patches for 4.14
authorSasha Levin <sashal@kernel.org>
Tue, 19 Mar 2019 22:13:50 +0000 (18:13 -0400)
committerSasha Levin <sashal@kernel.org>
Tue, 19 Mar 2019 22:13:50 +0000 (18:13 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
59 files changed:
queue-4.14/af_key-unconditionally-clone-on-broadcast.patch [new file with mode: 0644]
queue-4.14/arc-uacces-remove-lp_start-lp_end-from-clobber-list.patch [new file with mode: 0644]
queue-4.14/arcv2-lib-memcpy-fix-doing-prefetchw-outside-of-buff.patch [new file with mode: 0644]
queue-4.14/arcv2-support-manual-regfile-save-on-interrupts.patch [new file with mode: 0644]
queue-4.14/arm-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch [new file with mode: 0644]
queue-4.14/arm-omap2-fix-lack-of-timer-interrupts-on-cpu1-after.patch [new file with mode: 0644]
queue-4.14/arm-omap2-variable-reg-in-function-omap4_dsi_mux_pad.patch [new file with mode: 0644]
queue-4.14/arm64-relax-gic-version-check-during-early-boot.patch [new file with mode: 0644]
queue-4.14/asoc-dapm-fix-out-of-bounds-accesses-to-dapm-lookup-.patch [new file with mode: 0644]
queue-4.14/asoc-rsnd-fixup-rsnd_ssi_master_clk_start-user-count.patch [new file with mode: 0644]
queue-4.14/asoc-topology-free-created-components-in-tplg-load-e.patch [new file with mode: 0644]
queue-4.14/assoc_array-fix-shortcut-creation.patch [new file with mode: 0644]
queue-4.14/auxdisplay-ht16k33-fix-potential-user-after-free-on-.patch [new file with mode: 0644]
queue-4.14/clk-sunxi-a31-fix-wrong-ahb-gate-number.patch [new file with mode: 0644]
queue-4.14/clk-sunxi-ng-v3s-fix-tcon-reset-de-assert-bit.patch [new file with mode: 0644]
queue-4.14/drm-imx-ignore-plane-updates-on-disabled-crtcs.patch [new file with mode: 0644]
queue-4.14/drm-imx-imx-ldb-add-missing-of_node_puts.patch [new file with mode: 0644]
queue-4.14/esp-skip-tx-bytes-accounting-when-sending-from-a-req.patch [new file with mode: 0644]
queue-4.14/floppy-check_events-callback-should-not-return-a-neg.patch [new file with mode: 0644]
queue-4.14/gpu-ipu-v3-fix-csi-offsets-for-imx53.patch [new file with mode: 0644]
queue-4.14/gpu-ipu-v3-fix-i.mx51-csi-control-registers-offset.patch [new file with mode: 0644]
queue-4.14/i2c-bcm2835-clear-current-buffer-pointers-and-counts.patch [new file with mode: 0644]
queue-4.14/i2c-cadence-fix-the-hold-bit-setting.patch [new file with mode: 0644]
queue-4.14/input-cap11xx-switch-to-using-set_brightness_blockin.patch [new file with mode: 0644]
queue-4.14/input-matrix_keypad-use-flush_delayed_work.patch [new file with mode: 0644]
queue-4.14/input-ps2-gpio-flush-tx-work-when-closing-port.patch [new file with mode: 0644]
queue-4.14/input-pwm-vibra-prevent-unbalanced-regulator.patch [new file with mode: 0644]
queue-4.14/input-pwm-vibra-stop-regulator-after-disabling-pwm-n.patch [new file with mode: 0644]
queue-4.14/input-st-keyscan-fix-potential-zalloc-null-dereferen.patch [new file with mode: 0644]
queue-4.14/ipvs-fix-dependency-on-nf_defrag_ipv6.patch [new file with mode: 0644]
queue-4.14/ixgbe-fix-older-devices-that-do-not-support-ixgbe_mr.patch [new file with mode: 0644]
queue-4.14/kasan-slab-fix-conflicts-with-config_hardened_userco.patch [new file with mode: 0644]
queue-4.14/kasan-slub-move-kasan_poison_slab-hook-before-page_a.patch [new file with mode: 0644]
queue-4.14/keys-fix-dependency-loop-between-construction-record.patch [new file with mode: 0644]
queue-4.14/kvm-arm-arm64-reset-the-vcpu-without-preemption-and-.patch [new file with mode: 0644]
queue-4.14/mac80211-fix-tx-aggregation-session-tear-down-with-i.patch [new file with mode: 0644]
queue-4.14/mac80211_hwsim-propagate-genlmsg_reply-return-code.patch [new file with mode: 0644]
queue-4.14/mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-tim.patch [new file with mode: 0644]
queue-4.14/mm-gup-fix-gup_pmd_range-for-dax.patch [new file with mode: 0644]
queue-4.14/mm-page_alloc-fix-ref-bias-in-page_frag_alloc-for-1-.patch [new file with mode: 0644]
queue-4.14/net-hns-fix-object-reference-leaks-in-hns_dsaf_roce_.patch [new file with mode: 0644]
queue-4.14/net-marvell-mvneta-fix-dma-debug-warning.patch [new file with mode: 0644]
queue-4.14/net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch [new file with mode: 0644]
queue-4.14/net-set-static-variable-an-initial-value-in-atl2_pro.patch [new file with mode: 0644]
queue-4.14/net-systemport-fix-reception-of-bpdus.patch [new file with mode: 0644]
queue-4.14/net-thunderx-make-cfg_done-message-to-run-through-ge.patch [new file with mode: 0644]
queue-4.14/nfp-bpf-fix-alu32-high-bits-clearance-bug.patch [new file with mode: 0644]
queue-4.14/nfp-bpf-fix-code-gen-bug-on-bpf_alu-bpf_xor-bpf_k.patch [new file with mode: 0644]
queue-4.14/nfs-don-t-use-page_file_mapping-after-removing-the-p.patch [new file with mode: 0644]
queue-4.14/phonet-fix-building-with-clang.patch [new file with mode: 0644]
queue-4.14/pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch [new file with mode: 0644]
queue-4.14/qed-fix-iwarp-syn-packet-mac-address-validation.patch [new file with mode: 0644]
queue-4.14/qmi_wwan-apply-set_dtr-quirk-to-sierra-wp7607.patch [new file with mode: 0644]
queue-4.14/revert-mm-use-early_pfn_to_nid-in-page_ext_init.patch [new file with mode: 0644]
queue-4.14/s390-dasd-fix-using-offset-into-zero-size-array-erro.patch [new file with mode: 0644]
queue-4.14/scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch [new file with mode: 0644]
queue-4.14/tmpfs-fix-uninitialized-return-value-in-shmem_link.patch [new file with mode: 0644]

diff --git a/queue-4.14/af_key-unconditionally-clone-on-broadcast.patch b/queue-4.14/af_key-unconditionally-clone-on-broadcast.patch
new file mode 100644 (file)
index 0000000..4a454d5
--- /dev/null
@@ -0,0 +1,130 @@
+From f1fa557a115c6c83445bd989b260e6e929dc5035 Mon Sep 17 00:00:00 2001
+From: Sean Tranchetti <stranche@codeaurora.org>
+Date: Thu, 7 Feb 2019 13:33:21 -0700
+Subject: af_key: unconditionally clone on broadcast
+
+[ Upstream commit fc2d5cfdcfe2ab76b263d91429caa22451123085 ]
+
+Attempting to avoid cloning the skb when broadcasting by inflating
+the refcount with sock_hold/sock_put while under RCU lock is dangerous
+and violates RCU principles. It leads to subtle race conditions when
+attempting to free the SKB, as we may reference sockets that have
+already been freed by the stack.
+
+Unable to handle kernel paging request at virtual address 6b6b6b6b6b6c4b
+[006b6b6b6b6b6c4b] address between user and kernel address ranges
+Internal error: Oops: 96000004 [#1] PREEMPT SMP
+task: fffffff78f65b380 task.stack: ffffff8049a88000
+pc : sock_rfree+0x38/0x6c
+lr : skb_release_head_state+0x6c/0xcc
+Process repro (pid: 7117, stack limit = 0xffffff8049a88000)
+Call trace:
+       sock_rfree+0x38/0x6c
+       skb_release_head_state+0x6c/0xcc
+       skb_release_all+0x1c/0x38
+       __kfree_skb+0x1c/0x30
+       kfree_skb+0xd0/0xf4
+       pfkey_broadcast+0x14c/0x18c
+       pfkey_sendmsg+0x1d8/0x408
+       sock_sendmsg+0x44/0x60
+       ___sys_sendmsg+0x1d0/0x2a8
+       __sys_sendmsg+0x64/0xb4
+       SyS_sendmsg+0x34/0x4c
+       el0_svc_naked+0x34/0x38
+Kernel panic - not syncing: Fatal exception
+
+Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/key/af_key.c | 40 +++++++++++++++-------------------------
+ 1 file changed, 15 insertions(+), 25 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index 3b209cbfe1df..b095551a5773 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -196,30 +196,22 @@ static int pfkey_release(struct socket *sock)
+       return 0;
+ }
+-static int pfkey_broadcast_one(struct sk_buff *skb, struct sk_buff **skb2,
+-                             gfp_t allocation, struct sock *sk)
++static int pfkey_broadcast_one(struct sk_buff *skb, gfp_t allocation,
++                             struct sock *sk)
+ {
+       int err = -ENOBUFS;
+-      sock_hold(sk);
+-      if (*skb2 == NULL) {
+-              if (refcount_read(&skb->users) != 1) {
+-                      *skb2 = skb_clone(skb, allocation);
+-              } else {
+-                      *skb2 = skb;
+-                      refcount_inc(&skb->users);
+-              }
+-      }
+-      if (*skb2 != NULL) {
+-              if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf) {
+-                      skb_set_owner_r(*skb2, sk);
+-                      skb_queue_tail(&sk->sk_receive_queue, *skb2);
+-                      sk->sk_data_ready(sk);
+-                      *skb2 = NULL;
+-                      err = 0;
+-              }
++      if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)
++              return err;
++
++      skb = skb_clone(skb, allocation);
++
++      if (skb) {
++              skb_set_owner_r(skb, sk);
++              skb_queue_tail(&sk->sk_receive_queue, skb);
++              sk->sk_data_ready(sk);
++              err = 0;
+       }
+-      sock_put(sk);
+       return err;
+ }
+@@ -234,7 +226,6 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
+ {
+       struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);
+       struct sock *sk;
+-      struct sk_buff *skb2 = NULL;
+       int err = -ESRCH;
+       /* XXX Do we need something like netlink_overrun?  I think
+@@ -253,7 +244,7 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
+                * socket.
+                */
+               if (pfk->promisc)
+-                      pfkey_broadcast_one(skb, &skb2, GFP_ATOMIC, sk);
++                      pfkey_broadcast_one(skb, GFP_ATOMIC, sk);
+               /* the exact target will be processed later */
+               if (sk == one_sk)
+@@ -268,7 +259,7 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
+                               continue;
+               }
+-              err2 = pfkey_broadcast_one(skb, &skb2, GFP_ATOMIC, sk);
++              err2 = pfkey_broadcast_one(skb, GFP_ATOMIC, sk);
+               /* Error is cleared after successful sending to at least one
+                * registered KM */
+@@ -278,9 +269,8 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
+       rcu_read_unlock();
+       if (one_sk != NULL)
+-              err = pfkey_broadcast_one(skb, &skb2, allocation, one_sk);
++              err = pfkey_broadcast_one(skb, allocation, one_sk);
+-      kfree_skb(skb2);
+       kfree_skb(skb);
+       return err;
+ }
+-- 
+2.19.1
+
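Review bot: The rewritten pfkey_broadcast_one() has no comment saying why every receiver now gets its own clone, and the fix depends on that invariant. Per the commit message, sharing one skb between sockets under the RCU read lock let kfree_skb() reach sock_rfree() on a socket that had already been freed. A short comment above `skb = skb_clone(skb, allocation);` would keep a later optimisation from reintroducing the sharing, e.g. `/* Always clone: each receiver owns its skb, so freeing it never touches another socket. */`. The receive-buffer check and a failed clone also both return -ENOBUFS, so callers cannot tell a full queue from an allocation failure; if that is intended, the comment should say so.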
diff --git a/queue-4.14/arc-uacces-remove-lp_start-lp_end-from-clobber-list.patch b/queue-4.14/arc-uacces-remove-lp_start-lp_end-from-clobber-list.patch
new file mode 100644 (file)
index 0000000..cab8f51
--- /dev/null
@@ -0,0 +1,59 @@
+From d0b873a2289b932e0817d4d5b45ab5f81a5e526a Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Tue, 5 Feb 2019 10:07:07 -0800
+Subject: ARC: uacces: remove lp_start, lp_end from clobber list
+
+[ Upstream commit d5e3c55e01d8b1774b37b4647c30fb22f1d39077 ]
+
+Newer ARC gcc handles lp_start, lp_end in a different way and doesn't
+like them in the clobber list.
+
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/include/asm/uaccess.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arc/include/asm/uaccess.h b/arch/arc/include/asm/uaccess.h
+index c9173c02081c..eabc3efa6c6d 100644
+--- a/arch/arc/include/asm/uaccess.h
++++ b/arch/arc/include/asm/uaccess.h
+@@ -207,7 +207,7 @@ raw_copy_from_user(void *to, const void __user *from, unsigned long n)
+               */
+                 "=&r" (tmp), "+r" (to), "+r" (from)
+               :
+-              : "lp_count", "lp_start", "lp_end", "memory");
++              : "lp_count", "memory");
+               return n;
+       }
+@@ -433,7 +433,7 @@ raw_copy_to_user(void __user *to, const void *from, unsigned long n)
+                */
+                 "=&r" (tmp), "+r" (to), "+r" (from)
+               :
+-              : "lp_count", "lp_start", "lp_end", "memory");
++              : "lp_count", "memory");
+               return n;
+       }
+@@ -653,7 +653,7 @@ static inline unsigned long __arc_clear_user(void __user *to, unsigned long n)
+       "       .previous                       \n"
+       : "+r"(d_char), "+r"(res)
+       : "i"(0)
+-      : "lp_count", "lp_start", "lp_end", "memory");
++      : "lp_count", "memory");
+       return res;
+ }
+@@ -686,7 +686,7 @@ __arc_strncpy_from_user(char *dst, const char __user *src, long count)
+       "       .previous                       \n"
+       : "+r"(res), "+r"(dst), "+r"(src), "=r"(val)
+       : "g"(-EFAULT), "r"(count)
+-      : "lp_count", "lp_start", "lp_end", "memory");
++      : "lp_count", "memory");
+       return res;
+ }
+-- 
+2.19.1
+
diff --git a/queue-4.14/arcv2-lib-memcpy-fix-doing-prefetchw-outside-of-buff.patch b/queue-4.14/arcv2-lib-memcpy-fix-doing-prefetchw-outside-of-buff.patch
new file mode 100644 (file)
index 0000000..6df0f52
--- /dev/null
@@ -0,0 +1,102 @@
+From 6028479b6bb3b8b9595431d9630cd0dd9abfc68f Mon Sep 17 00:00:00 2001
+From: Eugeniy Paltsev <eugeniy.paltsev@synopsys.com>
+Date: Wed, 30 Jan 2019 19:32:40 +0300
+Subject: ARCv2: lib: memcpy: fix doing prefetchw outside of buffer
+
+[ Upstream commit f8a15f97664178f27dfbf86a38f780a532cb6df0 ]
+
+ARCv2 optimized memcpy uses PREFETCHW instruction for prefetching the
+next cache line but doesn't ensure that the line is not past the end of
+the buffer. PRETECHW changes the line ownership and marks it dirty,
+which can cause data corruption if this area is used for DMA IO.
+
+Fix the issue by avoiding the PREFETCHW. This leads to performance
+degradation but it is OK as we'll introduce new memcpy implementation
+optimized for unaligned memory access using.
+
+We also cut off all PREFETCH instructions at they are quite useless
+here:
+ * we call PREFETCH right before LOAD instruction call.
+ * we copy 16 or 32 bytes of data (depending on CONFIG_ARC_HAS_LL64)
+   in a main logical loop. so we call PREFETCH 4 times (or 2 times)
+   for each L1 cache line (in case of 64B L1 cache Line which is
+   default case). Obviously this is not optimal.
+
+Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/lib/memcpy-archs.S | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+diff --git a/arch/arc/lib/memcpy-archs.S b/arch/arc/lib/memcpy-archs.S
+index d61044dd8b58..ea14b0bf3116 100644
+--- a/arch/arc/lib/memcpy-archs.S
++++ b/arch/arc/lib/memcpy-archs.S
+@@ -25,15 +25,11 @@
+ #endif
+ #ifdef CONFIG_ARC_HAS_LL64
+-# define PREFETCH_READ(RX)    prefetch    [RX, 56]
+-# define PREFETCH_WRITE(RX)   prefetchw   [RX, 64]
+ # define LOADX(DST,RX)                ldd.ab  DST, [RX, 8]
+ # define STOREX(SRC,RX)               std.ab  SRC, [RX, 8]
+ # define ZOLSHFT              5
+ # define ZOLAND                       0x1F
+ #else
+-# define PREFETCH_READ(RX)    prefetch    [RX, 28]
+-# define PREFETCH_WRITE(RX)   prefetchw   [RX, 32]
+ # define LOADX(DST,RX)                ld.ab   DST, [RX, 4]
+ # define STOREX(SRC,RX)               st.ab   SRC, [RX, 4]
+ # define ZOLSHFT              4
+@@ -41,8 +37,6 @@
+ #endif
+ ENTRY_CFI(memcpy)
+-      prefetch [r1]           ; Prefetch the read location
+-      prefetchw [r0]          ; Prefetch the write location
+       mov.f   0, r2
+ ;;; if size is zero
+       jz.d    [blink]
+@@ -72,8 +66,6 @@ ENTRY_CFI(memcpy)
+       lpnz    @.Lcopy32_64bytes
+       ;; LOOP START
+       LOADX (r6, r1)
+-      PREFETCH_READ (r1)
+-      PREFETCH_WRITE (r3)
+       LOADX (r8, r1)
+       LOADX (r10, r1)
+       LOADX (r4, r1)
+@@ -117,9 +109,7 @@ ENTRY_CFI(memcpy)
+       lpnz    @.Lcopy8bytes_1
+       ;; LOOP START
+       ld.ab   r6, [r1, 4]
+-      prefetch [r1, 28]       ;Prefetch the next read location
+       ld.ab   r8, [r1,4]
+-      prefetchw [r3, 32]      ;Prefetch the next write location
+       SHIFT_1 (r7, r6, 24)
+       or      r7, r7, r5
+@@ -162,9 +152,7 @@ ENTRY_CFI(memcpy)
+       lpnz    @.Lcopy8bytes_2
+       ;; LOOP START
+       ld.ab   r6, [r1, 4]
+-      prefetch [r1, 28]       ;Prefetch the next read location
+       ld.ab   r8, [r1,4]
+-      prefetchw [r3, 32]      ;Prefetch the next write location
+       SHIFT_1 (r7, r6, 16)
+       or      r7, r7, r5
+@@ -204,9 +192,7 @@ ENTRY_CFI(memcpy)
+       lpnz    @.Lcopy8bytes_3
+       ;; LOOP START
+       ld.ab   r6, [r1, 4]
+-      prefetch [r1, 28]       ;Prefetch the next read location
+       ld.ab   r8, [r1,4]
+-      prefetchw [r3, 32]      ;Prefetch the next write location
+       SHIFT_1 (r7, r6, 8)
+       or      r7, r7, r5
+-- 
+2.19.1
+
diff --git a/queue-4.14/arcv2-support-manual-regfile-save-on-interrupts.patch b/queue-4.14/arcv2-support-manual-regfile-save-on-interrupts.patch
new file mode 100644 (file)
index 0000000..c845278
--- /dev/null
@@ -0,0 +1,159 @@
+From 867316d6f58e8730c52bd32477c0de8089ba65f4 Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Wed, 6 Jun 2018 10:20:37 -0700
+Subject: ARCv2: support manual regfile save on interrupts
+
+[ Upstream commit e494239a007e601448110ac304fe055951f9de3b ]
+
+There's a hardware bug which affects the HSDK platform, triggered by
+micro-ops for auto-saving regfile on taken interrupt. The workaround is
+to inhibit autosave.
+
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/Kconfig                   |  8 +++++
+ arch/arc/include/asm/entry-arcv2.h | 54 ++++++++++++++++++++++++++++++
+ arch/arc/kernel/entry-arcv2.S      |  4 ++-
+ arch/arc/kernel/intc-arcv2.c       |  2 ++
+ arch/arc/plat-hsdk/Kconfig         |  1 +
+ 5 files changed, 68 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arc/Kconfig b/arch/arc/Kconfig
+index 9d06c9478a0d..82050893d0b3 100644
+--- a/arch/arc/Kconfig
++++ b/arch/arc/Kconfig
+@@ -417,6 +417,14 @@ config ARC_HAS_ACCL_REGS
+         (also referred to as r58:r59). These can also be used by gcc as GPR so
+         kernel needs to save/restore per process
++config ARC_IRQ_NO_AUTOSAVE
++      bool "Disable hardware autosave regfile on interrupts"
++      default n
++      help
++        On HS cores, taken interrupt auto saves the regfile on stack.
++        This is programmable and can be optionally disabled in which case
++        software INTERRUPT_PROLOGUE/EPILGUE do the needed work
++
+ endif # ISA_ARCV2
+ endmenu   # "ARC CPU Configuration"
+diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h
+index 257a68f3c2fe..9f581553dcc3 100644
+--- a/arch/arc/include/asm/entry-arcv2.h
++++ b/arch/arc/include/asm/entry-arcv2.h
+@@ -17,6 +17,33 @@
+       ;
+       ; Now manually save: r12, sp, fp, gp, r25
++#ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE
++.ifnc \called_from, exception
++      st.as   r9, [sp, -10]   ; save r9 in it's final stack slot
++      sub     sp, sp, 12      ; skip JLI, LDI, EI
++
++      PUSH    lp_count
++      PUSHAX  lp_start
++      PUSHAX  lp_end
++      PUSH    blink
++
++      PUSH    r11
++      PUSH    r10
++
++      sub     sp, sp, 4       ; skip r9
++
++      PUSH    r8
++      PUSH    r7
++      PUSH    r6
++      PUSH    r5
++      PUSH    r4
++      PUSH    r3
++      PUSH    r2
++      PUSH    r1
++      PUSH    r0
++.endif
++#endif
++
+ #ifdef CONFIG_ARC_HAS_ACCL_REGS
+       PUSH    r59
+       PUSH    r58
+@@ -86,6 +113,33 @@
+       POP     r59
+ #endif
++#ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE
++.ifnc \called_from, exception
++      POP     r0
++      POP     r1
++      POP     r2
++      POP     r3
++      POP     r4
++      POP     r5
++      POP     r6
++      POP     r7
++      POP     r8
++      POP     r9
++      POP     r10
++      POP     r11
++
++      POP     blink
++      POPAX   lp_end
++      POPAX   lp_start
++
++      POP     r9
++      mov     lp_count, r9
++
++      add     sp, sp, 12      ; skip JLI, LDI, EI
++      ld.as   r9, [sp, -10]   ; reload r9 which got clobbered
++.endif
++#endif
++
+ .endm
+ /*------------------------------------------------------------------------*/
+diff --git a/arch/arc/kernel/entry-arcv2.S b/arch/arc/kernel/entry-arcv2.S
+index cc558a25b8fa..562089d62d9d 100644
+--- a/arch/arc/kernel/entry-arcv2.S
++++ b/arch/arc/kernel/entry-arcv2.S
+@@ -209,7 +209,9 @@ restore_regs:
+ ;####### Return from Intr #######
+ debug_marker_l1:
+-      bbit1.nt r0, STATUS_DE_BIT, .Lintr_ret_to_delay_slot
++      ; bbit1.nt r0, STATUS_DE_BIT, .Lintr_ret_to_delay_slot
++      btst    r0, STATUS_DE_BIT               ; Z flag set if bit clear
++      bnz     .Lintr_ret_to_delay_slot        ; branch if STATUS_DE_BIT set
+ .Lisr_ret_fast_path:
+       ; Handle special case #1: (Entry via Exception, Return via IRQ)
+diff --git a/arch/arc/kernel/intc-arcv2.c b/arch/arc/kernel/intc-arcv2.c
+index 067ea362fb3e..cf18b3e5a934 100644
+--- a/arch/arc/kernel/intc-arcv2.c
++++ b/arch/arc/kernel/intc-arcv2.c
+@@ -49,11 +49,13 @@ void arc_init_IRQ(void)
+       *(unsigned int *)&ictrl = 0;
++#ifndef CONFIG_ARC_IRQ_NO_AUTOSAVE
+       ictrl.save_nr_gpr_pairs = 6;    /* r0 to r11 (r12 saved manually) */
+       ictrl.save_blink = 1;
+       ictrl.save_lp_regs = 1;         /* LP_COUNT, LP_START, LP_END */
+       ictrl.save_u_to_u = 0;          /* user ctxt saved on kernel stack */
+       ictrl.save_idx_regs = 1;        /* JLI, LDI, EI */
++#endif
+       WRITE_AUX(AUX_IRQ_CTRL, ictrl);
+diff --git a/arch/arc/plat-hsdk/Kconfig b/arch/arc/plat-hsdk/Kconfig
+index fcc9a9e27e9c..8fb1600b29b7 100644
+--- a/arch/arc/plat-hsdk/Kconfig
++++ b/arch/arc/plat-hsdk/Kconfig
+@@ -9,5 +9,6 @@ menuconfig ARC_SOC_HSDK
+       bool "ARC HS Development Kit SOC"
+       depends on ISA_ARCV2
+       select ARC_HAS_ACCL_REGS
++      select ARC_IRQ_NO_AUTOSAVE
+       select CLK_HSDK
+       select RESET_HSDK
+-- 
+2.19.1
+
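Review bot: In the restore block added to entry-arcv2.h, `ld.as r9, [sp, -10]` reads r9 from below the stack pointer after `add sp, sp, 12` has already released that area. The value therefore survives only if nothing can push onto this stack between the two instructions. The hunk does not show whether interrupts and exceptions are excluded at that point; if that is the assumption, state it next to the load, e.g. `; r9 slot is below sp here: relies on no interrupt/exception being taken before this load`. Separately, the commented-out `bbit1.nt` line left in entry-arcv2.S would be better replaced by a sentence saying why the branch was split into `btst`/`bnz`.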
diff --git a/queue-4.14/arm-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch b/queue-4.14/arm-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch
new file mode 100644 (file)
index 0000000..2f0d47f
--- /dev/null
@@ -0,0 +1,156 @@
+From 156ae4b25ce08b9c79e67c808142460d9cc62aff Mon Sep 17 00:00:00 2001
+From: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Date: Mon, 21 Jan 2019 14:42:42 +0100
+Subject: ARM: 8824/1: fix a migrating irq bug when hotplug cpu
+
+[ Upstream commit 1b5ba350784242eb1f899bcffd95d2c7cff61e84 ]
+
+Arm TC2 fails cpu hotplug stress test.
+
+This issue was tracked down to a missing copy of the new affinity
+cpumask for the vexpress-spc interrupt into struct
+irq_common_data.affinity when the interrupt is migrated in
+migrate_one_irq().
+
+Fix it by replacing the arm specific hotplug cpu migration with the
+generic irq code.
+
+This is the counterpart implementation to commit 217d453d473c ("arm64:
+fix a migrating irq bug when hotplug cpu").
+
+Tested with cpu hotplug stress test on Arm TC2 (multi_v7_defconfig plus
+CONFIG_ARM_BIG_LITTLE_CPUFREQ=y and CONFIG_ARM_VEXPRESS_SPC_CPUFREQ=y).
+The vexpress-spc interrupt (irq=22) on this board is affine to CPU0.
+Its affinity cpumask now changes correctly e.g. from 0 to 1-4 when
+CPU0 is hotplugged out.
+
+Suggested-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/Kconfig           |  1 +
+ arch/arm/include/asm/irq.h |  1 -
+ arch/arm/kernel/irq.c      | 62 --------------------------------------
+ arch/arm/kernel/smp.c      |  2 +-
+ 4 files changed, 2 insertions(+), 64 deletions(-)
+
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index d1346a160760..cf69aab648fb 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1447,6 +1447,7 @@ config NR_CPUS
+ config HOTPLUG_CPU
+       bool "Support for hot-pluggable CPUs"
+       depends on SMP
++      select GENERIC_IRQ_MIGRATION
+       help
+         Say Y here to experiment with turning CPUs off and on.  CPUs
+         can be controlled through /sys/devices/system/cpu.
+diff --git a/arch/arm/include/asm/irq.h b/arch/arm/include/asm/irq.h
+index b6f319606e30..2de321e89b94 100644
+--- a/arch/arm/include/asm/irq.h
++++ b/arch/arm/include/asm/irq.h
+@@ -25,7 +25,6 @@
+ #ifndef __ASSEMBLY__
+ struct irqaction;
+ struct pt_regs;
+-extern void migrate_irqs(void);
+ extern void asm_do_IRQ(unsigned int, struct pt_regs *);
+ void handle_IRQ(unsigned int, struct pt_regs *);
+diff --git a/arch/arm/kernel/irq.c b/arch/arm/kernel/irq.c
+index ece04a457486..5b07c7a31c31 100644
+--- a/arch/arm/kernel/irq.c
++++ b/arch/arm/kernel/irq.c
+@@ -31,7 +31,6 @@
+ #include <linux/smp.h>
+ #include <linux/init.h>
+ #include <linux/seq_file.h>
+-#include <linux/ratelimit.h>
+ #include <linux/errno.h>
+ #include <linux/list.h>
+ #include <linux/kallsyms.h>
+@@ -119,64 +118,3 @@ int __init arch_probe_nr_irqs(void)
+       return nr_irqs;
+ }
+ #endif
+-
+-#ifdef CONFIG_HOTPLUG_CPU
+-static bool migrate_one_irq(struct irq_desc *desc)
+-{
+-      struct irq_data *d = irq_desc_get_irq_data(desc);
+-      const struct cpumask *affinity = irq_data_get_affinity_mask(d);
+-      struct irq_chip *c;
+-      bool ret = false;
+-
+-      /*
+-       * If this is a per-CPU interrupt, or the affinity does not
+-       * include this CPU, then we have nothing to do.
+-       */
+-      if (irqd_is_per_cpu(d) || !cpumask_test_cpu(smp_processor_id(), affinity))
+-              return false;
+-
+-      if (cpumask_any_and(affinity, cpu_online_mask) >= nr_cpu_ids) {
+-              affinity = cpu_online_mask;
+-              ret = true;
+-      }
+-
+-      c = irq_data_get_irq_chip(d);
+-      if (!c->irq_set_affinity)
+-              pr_debug("IRQ%u: unable to set affinity\n", d->irq);
+-      else if (c->irq_set_affinity(d, affinity, false) == IRQ_SET_MASK_OK && ret)
+-              cpumask_copy(irq_data_get_affinity_mask(d), affinity);
+-
+-      return ret;
+-}
+-
+-/*
+- * The current CPU has been marked offline.  Migrate IRQs off this CPU.
+- * If the affinity settings do not allow other CPUs, force them onto any
+- * available CPU.
+- *
+- * Note: we must iterate over all IRQs, whether they have an attached
+- * action structure or not, as we need to get chained interrupts too.
+- */
+-void migrate_irqs(void)
+-{
+-      unsigned int i;
+-      struct irq_desc *desc;
+-      unsigned long flags;
+-
+-      local_irq_save(flags);
+-
+-      for_each_irq_desc(i, desc) {
+-              bool affinity_broken;
+-
+-              raw_spin_lock(&desc->lock);
+-              affinity_broken = migrate_one_irq(desc);
+-              raw_spin_unlock(&desc->lock);
+-
+-              if (affinity_broken)
+-                      pr_warn_ratelimited("IRQ%u no longer affine to CPU%u\n",
+-                              i, smp_processor_id());
+-      }
+-
+-      local_irq_restore(flags);
+-}
+-#endif /* CONFIG_HOTPLUG_CPU */
+diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
+index f57333f46242..65f85737c6a2 100644
+--- a/arch/arm/kernel/smp.c
++++ b/arch/arm/kernel/smp.c
+@@ -254,7 +254,7 @@ int __cpu_disable(void)
+       /*
+        * OK - migrate IRQs away from this CPU
+        */
+-      migrate_irqs();
++      irq_migrate_all_off_this_cpu();
+       /*
+        * Flush user cache and TLB mappings, and then remove this CPU
+-- 
+2.19.1
+
diff --git a/queue-4.14/arm-omap2-fix-lack-of-timer-interrupts-on-cpu1-after.patch b/queue-4.14/arm-omap2-fix-lack-of-timer-interrupts-on-cpu1-after.patch
new file mode 100644 (file)
index 0000000..0ac99e5
--- /dev/null
@@ -0,0 +1,79 @@
+From b66f3f6e52429799449f8a7543acb322232f3c2f Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Wed, 12 Dec 2018 11:49:47 +0000
+Subject: ARM: OMAP2+: fix lack of timer interrupts on CPU1 after hotplug
+
+[ Upstream commit 50d6b3cf9403879911e06d69c7ef41e43f8f7b4b ]
+
+If we have a kernel configured for periodic timer interrupts, and we
+have cpuidle enabled, then we end up with CPU1 losing timer interupts
+after a hotplug.
+
+This can manifest itself in RCU stall warnings, or userspace becoming
+unresponsive.
+
+The problem is that the kernel initially wants to use the TWD timer
+for interrupts, but the TWD loses context when we enter the C3 cpuidle
+state.  Nothing reprograms the TWD after idle.
+
+We have solved this in the past by switching to broadcast timer ticks,
+and cpuidle44xx switches to that mode at boot time.  However, there is
+nothing to switch from periodic mode local timers after a hotplug
+operation.
+
+We call tick_broadcast_enter() in omap_enter_idle_coupled(), which one
+would expect would take care of the issue, but internally this only
+deals with one-shot local timers - tick_broadcast_enable() on the other
+hand only deals with periodic local timers.  So, we need to call both.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+[tony@atomide.com: just standardized the subject line]
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap2/cpuidle44xx.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/arch/arm/mach-omap2/cpuidle44xx.c b/arch/arm/mach-omap2/cpuidle44xx.c
+index a8b291f00109..dae514c8276a 100644
+--- a/arch/arm/mach-omap2/cpuidle44xx.c
++++ b/arch/arm/mach-omap2/cpuidle44xx.c
+@@ -152,6 +152,10 @@ static int omap_enter_idle_coupled(struct cpuidle_device *dev,
+       mpuss_can_lose_context = (cx->mpu_state == PWRDM_POWER_RET) &&
+                                (cx->mpu_logic_state == PWRDM_POWER_OFF);
++      /* Enter broadcast mode for periodic timers */
++      tick_broadcast_enable();
++
++      /* Enter broadcast mode for one-shot timers */
+       tick_broadcast_enter();
+       /*
+@@ -218,15 +222,6 @@ fail:
+       return index;
+ }
+-/*
+- * For each cpu, setup the broadcast timer because local timers
+- * stops for the states above C1.
+- */
+-static void omap_setup_broadcast_timer(void *arg)
+-{
+-      tick_broadcast_enable();
+-}
+-
+ static struct cpuidle_driver omap4_idle_driver = {
+       .name                           = "omap4_idle",
+       .owner                          = THIS_MODULE,
+@@ -319,8 +314,5 @@ int __init omap4_idle_init(void)
+       if (!cpu_clkdm[0] || !cpu_clkdm[1])
+               return -ENODEV;
+-      /* Configure the broadcast timer on each cpu */
+-      on_each_cpu(omap_setup_broadcast_timer, NULL, 1);
+-
+       return cpuidle_register(idle_driver, cpu_online_mask);
+ }
+-- 
+2.19.1
+
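Review bot: `tick_broadcast_enable()` now runs on every call to omap_enter_idle_coupled() rather than once per CPU at init, and the added comment (`Enter broadcast mode for periodic timers`) does not say why it has to be repeated. The commit message gives the reason: nothing switches a CPU away from its periodic local timer after a hotplug operation. Putting that in the comment, e.g. `/* Repeated on each idle entry: a hotplugged CPU is otherwise left on its periodic local timer */`, would stop someone hoisting the call back into omap4_idle_init(). The function body continues outside the hunk.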
diff --git a/queue-4.14/arm-omap2-variable-reg-in-function-omap4_dsi_mux_pad.patch b/queue-4.14/arm-omap2-variable-reg-in-function-omap4_dsi_mux_pad.patch
new file mode 100644 (file)
index 0000000..3f242ab
--- /dev/null
@@ -0,0 +1,48 @@
+From 5f0c86d5d7b744561bc3fc73aca8cae7a827398a Mon Sep 17 00:00:00 2001
+From: Yizhuo <yzhai003@ucr.edu>
+Date: Fri, 25 Jan 2019 22:32:20 -0800
+Subject: ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be
+ uninitialized
+
+[ Upstream commit dc30e70391376ba3987aeb856ae6d9c0706534f1 ]
+
+In function omap4_dsi_mux_pads(), local variable "reg" could
+be uninitialized if function regmap_read() returns -EINVAL.
+However, it will be used directly in the later context, which
+is potentially unsafe.
+
+Signed-off-by: Yizhuo <yzhai003@ucr.edu>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap2/display.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-omap2/display.c b/arch/arm/mach-omap2/display.c
+index b3f6eb5d04a2..6e7440ef503a 100644
+--- a/arch/arm/mach-omap2/display.c
++++ b/arch/arm/mach-omap2/display.c
+@@ -84,6 +84,7 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes)
+       u32 enable_mask, enable_shift;
+       u32 pipd_mask, pipd_shift;
+       u32 reg;
++      int ret;
+       if (dsi_id == 0) {
+               enable_mask = OMAP4_DSI1_LANEENABLE_MASK;
+@@ -99,7 +100,11 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes)
+               return -ENODEV;
+       }
+-      regmap_read(omap4_dsi_mux_syscon, OMAP4_DSIPHY_SYSCON_OFFSET, &reg);
++      ret = regmap_read(omap4_dsi_mux_syscon,
++                                        OMAP4_DSIPHY_SYSCON_OFFSET,
++                                        &reg);
++      if (ret)
++              return ret;
+       reg &= ~enable_mask;
+       reg &= ~pipd_mask;
+-- 
+2.19.1
+
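Review bot: The new `regmap_read()` call in omap4_dsi_mux_pads() is split over three lines, with the continuation lines indented well past the opening parenthesis. Kernel style aligns continuations under the first argument, so two lines are enough: `ret = regmap_read(omap4_dsi_mux_syscon,` followed by `OMAP4_DSIPHY_SYSCON_OFFSET, &reg);` aligned to the parenthesis. The function body continues outside the hunk, so it cannot be seen here whether the later write-back of `reg` has its return code checked in the same way; that is worth confirming.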
diff --git a/queue-4.14/arm64-relax-gic-version-check-during-early-boot.patch b/queue-4.14/arm64-relax-gic-version-check-during-early-boot.patch
new file mode 100644 (file)
index 0000000..182715a
--- /dev/null
@@ -0,0 +1,40 @@
+From 75ff580829aa8e444771f1e162e0d46a3e5452cd Mon Sep 17 00:00:00 2001
+From: Vladimir Murzin <vladimir.murzin@arm.com>
+Date: Wed, 20 Feb 2019 11:43:05 +0000
+Subject: arm64: Relax GIC version check during early boot
+
+[ Upstream commit 74698f6971f25d045301139413578865fc2bd8f9 ]
+
+Updates to the GIC architecture allow ID_AA64PFR0_EL1.GIC to have
+values other than 0 or 1. At the moment, Linux is quite strict in the
+way it handles this field at early boot stage (cpufeature is fine) and
+will refuse to use the system register CPU interface if it doesn't
+find the value 1.
+
+Fixes: 021f653791ad17e03f98aaa7fb933816ae16f161 ("irqchip: gic-v3: Initial support for GICv3")
+Reported-by: Chase Conklin <Chase.Conklin@arm.com>
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/head.S | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
+index ec393275ba04..1371542de0d3 100644
+--- a/arch/arm64/kernel/head.S
++++ b/arch/arm64/kernel/head.S
+@@ -442,8 +442,7 @@ set_hcr:
+       /* GICv3 system register access */
+       mrs     x0, id_aa64pfr0_el1
+       ubfx    x0, x0, #24, #4
+-      cmp     x0, #1
+-      b.ne    3f
++      cbz     x0, 3f
+       mrs_s   x0, SYS_ICC_SRE_EL2
+       orr     x0, x0, #ICC_SRE_EL2_SRE        // Set ICC_SRE_EL2.SRE==1
+-- 
+2.19.1
+
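Review bot: The comment above the changed test in set_hcr still reads only `/* GICv3 system register access */`, while `cbz x0, 3f` now accepts every non-zero ID_AA64PFR0_EL1.GIC value instead of exactly 1. A short comment on the branch, such as `// GIC field == 0: no system register interface, skip`, would record that any non-zero value is deliberately treated as present, so a later reader does not tighten it back to an equality test. The surrounding block starts and ends outside the hunk.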
diff --git a/queue-4.14/asoc-dapm-fix-out-of-bounds-accesses-to-dapm-lookup-.patch b/queue-4.14/asoc-dapm-fix-out-of-bounds-accesses-to-dapm-lookup-.patch
new file mode 100644 (file)
index 0000000..072cf97
--- /dev/null
@@ -0,0 +1,101 @@
+From 811611378248c2127209043d5314d0b8f40f5615 Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Date: Tue, 5 Feb 2019 10:22:27 -0600
+Subject: ASoC: dapm: fix out-of-bounds accesses to DAPM lookup tables
+
+[ Upstream commit c16e12010060c6c7a31f08b4a99513064cb53b7d ]
+
+KASAN reports and additional traces point to out-of-bounds accesses to
+the dapm_up_seq and dapm_down_seq lookup tables. The indices used are
+larger than the array definition.
+
+Fix by adding missing entries for the new widget types in these two
+lookup tables, and align them with PGA values.
+
+Also the sequences for the following widgets were not defined. Since
+their values defaulted to zero, assign them explicitly
+
+ snd_soc_dapm_input
+ snd_soc_dapm_output
+ snd_soc_dapm_vmid
+ snd_soc_dapm_siggen
+ snd_soc_dapm_sink
+
+Fixes: 8a70b4544ef4 ('ASoC: dapm: Add new widget type for constructing DAPM graphs on DSPs.').
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-dapm.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
+index bba6a917cd02..e9f7c6287376 100644
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -75,12 +75,16 @@ static int dapm_up_seq[] = {
+       [snd_soc_dapm_clock_supply] = 1,
+       [snd_soc_dapm_supply] = 2,
+       [snd_soc_dapm_micbias] = 3,
++      [snd_soc_dapm_vmid] = 3,
+       [snd_soc_dapm_dai_link] = 2,
+       [snd_soc_dapm_dai_in] = 4,
+       [snd_soc_dapm_dai_out] = 4,
+       [snd_soc_dapm_aif_in] = 4,
+       [snd_soc_dapm_aif_out] = 4,
+       [snd_soc_dapm_mic] = 5,
++      [snd_soc_dapm_siggen] = 5,
++      [snd_soc_dapm_input] = 5,
++      [snd_soc_dapm_output] = 5,
+       [snd_soc_dapm_mux] = 6,
+       [snd_soc_dapm_demux] = 6,
+       [snd_soc_dapm_dac] = 7,
+@@ -88,11 +92,19 @@ static int dapm_up_seq[] = {
+       [snd_soc_dapm_mixer] = 8,
+       [snd_soc_dapm_mixer_named_ctl] = 8,
+       [snd_soc_dapm_pga] = 9,
++      [snd_soc_dapm_buffer] = 9,
++      [snd_soc_dapm_scheduler] = 9,
++      [snd_soc_dapm_effect] = 9,
++      [snd_soc_dapm_src] = 9,
++      [snd_soc_dapm_asrc] = 9,
++      [snd_soc_dapm_encoder] = 9,
++      [snd_soc_dapm_decoder] = 9,
+       [snd_soc_dapm_adc] = 10,
+       [snd_soc_dapm_out_drv] = 11,
+       [snd_soc_dapm_hp] = 11,
+       [snd_soc_dapm_spk] = 11,
+       [snd_soc_dapm_line] = 11,
++      [snd_soc_dapm_sink] = 11,
+       [snd_soc_dapm_kcontrol] = 12,
+       [snd_soc_dapm_post] = 13,
+ };
+@@ -105,13 +117,25 @@ static int dapm_down_seq[] = {
+       [snd_soc_dapm_spk] = 3,
+       [snd_soc_dapm_line] = 3,
+       [snd_soc_dapm_out_drv] = 3,
++      [snd_soc_dapm_sink] = 3,
+       [snd_soc_dapm_pga] = 4,
++      [snd_soc_dapm_buffer] = 4,
++      [snd_soc_dapm_scheduler] = 4,
++      [snd_soc_dapm_effect] = 4,
++      [snd_soc_dapm_src] = 4,
++      [snd_soc_dapm_asrc] = 4,
++      [snd_soc_dapm_encoder] = 4,
++      [snd_soc_dapm_decoder] = 4,
+       [snd_soc_dapm_switch] = 5,
+       [snd_soc_dapm_mixer_named_ctl] = 5,
+       [snd_soc_dapm_mixer] = 5,
+       [snd_soc_dapm_dac] = 6,
+       [snd_soc_dapm_mic] = 7,
++      [snd_soc_dapm_siggen] = 7,
++      [snd_soc_dapm_input] = 7,
++      [snd_soc_dapm_output] = 7,
+       [snd_soc_dapm_micbias] = 8,
++      [snd_soc_dapm_vmid] = 8,
+       [snd_soc_dapm_mux] = 9,
+       [snd_soc_dapm_demux] = 9,
+       [snd_soc_dapm_aif_in] = 10,
+-- 
+2.19.1
+
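Review bot: Both lookup tables are still declared with an implicit size (`static int dapm_up_seq[] = {` and `static int dapm_down_seq[] = {`), so their length is set by the highest designated index that happens to be listed. A widget type later added at the end of the enum without a table entry would bring back the same out-of-bounds read that KASAN reported. A compile-time check at the tables' first use would catch that at build time, for example `BUILD_BUG_ON(ARRAY_SIZE(dapm_up_seq) != <WIDGET_TYPE_COUNT>);` and the same for `dapm_down_seq`, where `<WIDGET_TYPE_COUNT>` is a placeholder for a last-enumerator count that this page does not show. The `dapm_down_seq` initializer continues past the end of the last hunk.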
diff --git a/queue-4.14/asoc-rsnd-fixup-rsnd_ssi_master_clk_start-user-count.patch b/queue-4.14/asoc-rsnd-fixup-rsnd_ssi_master_clk_start-user-count.patch
new file mode 100644 (file)
index 0000000..de4c106
--- /dev/null
@@ -0,0 +1,44 @@
+From 9ca130c193637fb5ad5001bcb319af8e04a62093 Mon Sep 17 00:00:00 2001
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Date: Tue, 5 Feb 2019 09:46:43 +0900
+Subject: ASoC: rsnd: fixup rsnd_ssi_master_clk_start() user count check
+
+[ Upstream commit d9111d36024de07784f2e1ba2ccf70b16035f378 ]
+
+commit 4d230d1271064 ("ASoC: rsnd: fixup not to call clk_get/set
+under non-atomic") added new rsnd_ssi_prepare() and moved
+rsnd_ssi_master_clk_start() to .prepare.
+But, ssi user count (= ssi->usrcnt) is incremented at .init
+(= rsnd_ssi_init()).
+Because of these timing exchange, ssi->usrcnt check at
+rsnd_ssi_master_clk_start() should be adjusted.
+Otherwise, 2nd master clock setup will be no check.
+This patch fixup this issue.
+
+Fixes: commit 4d230d1271064 ("ASoC: rsnd: fixup not to call clk_get/set under non-atomic")
+Reported-by: Yusuke Goda <yusuke.goda.sx@renesas.com>
+Reported-by: Valentine Barshak <valentine.barshak@cogentembedded.com>
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Tested-by: Yusuke Goda <yusuke.goda.sx@renesas.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sh/rcar/ssi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sh/rcar/ssi.c b/sound/soc/sh/rcar/ssi.c
+index 0db2791f7035..60cc550c5a4c 100644
+--- a/sound/soc/sh/rcar/ssi.c
++++ b/sound/soc/sh/rcar/ssi.c
+@@ -280,7 +280,7 @@ static int rsnd_ssi_master_clk_start(struct rsnd_mod *mod,
+       if (rsnd_ssi_is_multi_slave(mod, io))
+               return 0;
+-      if (ssi->usrcnt > 1) {
++      if (ssi->usrcnt > 0) {
+               if (ssi->rate != rate) {
+                       dev_err(dev, "SSI parent/child should use same rate\n");
+                       return -EINVAL;
+-- 
+2.19.1
+
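Review bot: The new `ssi->usrcnt > 0` test in rsnd_ssi_master_clk_start() is only right if this function is called from `.prepare`, as the description says, and nothing in this hunk shows that the 4.14 tree contains the commit named in the Fixes: trailer that moved the call there. If that move is absent in this branch and the count is already incremented when the function runs, the rate comparison could apply to the first user as well. This should be confirmed against the 4.14 source before the patch is queued. A comment above the test, e.g. `/* usrcnt is bumped in rsnd_ssi_init(); non-zero here means another user already set the rate */`, would document the ordering the check depends on. The function continues outside the hunk.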
diff --git a/queue-4.14/asoc-topology-free-created-components-in-tplg-load-e.patch b/queue-4.14/asoc-topology-free-created-components-in-tplg-load-e.patch
new file mode 100644 (file)
index 0000000..bb8046c
--- /dev/null
@@ -0,0 +1,45 @@
+From 6ec81be536afa580054e03ab027a6234246b273c Mon Sep 17 00:00:00 2001
+From: Bard liao <yung-chuan.liao@linux.intel.com>
+Date: Sun, 17 Feb 2019 21:23:47 +0800
+Subject: ASoC: topology: free created components in tplg load error
+
+[ Upstream commit 304017d31df36fb61eb2ed3ebf65fb6870b3c731 ]
+
+Topology resources are no longer needed if any element failed to load.
+
+Signed-off-by: Bard liao <yung-chuan.liao@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-topology.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
+index c1619860a5de..2d5cf263515b 100644
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -2513,6 +2513,7 @@ int snd_soc_tplg_component_load(struct snd_soc_component *comp,
+       struct snd_soc_tplg_ops *ops, const struct firmware *fw, u32 id)
+ {
+       struct soc_tplg tplg;
++      int ret;
+       /* setup parsing context */
+       memset(&tplg, 0, sizeof(tplg));
+@@ -2526,7 +2527,12 @@ int snd_soc_tplg_component_load(struct snd_soc_component *comp,
+       tplg.bytes_ext_ops = ops->bytes_ext_ops;
+       tplg.bytes_ext_ops_count = ops->bytes_ext_ops_count;
+-      return soc_tplg_load(&tplg);
++      ret = soc_tplg_load(&tplg);
++      /* free the created components if fail to load topology */
++      if (ret)
++              snd_soc_tplg_component_remove(comp, SND_SOC_TPLG_INDEX_ALL);
++
++      return ret;
+ }
+ EXPORT_SYMBOL_GPL(snd_soc_tplg_component_load);
+-- 
+2.19.1
+
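Review bot: The error path added to snd_soc_tplg_component_load() cleans up with `snd_soc_tplg_component_remove(comp, SND_SOC_TPLG_INDEX_ALL)` rather than with the `id` passed to this load. If a component can have more than one topology loaded, and assuming `id` is the topology index, a failure of a later load would presumably also tear down objects created by an earlier successful one. The remove function is not visible here, so this needs confirming; if it holds, `snd_soc_tplg_component_remove(comp, id);` would limit the cleanup to the failed load. The comment would also read better as `/* free the created components if the topology failed to load */`.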
diff --git a/queue-4.14/assoc_array-fix-shortcut-creation.patch b/queue-4.14/assoc_array-fix-shortcut-creation.patch
new file mode 100644 (file)
index 0000000..0f491c6
--- /dev/null
@@ -0,0 +1,57 @@
+From 078482aa9b50064ed31bdf30c52e8465603b9aa4 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 14 Feb 2019 16:20:15 +0000
+Subject: assoc_array: Fix shortcut creation
+
+[ Upstream commit bb2ba2d75a2d673e76ddaf13a9bd30d6a8b1bb08 ]
+
+Fix the creation of shortcuts for which the length of the index key value
+is an exact multiple of the machine word size.  The problem is that the
+code that blanks off the unused bits of the shortcut value malfunctions if
+the number of bits in the last word equals machine word size.  This is due
+to the "<<" operator being given a shift of zero in this case, and so the
+mask that should be all zeros is all ones instead.  This causes the
+subsequent masking operation to clear everything rather than clearing
+nothing.
+
+Ordinarily, the presence of the hash at the beginning of the tree index key
+makes the issue very hard to test for, but in this case, it was encountered
+due to a development mistake that caused the hash output to be either 0
+(keyring) or 1 (non-keyring) only.  This made it susceptible to the
+keyctl/unlink/valid test in the keyutils package.
+
+The fix is simply to skip the blanking if the shift would be 0.  For
+example, an index key that is 64 bits long would produce a 0 shift and thus
+a 'blank' of all 1s.  This would then be inverted and AND'd onto the
+index_key, incorrectly clearing the entire last word.
+
+Fixes: 3cb989501c26 ("Add a generic associative array implementation.")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/assoc_array.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lib/assoc_array.c b/lib/assoc_array.c
+index 4e53be8bc590..9463d3445ccd 100644
+--- a/lib/assoc_array.c
++++ b/lib/assoc_array.c
+@@ -781,9 +781,11 @@ all_leaves_cluster_together:
+               new_s0->index_key[i] =
+                       ops->get_key_chunk(index_key, i * ASSOC_ARRAY_KEY_CHUNK_SIZE);
+-      blank = ULONG_MAX << (level & ASSOC_ARRAY_KEY_CHUNK_MASK);
+-      pr_devel("blank off [%zu] %d: %lx\n", keylen - 1, level, blank);
+-      new_s0->index_key[keylen - 1] &= ~blank;
++      if (level & ASSOC_ARRAY_KEY_CHUNK_MASK) {
++              blank = ULONG_MAX << (level & ASSOC_ARRAY_KEY_CHUNK_MASK);
++              pr_devel("blank off [%zu] %d: %lx\n", keylen - 1, level, blank);
++              new_s0->index_key[keylen - 1] &= ~blank;
++      }
+       /* This now reduces to a node splitting exercise for which we'll need
+        * to regenerate the disparity table.
+-- 
+2.19.1
+
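Review bot: The guard added at all_leaves_cluster_together has no comment saying why a zero shift must be skipped, and the reason is not obvious from the code alone. Something like `/* a shift of 0 makes blank all-ones, which would clear the whole last word */` above `if (level & ASSOC_ARRAY_KEY_CHUNK_MASK) {` would keep the check from being simplified away later. The expression `level & ASSOC_ARRAY_KEY_CHUNK_MASK` is also evaluated twice; a local for the shift count would make the test and the shift visibly use the same value. The enclosing function starts and ends outside the hunk.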
diff --git a/queue-4.14/auxdisplay-ht16k33-fix-potential-user-after-free-on-.patch b/queue-4.14/auxdisplay-ht16k33-fix-potential-user-after-free-on-.patch
new file mode 100644 (file)
index 0000000..f113bfc
--- /dev/null
@@ -0,0 +1,44 @@
+From d8c827ab0d2fdd50cb0bcd31b8b1f62a6608fadc Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
+Date: Sat, 9 Feb 2019 00:38:45 +0100
+Subject: auxdisplay: ht16k33: fix potential user-after-free on module unload
+
+[ Upstream commit 69ef9bc54715fb1cb7786ada15774e469e822209 ]
+
+On module unload/remove, we need to ensure that work does not run
+after we have freed resources. Concretely, cancel_delayed_work()
+may return while the callback function is still running.
+
+From kernel/workqueue.c:
+
+    The work callback function may still be running on return,
+    unless it returns true and the work doesn't re-arm itself.
+    Explicitly flush or use cancel_delayed_work_sync() to wait on it.
+
+Link: https://lore.kernel.org/lkml/20190204220952.30761-1-TheSven73@googlemail.com/
+Reported-by: Sven Van Asbroeck <thesven73@gmail.com>
+Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Reviewed-by: Sven Van Asbroeck <TheSven73@gmail.com>
+Acked-by: Robin van der Gracht <robin@protonic.nl>
+Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/auxdisplay/ht16k33.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/auxdisplay/ht16k33.c b/drivers/auxdisplay/ht16k33.c
+index fbfa5b4cc567..a93ded300740 100644
+--- a/drivers/auxdisplay/ht16k33.c
++++ b/drivers/auxdisplay/ht16k33.c
+@@ -517,7 +517,7 @@ static int ht16k33_remove(struct i2c_client *client)
+       struct ht16k33_priv *priv = i2c_get_clientdata(client);
+       struct ht16k33_fbdev *fbdev = &priv->fbdev;
+-      cancel_delayed_work(&fbdev->work);
++      cancel_delayed_work_sync(&fbdev->work);
+       unregister_framebuffer(fbdev->info);
+       framebuffer_release(fbdev->info);
+       free_page((unsigned long) fbdev->buffer);
+-- 
+2.19.1
+
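Review bot: The switch to `cancel_delayed_work_sync(&fbdev->work)` in ht16k33_remove() carries no comment, although the difference from the non-sync call is the whole point of the fix. A line such as `/* wait for a running update: it must not outlive the buffer freed below */` would document it. That the work handler reads `fbdev->buffer` is an assumption from the description, since the handler is not in the hunk. It is also worth confirming that nothing reachable before `unregister_framebuffer()` returns can queue the work again after the cancel. The function continues outside the hunk.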
diff --git a/queue-4.14/clk-sunxi-a31-fix-wrong-ahb-gate-number.patch b/queue-4.14/clk-sunxi-a31-fix-wrong-ahb-gate-number.patch
new file mode 100644 (file)
index 0000000..1a1091b
--- /dev/null
@@ -0,0 +1,39 @@
+From 23dadb3ebe71ebc9a9ba629dcfa147b3d5f1124c Mon Sep 17 00:00:00 2001
+From: Andre Przywara <andre.przywara@arm.com>
+Date: Wed, 23 Jan 2019 00:59:11 +0000
+Subject: clk: sunxi: A31: Fix wrong AHB gate number
+
+[ Upstream commit ee0b27a3a4da0b0ed2318aa092f8856896e9450b ]
+
+According to the manual the gate clock for MMC3 is at bit 11, and NAND1
+is controlled by bit 12.
+
+Fix the gate bit definitions in the clock driver.
+
+Fixes: c6e6c96d8fa6 ("clk: sunxi-ng: Add A31/A31s clocks")
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/sunxi-ng/ccu-sun6i-a31.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/sunxi-ng/ccu-sun6i-a31.c b/drivers/clk/sunxi-ng/ccu-sun6i-a31.c
+index 40d5f74cb2ac..d93b4815e65c 100644
+--- a/drivers/clk/sunxi-ng/ccu-sun6i-a31.c
++++ b/drivers/clk/sunxi-ng/ccu-sun6i-a31.c
+@@ -252,9 +252,9 @@ static SUNXI_CCU_GATE(ahb1_mmc1_clk,       "ahb1-mmc1",    "ahb1",
+ static SUNXI_CCU_GATE(ahb1_mmc2_clk,  "ahb1-mmc2",    "ahb1",
+                     0x060, BIT(10), 0);
+ static SUNXI_CCU_GATE(ahb1_mmc3_clk,  "ahb1-mmc3",    "ahb1",
+-                    0x060, BIT(12), 0);
++                    0x060, BIT(11), 0);
+ static SUNXI_CCU_GATE(ahb1_nand1_clk, "ahb1-nand1",   "ahb1",
+-                    0x060, BIT(13), 0);
++                    0x060, BIT(12), 0);
+ static SUNXI_CCU_GATE(ahb1_nand0_clk, "ahb1-nand0",   "ahb1",
+                     0x060, BIT(13), 0);
+ static SUNXI_CCU_GATE(ahb1_sdram_clk, "ahb1-sdram",   "ahb1",
+-- 
+2.19.1
+
diff --git a/queue-4.14/clk-sunxi-ng-v3s-fix-tcon-reset-de-assert-bit.patch b/queue-4.14/clk-sunxi-ng-v3s-fix-tcon-reset-de-assert-bit.patch
new file mode 100644 (file)
index 0000000..fde31cf
--- /dev/null
@@ -0,0 +1,35 @@
+From 3cfcac12a7d16c3ac98a9b452ec18150b2ccf2ec Mon Sep 17 00:00:00 2001
+From: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Date: Tue, 22 Jan 2019 09:16:19 +0100
+Subject: clk: sunxi-ng: v3s: Fix TCON reset de-assert bit
+
+[ Upstream commit 5c59801f7018acba11b12de59017a3fcdcf7421d ]
+
+According to the datasheet and the reference code from Allwinner, the
+bit used to de-assert the TCON reset is bit 4, not bit 3.
+
+Fix it in the V3s CCU driver.
+
+Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/sunxi-ng/ccu-sun8i-v3s.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c
+index 621b1cd996db..ac12f261f8ca 100644
+--- a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c
++++ b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c
+@@ -542,7 +542,7 @@ static struct ccu_reset_map sun8i_v3s_ccu_resets[] = {
+       [RST_BUS_OHCI0]         =  { 0x2c0, BIT(29) },
+       [RST_BUS_VE]            =  { 0x2c4, BIT(0) },
+-      [RST_BUS_TCON0]         =  { 0x2c4, BIT(3) },
++      [RST_BUS_TCON0]         =  { 0x2c4, BIT(4) },
+       [RST_BUS_CSI]           =  { 0x2c4, BIT(8) },
+       [RST_BUS_DE]            =  { 0x2c4, BIT(12) },
+       [RST_BUS_DBG]           =  { 0x2c4, BIT(31) },
+-- 
+2.19.1
+
diff --git a/queue-4.14/drm-imx-ignore-plane-updates-on-disabled-crtcs.patch b/queue-4.14/drm-imx-ignore-plane-updates-on-disabled-crtcs.patch
new file mode 100644 (file)
index 0000000..7a7f035
--- /dev/null
@@ -0,0 +1,41 @@
+From b53267773c3d0dbde5bf828bc48e8def4eb0adf0 Mon Sep 17 00:00:00 2001
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Mon, 5 Nov 2018 16:36:07 +0100
+Subject: drm/imx: ignore plane updates on disabled crtcs
+
+[ Upstream commit 4fb873c9648e383206e0a91cef9b03aa54066aca ]
+
+This patch fixes backtraces like the following when sending SIGKILL to a
+process with a currently pending plane update:
+
+    [drm:ipu_plane_atomic_check] CRTC should be enabled
+    [drm:drm_framebuffer_remove] *ERROR* failed to commit
+    ------------[ cut here ]------------
+    WARNING: CPU: 3 PID: 63 at drivers/gpu/drm/drm_framebuffer.c:926 drm_framebuffer_remove+0x47c/0x498
+    atomic remove_fb failed with -22
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/imx/ipuv3-plane.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/imx/ipuv3-plane.c b/drivers/gpu/drm/imx/ipuv3-plane.c
+index cf98596c7ce1..d0d7f6adbc89 100644
+--- a/drivers/gpu/drm/imx/ipuv3-plane.c
++++ b/drivers/gpu/drm/imx/ipuv3-plane.c
+@@ -348,9 +348,9 @@ static int ipu_plane_atomic_check(struct drm_plane *plane,
+       if (ret)
+               return ret;
+-      /* CRTC should be enabled */
++      /* nothing to check when disabling or disabled */
+       if (!crtc_state->enable)
+-              return -EINVAL;
++              return 0;
+       switch (plane->type) {
+       case DRM_PLANE_TYPE_PRIMARY:
+-- 
+2.19.1
+
diff --git a/queue-4.14/drm-imx-imx-ldb-add-missing-of_node_puts.patch b/queue-4.14/drm-imx-imx-ldb-add-missing-of_node_puts.patch
new file mode 100644 (file)
index 0000000..2766aed
--- /dev/null
@@ -0,0 +1,118 @@
+From 7aded8716f0ec10dd01f44b0dff5b216f3333189 Mon Sep 17 00:00:00 2001
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+Date: Sun, 13 Jan 2019 09:47:42 +0100
+Subject: drm/imx: imx-ldb: add missing of_node_puts
+
+[ Upstream commit aa3312012f103f91f123600bbf768b11c8f431bc ]
+
+The device node iterators perform an of_node_get on each
+iteration, so a jump out of the loop requires an of_node_put.
+
+Move the initialization channel->child = child; down to just
+before the call to imx_ldb_register so that intervening failures
+don't need to clear it.  Add a label at the end of the function to
+do all the of_node_puts.
+
+The semantic patch that finds part of this problem is as follows
+(http://coccinelle.lip6.fr):
+
+// <smpl>
+@@
+expression root,e;
+local idexpression child;
+iterator name for_each_child_of_node;
+@@
+
+ for_each_child_of_node(root, child) {
+   ... when != of_node_put(child)
+       when != e = child
+(
+   return child;
+|
+*  return ...;
+)
+   ...
+ }
+// </smpl>
+
+Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/imx/imx-ldb.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/imx/imx-ldb.c b/drivers/gpu/drm/imx/imx-ldb.c
+index dd5312b02a8d..4f2e6c7e04c1 100644
+--- a/drivers/gpu/drm/imx/imx-ldb.c
++++ b/drivers/gpu/drm/imx/imx-ldb.c
+@@ -652,8 +652,10 @@ static int imx_ldb_bind(struct device *dev, struct device *master, void *data)
+               int bus_format;
+               ret = of_property_read_u32(child, "reg", &i);
+-              if (ret || i < 0 || i > 1)
+-                      return -EINVAL;
++              if (ret || i < 0 || i > 1) {
++                      ret = -EINVAL;
++                      goto free_child;
++              }
+               if (!of_device_is_available(child))
+                       continue;
+@@ -666,7 +668,6 @@ static int imx_ldb_bind(struct device *dev, struct device *master, void *data)
+               channel = &imx_ldb->channel[i];
+               channel->ldb = imx_ldb;
+               channel->chno = i;
+-              channel->child = child;
+               /*
+                * The output port is port@4 with an external 4-port mux or
+@@ -676,13 +677,13 @@ static int imx_ldb_bind(struct device *dev, struct device *master, void *data)
+                                                 imx_ldb->lvds_mux ? 4 : 2, 0,
+                                                 &channel->panel, &channel->bridge);
+               if (ret && ret != -ENODEV)
+-                      return ret;
++                      goto free_child;
+               /* panel ddc only if there is no bridge */
+               if (!channel->bridge) {
+                       ret = imx_ldb_panel_ddc(dev, channel, child);
+                       if (ret)
+-                              return ret;
++                              goto free_child;
+               }
+               bus_format = of_get_bus_format(dev, child);
+@@ -698,18 +699,26 @@ static int imx_ldb_bind(struct device *dev, struct device *master, void *data)
+               if (bus_format < 0) {
+                       dev_err(dev, "could not determine data mapping: %d\n",
+                               bus_format);
+-                      return bus_format;
++                      ret = bus_format;
++                      goto free_child;
+               }
+               channel->bus_format = bus_format;
++              channel->child = child;
+               ret = imx_ldb_register(drm, channel);
+-              if (ret)
+-                      return ret;
++              if (ret) {
++                      channel->child = NULL;
++                      goto free_child;
++              }
+       }
+       dev_set_drvdata(dev, imx_ldb);
+       return 0;
++
++free_child:
++      of_node_put(child);
++      return ret;
+ }
+ static void imx_ldb_unbind(struct device *dev, struct device *master,
+-- 
+2.19.1
+
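Review bot: In imx_ldb_bind() the assignment `channel->child = child;` now sits just before imx_ldb_register(), and on the success path `channel->child` keeps the pointer after the iterator has moved on. By the description's own account the iterator holds the reference on `child`, so unless imx_ldb_register() or a later user takes its own reference (not visible in these hunks), the stored pointer is a borrowed one. `channel->child = of_node_get(child);` would make the ownership explicit, with the failure path and unbind adjusted to drop that reference. The loop header and the start of the function are outside the hunks.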
diff --git a/queue-4.14/esp-skip-tx-bytes-accounting-when-sending-from-a-req.patch b/queue-4.14/esp-skip-tx-bytes-accounting-when-sending-from-a-req.patch
new file mode 100644 (file)
index 0000000..e8d8edf
--- /dev/null
@@ -0,0 +1,75 @@
+From 97cdc3fd1633623a9a3f2a68839ed3b0d4be8aaa Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin@strongswan.org>
+Date: Mon, 28 Jan 2019 09:35:35 +0100
+Subject: esp: Skip TX bytes accounting when sending from a request socket
+
+[ Upstream commit 09db51241118aeb06e1c8cd393b45879ce099b36 ]
+
+On ESP output, sk_wmem_alloc is incremented for the added padding if a
+socket is associated to the skb. When replying with TCP SYNACKs over
+IPsec, the associated sk is a casted request socket, only. Increasing
+sk_wmem_alloc on a request socket results in a write at an arbitrary
+struct offset. In the best case, this produces the following WARNING:
+
+WARNING: CPU: 1 PID: 0 at lib/refcount.c:102 esp_output_head+0x2e4/0x308 [esp4]
+refcount_t: addition on 0; use-after-free.
+CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.0.0-rc3 #2
+Hardware name: Marvell Armada 380/385 (Device Tree)
+[...]
+[<bf0ff354>] (esp_output_head [esp4]) from [<bf1006a4>] (esp_output+0xb8/0x180 [esp4])
+[<bf1006a4>] (esp_output [esp4]) from [<c05dee64>] (xfrm_output_resume+0x558/0x664)
+[<c05dee64>] (xfrm_output_resume) from [<c05d07b0>] (xfrm4_output+0x44/0xc4)
+[<c05d07b0>] (xfrm4_output) from [<c05956bc>] (tcp_v4_send_synack+0xa8/0xe8)
+[<c05956bc>] (tcp_v4_send_synack) from [<c0586ad8>] (tcp_conn_request+0x7f4/0x948)
+[<c0586ad8>] (tcp_conn_request) from [<c058c404>] (tcp_rcv_state_process+0x2a0/0xe64)
+[<c058c404>] (tcp_rcv_state_process) from [<c05958ac>] (tcp_v4_do_rcv+0xf0/0x1f4)
+[<c05958ac>] (tcp_v4_do_rcv) from [<c0598a4c>] (tcp_v4_rcv+0xdb8/0xe20)
+[<c0598a4c>] (tcp_v4_rcv) from [<c056eb74>] (ip_protocol_deliver_rcu+0x2c/0x2dc)
+[<c056eb74>] (ip_protocol_deliver_rcu) from [<c056ee6c>] (ip_local_deliver_finish+0x48/0x54)
+[<c056ee6c>] (ip_local_deliver_finish) from [<c056eecc>] (ip_local_deliver+0x54/0xec)
+[<c056eecc>] (ip_local_deliver) from [<c056efac>] (ip_rcv+0x48/0xb8)
+[<c056efac>] (ip_rcv) from [<c0519c2c>] (__netif_receive_skb_one_core+0x50/0x6c)
+[...]
+
+The issue triggers only when not using TCP syncookies, as for syncookies
+no socket is associated.
+
+Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
+Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
+Signed-off-by: Martin Willi <martin@strongswan.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/esp4.c | 2 +-
+ net/ipv6/esp6.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
+index b00e4a43b4dc..d30285c5d52d 100644
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -307,7 +307,7 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
+                       skb->len += tailen;
+                       skb->data_len += tailen;
+                       skb->truesize += tailen;
+-                      if (sk)
++                      if (sk && sk_fullsock(sk))
+                               refcount_add(tailen, &sk->sk_wmem_alloc);
+                       goto out;
+diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
+index f112fef79216..ef7822fad0fd 100644
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -275,7 +275,7 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
+                       skb->len += tailen;
+                       skb->data_len += tailen;
+                       skb->truesize += tailen;
+-                      if (sk)
++                      if (sk && sk_fullsock(sk))
+                               refcount_add(tailen, &sk->sk_wmem_alloc);
+                       goto out;
+-- 
+2.19.1
+
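Review bot: The same one-line guard is added in esp_output_head() (net/ipv4/esp4.c) and esp6_output_head() (net/ipv6/esp6.c) without a comment, although the reason is subtle. Per the description, `sk` can be a request socket cast to a full socket, and incrementing `sk_wmem_alloc` on it writes at an arbitrary struct offset. A comment above each `if (sk && sk_fullsock(sk))`, e.g. `/* sk may be a request socket, which has no sk_wmem_alloc; charge full sockets only */`, would keep the check from being dropped in a later cleanup. Both functions start and end outside the hunks, so other uses of `sk` on these paths cannot be checked from here.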
diff --git a/queue-4.14/floppy-check_events-callback-should-not-return-a-neg.patch b/queue-4.14/floppy-check_events-callback-should-not-return-a-neg.patch
new file mode 100644 (file)
index 0000000..85f9616
--- /dev/null
@@ -0,0 +1,41 @@
+From a596c7857398f472a258843dc4b14b75f3ae4f0a Mon Sep 17 00:00:00 2001
+From: Yufen Yu <yuyufen@huawei.com>
+Date: Tue, 29 Jan 2019 16:34:04 +0800
+Subject: floppy: check_events callback should not return a negative number
+
+[ Upstream commit 96d7cb932e826219ec41ac02e5af037ffae6098c ]
+
+floppy_check_events() is supposed to return bit flags to say which
+events occured. We should return zero to say that no event flags are
+set.  Only BIT(0) and BIT(1) are used in the caller. And .check_events
+interface also expect to return an unsigned int value.
+
+However, after commit a0c80efe5956, it may return -EINTR (-4u).
+Here, both BIT(0) and BIT(1) are cleared. So this patch shouldn't
+affect runtime, but it obviously is still worth fixing.
+
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: a0c80efe5956 ("floppy: fix lock_fdc() signal handling")
+Signed-off-by: Yufen Yu <yuyufen@huawei.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/floppy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index a7f212ea17bf..3ea9c3e9acb3 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -4079,7 +4079,7 @@ static unsigned int floppy_check_events(struct gendisk *disk,
+       if (time_after(jiffies, UDRS->last_checked + UDP->checkfreq)) {
+               if (lock_fdc(drive))
+-                      return -EINTR;
++                      return 0;
+               poll_drive(false, 0);
+               process_fd_request();
+       }
+-- 
+2.19.1
+
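Review bot: The `return 0;` in floppy_check_events() replaces an errno in a function declared `static unsigned int`, and a short comment would stop the errno from coming back, for example `/* returns an event bitmask; an interrupted lock reports no events */`. The rest of the function is outside the hunk.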
diff --git a/queue-4.14/gpu-ipu-v3-fix-csi-offsets-for-imx53.patch b/queue-4.14/gpu-ipu-v3-fix-csi-offsets-for-imx53.patch
new file mode 100644 (file)
index 0000000..705f03c
--- /dev/null
@@ -0,0 +1,37 @@
+From fb41c6779e62bbe4fa29507733c907b16c943c8f Mon Sep 17 00:00:00 2001
+From: Steve Longerbeam <slongerbeam@gmail.com>
+Date: Tue, 16 Oct 2018 17:31:40 -0700
+Subject: gpu: ipu-v3: Fix CSI offsets for imx53
+
+[ Upstream commit bb867d219fda7fbaabea3314702474c4eac2b91d ]
+
+The CSI offsets are wrong for both CSI0 and CSI1. They are at
+physical address 0x1e030000 and 0x1e038000 respectively.
+
+Fixes: 2ffd48f2e7 ("gpu: ipu-v3: Add Camera Sensor Interface unit")
+
+Signed-off-by: Steve Longerbeam <slongerbeam@gmail.com>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/ipu-v3/ipu-common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c
+index 5f8b31f879ca..f3a57c0500f3 100644
+--- a/drivers/gpu/ipu-v3/ipu-common.c
++++ b/drivers/gpu/ipu-v3/ipu-common.c
+@@ -910,8 +910,8 @@ static struct ipu_devtype ipu_type_imx53 = {
+       .cpmem_ofs = 0x07000000,
+       .srm_ofs = 0x07040000,
+       .tpm_ofs = 0x07060000,
+-      .csi0_ofs = 0x07030000,
+-      .csi1_ofs = 0x07038000,
++      .csi0_ofs = 0x06030000,
++      .csi1_ofs = 0x06038000,
+       .ic_ofs = 0x06020000,
+       .disp0_ofs = 0x06040000,
+       .disp1_ofs = 0x06048000,
+-- 
+2.19.1
+
diff --git a/queue-4.14/gpu-ipu-v3-fix-i.mx51-csi-control-registers-offset.patch b/queue-4.14/gpu-ipu-v3-fix-i.mx51-csi-control-registers-offset.patch
new file mode 100644 (file)
index 0000000..5f31bb8
--- /dev/null
@@ -0,0 +1,38 @@
+From 74bfe808e60d0a6546b80a5acf56c107d3a71379 Mon Sep 17 00:00:00 2001
+From: Alexander Shiyan <shc_work@mail.ru>
+Date: Thu, 20 Dec 2018 11:06:38 +0300
+Subject: gpu: ipu-v3: Fix i.MX51 CSI control registers offset
+
+[ Upstream commit 2c0408dd0d8906b26fe8023889af7adf5e68b2c2 ]
+
+The CSI0/CSI1 registers offset is at +0xe030000/+0xe038000 relative
+to the control module registers on IPUv3EX.
+This patch fixes wrong values for i.MX51 CSI0/CSI1.
+
+Fixes: 2ffd48f2e7 ("gpu: ipu-v3: Add Camera Sensor Interface unit")
+
+Signed-off-by: Alexander Shiyan <shc_work@mail.ru>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/ipu-v3/ipu-common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c
+index 2c8411b8d050..5f8b31f879ca 100644
+--- a/drivers/gpu/ipu-v3/ipu-common.c
++++ b/drivers/gpu/ipu-v3/ipu-common.c
+@@ -894,8 +894,8 @@ static struct ipu_devtype ipu_type_imx51 = {
+       .cpmem_ofs = 0x1f000000,
+       .srm_ofs = 0x1f040000,
+       .tpm_ofs = 0x1f060000,
+-      .csi0_ofs = 0x1f030000,
+-      .csi1_ofs = 0x1f038000,
++      .csi0_ofs = 0x1e030000,
++      .csi1_ofs = 0x1e038000,
+       .ic_ofs = 0x1e020000,
+       .disp0_ofs = 0x1e040000,
+       .disp1_ofs = 0x1e048000,
+-- 
+2.19.1
+
diff --git a/queue-4.14/i2c-bcm2835-clear-current-buffer-pointers-and-counts.patch b/queue-4.14/i2c-bcm2835-clear-current-buffer-pointers-and-counts.patch
new file mode 100644 (file)
index 0000000..d802a76
--- /dev/null
@@ -0,0 +1,70 @@
+From 79077ec79eb807b6409189f5c67a6fb063692d3e Mon Sep 17 00:00:00 2001
+From: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Date: Thu, 27 Dec 2018 16:42:25 +0100
+Subject: i2c: bcm2835: Clear current buffer pointers and counts after a
+ transfer
+
+[ Upstream commit f275a4659484716259cc46268d9043424e51cf0f ]
+
+The driver's interrupt handler checks whether a message is currently
+being handled with the curr_msg pointer. When it is NULL, the interrupt
+is considered to be unexpected. Similarly, the i2c_start_transfer
+routine checks for the remaining number of messages to handle in
+num_msgs.
+
+However, these values are never cleared and always keep the message and
+number relevant to the latest transfer (which might be done already and
+the underlying message memory might have been freed).
+
+When an unexpected interrupt hits with the DONE bit set, the isr will
+then try to access the flags field of the curr_msg structure, leading
+to a fatal page fault.
+
+The msg_buf and msg_buf_remaining fields are also never cleared at the
+end of the transfer, which can lead to similar pitfalls.
+
+Fix these issues by introducing a cleanup function and always calling
+it after a transfer is finished.
+
+Fixes: e2474541032d ("i2c: bcm2835: Fix hang for writing messages larger than 16 bytes")
+Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-bcm2835.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-bcm2835.c b/drivers/i2c/busses/i2c-bcm2835.c
+index 44deae78913e..4d19254f78c8 100644
+--- a/drivers/i2c/busses/i2c-bcm2835.c
++++ b/drivers/i2c/busses/i2c-bcm2835.c
+@@ -191,6 +191,15 @@ static void bcm2835_i2c_start_transfer(struct bcm2835_i2c_dev *i2c_dev)
+       bcm2835_i2c_writel(i2c_dev, BCM2835_I2C_C, c);
+ }
++static void bcm2835_i2c_finish_transfer(struct bcm2835_i2c_dev *i2c_dev)
++{
++      i2c_dev->curr_msg = NULL;
++      i2c_dev->num_msgs = 0;
++
++      i2c_dev->msg_buf = NULL;
++      i2c_dev->msg_buf_remaining = 0;
++}
++
+ /*
+  * Note about I2C_C_CLEAR on error:
+  * The I2C_C_CLEAR on errors will take some time to resolve -- if you were in
+@@ -291,6 +300,9 @@ static int bcm2835_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
+       time_left = wait_for_completion_timeout(&i2c_dev->completion,
+                                               adap->timeout);
++
++      bcm2835_i2c_finish_transfer(i2c_dev);
++
+       if (!time_left) {
+               bcm2835_i2c_writel(i2c_dev, BCM2835_I2C_C,
+                                  BCM2835_I2C_C_CLEAR);
+-- 
+2.19.1
+
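Review bot: The `bcm2835_i2c_finish_transfer(i2c_dev)` call added in `bcm2835_i2c_xfer()` clears `curr_msg` and `msg_buf` from process context with no synchronisation against the interrupt handler visible in these hunks. On the timeout path it also runs before the `BCM2835_I2C_C_CLEAR` write. The handler is outside the hunks, so this is inferred: if it tests `curr_msg` and then reads it again, an interrupt arriving during the clear could still dereference NULL, which is the fault this patch is meant to remove. Consider waiting for any in-flight handler (for example `synchronize_irq()` on the adapter's interrupt line) before clearing on the timeout path, or document on the new helper what keeps the handler from seeing the fields change under it. `bcm2835_i2c_xfer()` starts and ends outside the hunk.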
diff --git a/queue-4.14/i2c-cadence-fix-the-hold-bit-setting.patch b/queue-4.14/i2c-cadence-fix-the-hold-bit-setting.patch
new file mode 100644 (file)
index 0000000..538f9c7
--- /dev/null
@@ -0,0 +1,56 @@
+From 37c1a9f2b599b18d1a0569c9d7caafffeca43436 Mon Sep 17 00:00:00 2001
+From: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Date: Tue, 5 Feb 2019 16:42:53 +0530
+Subject: i2c: cadence: Fix the hold bit setting
+
+[ Upstream commit d358def706880defa4c9e87381c5bf086a97d5f9 ]
+
+In case the hold bit is not needed we are carrying the old values.
+Fix the same by resetting the bit when not needed.
+
+Fixes the sporadic i2c bus lockups on National Instruments
+Zynq-based devices.
+
+Fixes: df8eb5691c48 ("i2c: Add driver for Cadence I2C controller")
+Reported-by: Kyle Roeschley <kyle.roeschley@ni.com>
+Acked-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Tested-by: Kyle Roeschley <kyle.roeschley@ni.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-cadence.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c
+index b13605718291..d917cefc5a19 100644
+--- a/drivers/i2c/busses/i2c-cadence.c
++++ b/drivers/i2c/busses/i2c-cadence.c
+@@ -382,8 +382,10 @@ static void cdns_i2c_mrecv(struct cdns_i2c *id)
+        * Check for the message size against FIFO depth and set the
+        * 'hold bus' bit if it is greater than FIFO depth.
+        */
+-      if (id->recv_count > CDNS_I2C_FIFO_DEPTH)
++      if ((id->recv_count > CDNS_I2C_FIFO_DEPTH)  || id->bus_hold_flag)
+               ctrl_reg |= CDNS_I2C_CR_HOLD;
++      else
++              ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD;
+       cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET);
+@@ -440,8 +442,11 @@ static void cdns_i2c_msend(struct cdns_i2c *id)
+        * Check for the message size against FIFO depth and set the
+        * 'hold bus' bit if it is greater than FIFO depth.
+        */
+-      if (id->send_count > CDNS_I2C_FIFO_DEPTH)
++      if ((id->send_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag)
+               ctrl_reg |= CDNS_I2C_CR_HOLD;
++      else
++              ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD;
++
+       cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET);
+       /* Clear the interrupts in interrupt status register. */
+-- 
+2.19.1
+
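Review bot: The block comment above both changed conditions, in `cdns_i2c_mrecv()` and `cdns_i2c_msend()`, still describes only the FIFO-depth case, although the new code also sets the bit when `id->bus_hold_flag` is set and now clears it otherwise. It should be updated in both places, for example `/* Set 'hold bus' if the message exceeds the FIFO depth or bus_hold_flag is set; otherwise clear a stale hold bit. */`. As a style point, `ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD;` is more conventionally written `ctrl_reg &= ~CDNS_I2C_CR_HOLD;`, and the condition in `cdns_i2c_mrecv()` has a doubled space before `||` and parentheses the other operand does not need. Both functions extend beyond their hunks.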
diff --git a/queue-4.14/input-cap11xx-switch-to-using-set_brightness_blockin.patch b/queue-4.14/input-cap11xx-switch-to-using-set_brightness_blockin.patch
new file mode 100644 (file)
index 0000000..559223f
--- /dev/null
@@ -0,0 +1,101 @@
+From 2ab4c3ab975384bfe28794be3f19a510b003c607 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Tue, 5 Feb 2019 13:52:26 -0800
+Subject: Input: cap11xx - switch to using set_brightness_blocking()
+
+[ Upstream commit 628442880af8c201d307a45f3862a7a17df8a189 ]
+
+Updating LED state requires access to regmap and therefore we may sleep,
+so we could not do that directly form set_brightness() method.
+Historically we used private work to adjust the brightness, but with the
+introduction of set_brightness_blocking() we no longer need it.
+
+As a bonus, not having our own work item means we do not have
+use-after-free issue as we neglected to cancel outstanding work on
+driver unbind.
+
+Reported-by: Sven Van Asbroeck <thesven73@gmail.com>
+Reviewed-by: Sven Van Asbroeck <TheSven73@googlemail.com>
+Acked-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/cap11xx.c | 35 ++++++++++----------------------
+ 1 file changed, 11 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/input/keyboard/cap11xx.c b/drivers/input/keyboard/cap11xx.c
+index 1a1eacae3ea1..87fb48143859 100644
+--- a/drivers/input/keyboard/cap11xx.c
++++ b/drivers/input/keyboard/cap11xx.c
+@@ -75,9 +75,7 @@
+ struct cap11xx_led {
+       struct cap11xx_priv *priv;
+       struct led_classdev cdev;
+-      struct work_struct work;
+       u32 reg;
+-      enum led_brightness new_brightness;
+ };
+ #endif
+@@ -233,30 +231,21 @@ static void cap11xx_input_close(struct input_dev *idev)
+ }
+ #ifdef CONFIG_LEDS_CLASS
+-static void cap11xx_led_work(struct work_struct *work)
++static int cap11xx_led_set(struct led_classdev *cdev,
++                          enum led_brightness value)
+ {
+-      struct cap11xx_led *led = container_of(work, struct cap11xx_led, work);
++      struct cap11xx_led *led = container_of(cdev, struct cap11xx_led, cdev);
+       struct cap11xx_priv *priv = led->priv;
+-      int value = led->new_brightness;
+       /*
+-       * All LEDs share the same duty cycle as this is a HW limitation.
+-       * Brightness levels per LED are either 0 (OFF) and 1 (ON).
++       * All LEDs share the same duty cycle as this is a HW
++       * limitation. Brightness levels per LED are either
++       * 0 (OFF) and 1 (ON).
+        */
+-      regmap_update_bits(priv->regmap, CAP11XX_REG_LED_OUTPUT_CONTROL,
+-                              BIT(led->reg), value ? BIT(led->reg) : 0);
+-}
+-
+-static void cap11xx_led_set(struct led_classdev *cdev,
+-                         enum led_brightness value)
+-{
+-      struct cap11xx_led *led = container_of(cdev, struct cap11xx_led, cdev);
+-
+-      if (led->new_brightness == value)
+-              return;
+-
+-      led->new_brightness = value;
+-      schedule_work(&led->work);
++      return regmap_update_bits(priv->regmap,
++                                CAP11XX_REG_LED_OUTPUT_CONTROL,
++                                BIT(led->reg),
++                                value ? BIT(led->reg) : 0);
+ }
+ static int cap11xx_init_leds(struct device *dev,
+@@ -299,7 +288,7 @@ static int cap11xx_init_leds(struct device *dev,
+               led->cdev.default_trigger =
+                       of_get_property(child, "linux,default-trigger", NULL);
+               led->cdev.flags = 0;
+-              led->cdev.brightness_set = cap11xx_led_set;
++              led->cdev.brightness_set_blocking = cap11xx_led_set;
+               led->cdev.max_brightness = 1;
+               led->cdev.brightness = LED_OFF;
+@@ -312,8 +301,6 @@ static int cap11xx_init_leds(struct device *dev,
+               led->reg = reg;
+               led->priv = priv;
+-              INIT_WORK(&led->work, cap11xx_led_work);
+-
+               error = devm_led_classdev_register(dev, &led->cdev);
+               if (error) {
+                       of_node_put(child);
+-- 
+2.19.1
+
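Review bot: The rewritten `cap11xx_led_set()` now touches the regmap directly, but its comment does not say that this is only safe because the function is installed as `brightness_set_blocking` and may therefore sleep. A line such as `/* Registered as brightness_set_blocking: regmap access may sleep here. */` would stop a later change from wiring it back to `brightness_set`. The comment the patch rewraps also still reads "either 0 (OFF) and 1 (ON)", and since those lines are touched anyway it could become `0 (OFF) or 1 (ON)`.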
diff --git a/queue-4.14/input-matrix_keypad-use-flush_delayed_work.patch b/queue-4.14/input-matrix_keypad-use-flush_delayed_work.patch
new file mode 100644 (file)
index 0000000..25ae942
--- /dev/null
@@ -0,0 +1,34 @@
+From 7780e1b10133e163d6808bd81cc1a06b2232729e Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Thu, 7 Feb 2019 14:39:40 -0800
+Subject: Input: matrix_keypad - use flush_delayed_work()
+
+[ Upstream commit a342083abe576db43594a32d458a61fa81f7cb32 ]
+
+We should be using flush_delayed_work() instead of flush_work() in
+matrix_keypad_stop() to ensure that we are not missing work that is
+scheduled but not yet put in the workqueue (i.e. its delay timer has not
+expired yet).
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/matrix_keypad.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/input/keyboard/matrix_keypad.c b/drivers/input/keyboard/matrix_keypad.c
+index 782dda68d93a..c04559a232f7 100644
+--- a/drivers/input/keyboard/matrix_keypad.c
++++ b/drivers/input/keyboard/matrix_keypad.c
+@@ -222,7 +222,7 @@ static void matrix_keypad_stop(struct input_dev *dev)
+       keypad->stopped = true;
+       spin_unlock_irq(&keypad->lock);
+-      flush_work(&keypad->work.work);
++      flush_delayed_work(&keypad->work);
+       /*
+        * matrix_keypad_scan() will leave IRQs enabled;
+        * we should disable them now.
+-- 
+2.19.1
+
diff --git a/queue-4.14/input-ps2-gpio-flush-tx-work-when-closing-port.patch b/queue-4.14/input-ps2-gpio-flush-tx-work-when-closing-port.patch
new file mode 100644 (file)
index 0000000..5371372
--- /dev/null
@@ -0,0 +1,34 @@
+From 5277002d7f94790eb0736234a2c863454d5e79c1 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Thu, 7 Feb 2019 14:22:42 -0800
+Subject: Input: ps2-gpio - flush TX work when closing port
+
+[ Upstream commit 33a841ce5cef4ca6c18ad333248b6d273f54c839 ]
+
+To ensure that TX work is not running after serio port has been torn down,
+let's flush it when closing the port.
+
+Reported-by: Sven Van Asbroeck <thesven73@gmail.com>
+Acked-by: Danilo Krummrich <danilokrummrich@dk-develop.de>
+Reviewed-by: Sven Van Asbroeck <TheSven73@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/serio/ps2-gpio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/input/serio/ps2-gpio.c b/drivers/input/serio/ps2-gpio.c
+index b50e3817f3c4..4a64ab30589c 100644
+--- a/drivers/input/serio/ps2-gpio.c
++++ b/drivers/input/serio/ps2-gpio.c
+@@ -76,6 +76,7 @@ static void ps2_gpio_close(struct serio *serio)
+ {
+       struct ps2_gpio_data *drvdata = serio->port_data;
++      flush_delayed_work(&drvdata->tx_work);
+       disable_irq(drvdata->irq);
+ }
+-- 
+2.19.1
+
diff --git a/queue-4.14/input-pwm-vibra-prevent-unbalanced-regulator.patch b/queue-4.14/input-pwm-vibra-prevent-unbalanced-regulator.patch
new file mode 100644 (file)
index 0000000..b870113
--- /dev/null
@@ -0,0 +1,67 @@
+From 664c43d757fb00c57703dde635ed7ab39660c247 Mon Sep 17 00:00:00 2001
+From: Jonathan Bakker <xc-racer2@live.ca>
+Date: Mon, 28 Jan 2019 11:13:01 -0800
+Subject: Input: pwm-vibra - prevent unbalanced regulator
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 3ca232df9921f083c3b37ba5fbc76f4d9046268b ]
+
+pwm_vibrator_stop disables the regulator, but it can be called from
+multiple places, even when the regulator is already disabled. Fix this
+by using regulator_is_enabled check when starting and stopping device.
+
+Signed-off-by: Jonathan Bakker <xc-racer2@live.ca>
+Signed-off-by: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/pwm-vibra.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/input/misc/pwm-vibra.c b/drivers/input/misc/pwm-vibra.c
+index 55da191ae550..9df87431d7d4 100644
+--- a/drivers/input/misc/pwm-vibra.c
++++ b/drivers/input/misc/pwm-vibra.c
+@@ -34,6 +34,7 @@ struct pwm_vibrator {
+       struct work_struct play_work;
+       u16 level;
+       u32 direction_duty_cycle;
++      bool vcc_on;
+ };
+ static int pwm_vibrator_start(struct pwm_vibrator *vibrator)
+@@ -42,10 +43,13 @@ static int pwm_vibrator_start(struct pwm_vibrator *vibrator)
+       struct pwm_state state;
+       int err;
+-      err = regulator_enable(vibrator->vcc);
+-      if (err) {
+-              dev_err(pdev, "failed to enable regulator: %d", err);
+-              return err;
++      if (!vibrator->vcc_on) {
++              err = regulator_enable(vibrator->vcc);
++              if (err) {
++                      dev_err(pdev, "failed to enable regulator: %d", err);
++                      return err;
++              }
++              vibrator->vcc_on = true;
+       }
+       pwm_get_state(vibrator->pwm, &state);
+@@ -76,7 +80,10 @@ static int pwm_vibrator_start(struct pwm_vibrator *vibrator)
+ static void pwm_vibrator_stop(struct pwm_vibrator *vibrator)
+ {
+-      regulator_disable(vibrator->vcc);
++      if (vibrator->vcc_on) {
++              regulator_disable(vibrator->vcc);
++              vibrator->vcc_on = false;
++      }
+       if (vibrator->pwm_dir)
+               pwm_disable(vibrator->pwm_dir);
+-- 
+2.19.1
+
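Review bot: The new `vcc_on` flag in `struct pwm_vibrator` is tested and updated in `pwm_vibrator_start()` and `pwm_vibrator_stop()` without any lock visible in these hunks, while the commit message says stop is reached from several places. If those callers can run concurrently with the play work (not visible here), two paths could both see `vcc_on` set and call `regulator_disable()` twice, which is the imbalance this change is meant to prevent. The field should state what serialises it, for example `bool vcc_on; /* regulator enabled by us; only touched from <context> */`, or be guarded by a lock. The message also describes a `regulator_is_enabled` check while the code tracks state in a private flag. Whether `vcc_on` stays set when a later step of `pwm_vibrator_start()` fails is outside the hunk.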
diff --git a/queue-4.14/input-pwm-vibra-stop-regulator-after-disabling-pwm-n.patch b/queue-4.14/input-pwm-vibra-stop-regulator-after-disabling-pwm-n.patch
new file mode 100644 (file)
index 0000000..7e21b01
--- /dev/null
@@ -0,0 +1,49 @@
+From 984b0d83d6d9db803bac3d023a46c0872292f4b6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Chmiel?= <pawel.mikolaj.chmiel@gmail.com>
+Date: Mon, 28 Jan 2019 11:13:34 -0800
+Subject: Input: pwm-vibra - stop regulator after disabling pwm, not before
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 94803aef3533676194c772383472636c453e3147 ]
+
+This patch fixes order of disable calls in pwm_vibrator_stop.
+Currently when starting device, we first enable vcc regulator and then
+setup and enable pwm. When stopping, we should do this in oposite order,
+so first disable pwm and then disable regulator.
+Previously order was the same as in start.
+
+Signed-off-by: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/pwm-vibra.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/input/misc/pwm-vibra.c b/drivers/input/misc/pwm-vibra.c
+index 9df87431d7d4..dbb6d9e1b947 100644
+--- a/drivers/input/misc/pwm-vibra.c
++++ b/drivers/input/misc/pwm-vibra.c
+@@ -80,14 +80,14 @@ static int pwm_vibrator_start(struct pwm_vibrator *vibrator)
+ static void pwm_vibrator_stop(struct pwm_vibrator *vibrator)
+ {
++      if (vibrator->pwm_dir)
++              pwm_disable(vibrator->pwm_dir);
++      pwm_disable(vibrator->pwm);
++
+       if (vibrator->vcc_on) {
+               regulator_disable(vibrator->vcc);
+               vibrator->vcc_on = false;
+       }
+-
+-      if (vibrator->pwm_dir)
+-              pwm_disable(vibrator->pwm_dir);
+-      pwm_disable(vibrator->pwm);
+ }
+ static void pwm_vibrator_play_work(struct work_struct *work)
+-- 
+2.19.1
+
diff --git a/queue-4.14/input-st-keyscan-fix-potential-zalloc-null-dereferen.patch b/queue-4.14/input-st-keyscan-fix-potential-zalloc-null-dereferen.patch
new file mode 100644 (file)
index 0000000..a432098
--- /dev/null
@@ -0,0 +1,45 @@
+From 303d72bb3bdda502e026baf330f010c1c71b9e3f Mon Sep 17 00:00:00 2001
+From: Gabriel Fernandez <gabriel.fernandez@st.com>
+Date: Sat, 16 Feb 2019 21:10:16 -0800
+Subject: Input: st-keyscan - fix potential zalloc NULL dereference
+
+[ Upstream commit 2439d37e1bf8a34d437573c086572abe0f3f1b15 ]
+
+This patch fixes the following static checker warning:
+
+drivers/input/keyboard/st-keyscan.c:156 keyscan_probe()
+error: potential zalloc NULL dereference: 'keypad_data->input_dev'
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Gabriel Fernandez <gabriel.fernandez@st.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/st-keyscan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/input/keyboard/st-keyscan.c b/drivers/input/keyboard/st-keyscan.c
+index babcfb165e4f..3b85631fde91 100644
+--- a/drivers/input/keyboard/st-keyscan.c
++++ b/drivers/input/keyboard/st-keyscan.c
+@@ -153,6 +153,8 @@ static int keyscan_probe(struct platform_device *pdev)
+       input_dev->id.bustype = BUS_HOST;
++      keypad_data->input_dev = input_dev;
++
+       error = keypad_matrix_key_parse_dt(keypad_data);
+       if (error)
+               return error;
+@@ -168,8 +170,6 @@ static int keyscan_probe(struct platform_device *pdev)
+       input_set_drvdata(input_dev, keypad_data);
+-      keypad_data->input_dev = input_dev;
+-
+       res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+       keypad_data->base = devm_ioremap_resource(&pdev->dev, res);
+       if (IS_ERR(keypad_data->base))
+-- 
+2.19.1
+
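Review bot: The moved assignment `keypad_data->input_dev = input_dev;` in `keyscan_probe()` now has to stay ahead of `keypad_matrix_key_parse_dt(keypad_data)`, but nothing in the code records that ordering requirement. Judging by the static-checker warning quoted in the message, that helper reads `keypad_data->input_dev`; its body is not part of the hunk. A one-line comment such as `/* must be set before keypad_matrix_key_parse_dt(), which uses keypad_data->input_dev */` would keep a later cleanup from moving the line back. `keyscan_probe()` starts and ends outside the hunks.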
diff --git a/queue-4.14/ipvs-fix-dependency-on-nf_defrag_ipv6.patch b/queue-4.14/ipvs-fix-dependency-on-nf_defrag_ipv6.patch
new file mode 100644 (file)
index 0000000..4af1a70
--- /dev/null
@@ -0,0 +1,109 @@
+From 5e61552b7126a9094cb30379eb64ef17685942bf Mon Sep 17 00:00:00 2001
+From: Andrea Claudi <aclaudi@redhat.com>
+Date: Mon, 11 Feb 2019 16:14:39 +0100
+Subject: ipvs: fix dependency on nf_defrag_ipv6
+
+[ Upstream commit 098e13f5b21d3398065fce8780f07a3ef62f4812 ]
+
+ipvs relies on nf_defrag_ipv6 module to manage IPv6 fragmentation,
+but lacks proper Kconfig dependencies and does not explicitly
+request defrag features.
+
+As a result, if netfilter hooks are not loaded, when IPv6 fragmented
+packet are handled by ipvs only the first fragment makes through.
+
+Fix it properly declaring the dependency on Kconfig and registering
+netfilter hooks on ip_vs_add_service() and ip_vs_new_dest().
+
+Reported-by: Li Shuang <shuali@redhat.com>
+Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/Kconfig      |  1 +
+ net/netfilter/ipvs/ip_vs_core.c | 10 ++++------
+ net/netfilter/ipvs/ip_vs_ctl.c  | 10 ++++++++++
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig
+index b32fb0dbe237..3f8e490d1133 100644
+--- a/net/netfilter/ipvs/Kconfig
++++ b/net/netfilter/ipvs/Kconfig
+@@ -29,6 +29,7 @@ config       IP_VS_IPV6
+       bool "IPv6 support for IPVS"
+       depends on IPV6 = y || IP_VS = IPV6
+       select IP6_NF_IPTABLES
++      select NF_DEFRAG_IPV6
+       ---help---
+         Add IPv6 support to IPVS.
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
+index 1bd53b1e7672..4278f5c947ab 100644
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -1524,14 +1524,12 @@ ip_vs_try_to_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
+               /* sorry, all this trouble for a no-hit :) */
+               IP_VS_DBG_PKT(12, af, pp, skb, iph->off,
+                             "ip_vs_in: packet continues traversal as normal");
+-              if (iph->fragoffs) {
+-                      /* Fragment that couldn't be mapped to a conn entry
+-                       * is missing module nf_defrag_ipv6
+-                       */
+-                      IP_VS_DBG_RL("Unhandled frag, load nf_defrag_ipv6\n");
++
++              /* Fragment couldn't be mapped to a conn entry */
++              if (iph->fragoffs)
+                       IP_VS_DBG_PKT(7, af, pp, skb, iph->off,
+                                     "unhandled fragment");
+-              }
++
+               *verdict = NF_ACCEPT;
+               return 0;
+       }
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index dff4ead3d117..56dd5ce6274f 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -43,6 +43,7 @@
+ #ifdef CONFIG_IP_VS_IPV6
+ #include <net/ipv6.h>
+ #include <net/ip6_route.h>
++#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
+ #endif
+ #include <net/route.h>
+ #include <net/sock.h>
+@@ -888,6 +889,7 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
+ {
+       struct ip_vs_dest *dest;
+       unsigned int atype, i;
++      int ret = 0;
+       EnterFunction(2);
+@@ -898,6 +900,10 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
+                       atype & IPV6_ADDR_LINKLOCAL) &&
+                       !__ip_vs_addr_is_local_v6(svc->ipvs->net, &udest->addr.in6))
+                       return -EINVAL;
++
++              ret = nf_defrag_ipv6_enable(svc->ipvs->net);
++              if (ret)
++                      return ret;
+       } else
+ #endif
+       {
+@@ -1221,6 +1227,10 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,
+                       ret = -EINVAL;
+                       goto out_err;
+               }
++
++              ret = nf_defrag_ipv6_enable(ipvs->net);
++              if (ret)
++                      goto out_err;
+       }
+ #endif
+-- 
+2.19.1
+
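Review bot: In `ip_vs_new_dest()` the new `int ret = 0;` is declared at function scope, yet its only use shown is in the IPv6 branch that ends at the visible `#endif`, so a build without `CONFIG_IP_VS_IPV6` would likely emit an unused-variable warning. The rest of the function is outside the hunks, so first confirm there is no other use. If there is none, drop the function-scope declaration and declare `int ret;` at the top of the IPv6 branch instead. The matching hunk in `ip_vs_add_service()` uses an existing `ret` and the `out_err` label and does not have this problem.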
diff --git a/queue-4.14/ixgbe-fix-older-devices-that-do-not-support-ixgbe_mr.patch b/queue-4.14/ixgbe-fix-older-devices-that-do-not-support-ixgbe_mr.patch
new file mode 100644 (file)
index 0000000..b3bd8f0
--- /dev/null
@@ -0,0 +1,41 @@
+From 7abff80b7274e2d11ff03b9b2a42344173650a83 Mon Sep 17 00:00:00 2001
+From: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Date: Mon, 28 Jan 2019 09:45:01 -0800
+Subject: ixgbe: fix older devices that do not support IXGBE_MRQC_L3L4TXSWEN
+
+[ Upstream commit 156a67a9065e3339be85f811d1b13b920e50d73b ]
+
+The enabling L3/L4 filtering for transmit switched packets for all
+devices caused unforeseen issue on older devices when trying to send UDP
+traffic in an ordered sequence.  This bit was originally intended for X550
+devices, which supported this feature, so limit the scope of this bit to
+only X550 devices.
+
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 42183a8b649c..01c120d656c5 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -3827,8 +3827,11 @@ static void ixgbe_setup_mrqc(struct ixgbe_adapter *adapter)
+                       else
+                               mrqc = IXGBE_MRQC_VMDQRSS64EN;
+-                      /* Enable L3/L4 for Tx Switched packets */
+-                      mrqc |= IXGBE_MRQC_L3L4TXSWEN;
++                      /* Enable L3/L4 for Tx Switched packets only for X550,
++                       * older devices do not support this feature
++                       */
++                      if (hw->mac.type >= ixgbe_mac_X550)
++                              mrqc |= IXGBE_MRQC_L3L4TXSWEN;
+               } else {
+                       if (tcs > 4)
+                               mrqc = IXGBE_MRQC_RTRSS8TCEN;
+-- 
+2.19.1
+
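Review bot: The new comment in `ixgbe_setup_mrqc()` says the bit is enabled "only for X550", but the test is `hw->mac.type >= ixgbe_mac_X550`, which also matches every MAC type enumerated after X550. If that is intended, the comment should say so: `/* Enable L3/L4 for Tx Switched packets on X550 and later; older devices do not support this feature */`. If only X550 itself is meant, the comparison should be an equality or an explicit list. The function begins and ends outside the hunk, including the declaration of `hw`.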
diff --git a/queue-4.14/kasan-slab-fix-conflicts-with-config_hardened_userco.patch b/queue-4.14/kasan-slab-fix-conflicts-with-config_hardened_userco.patch
new file mode 100644 (file)
index 0000000..4917d13
--- /dev/null
@@ -0,0 +1,44 @@
+From 3f9218db9eb28f31c8b11035df7eff1a911b4ea8 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Wed, 20 Feb 2019 22:20:25 -0800
+Subject: kasan, slab: fix conflicts with CONFIG_HARDENED_USERCOPY
+
+[ Upstream commit 219667c23c68eb3dbc0d5662b9246f28477fe529 ]
+
+Similarly to commit 96fedce27e13 ("kasan: make tag based mode work with
+CONFIG_HARDENED_USERCOPY"), we need to reset pointer tags in
+__check_heap_object() in mm/slab.c before doing any pointer math.
+
+Link: http://lkml.kernel.org/r/9a5c0f958db10e69df5ff9f2b997866b56b7effc.1550602886.git.andreyknvl@google.com
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Qian Cai <cai@lca.pw>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Evgeniy Stepanov <eugenis@google.com>
+Cc: Kostya Serebryany <kcc@google.com>
+Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/slab.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/mm/slab.c b/mm/slab.c
+index 09df506ae830..409631e49295 100644
+--- a/mm/slab.c
++++ b/mm/slab.c
+@@ -4415,6 +4415,8 @@ const char *__check_heap_object(const void *ptr, unsigned long n,
+       unsigned int objnr;
+       unsigned long offset;
++      ptr = kasan_reset_tag(ptr);
++
+       /* Find and validate object. */
+       cachep = page->slab_cache;
+       objnr = obj_to_index(cachep, page, (void *)ptr);
+-- 
+2.19.1
+
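Review bot: The added `ptr = kasan_reset_tag(ptr);` in `__check_heap_object()` relies on a helper that this patch neither defines nor includes, so confirm that the 4.14 tree provides `kasan_reset_tag()` before queuing it. The message ties the change to a tag-based KASAN mode and to an earlier commit for it. If that mode was not backported to this branch, the line either fails to build or has nothing to reset. Since this function is the hardened-usercopy bounds check, a one-line comment on the new statement would also help, for example `/* strip the KASAN tag so the offset arithmetic below uses the untagged address */`. The function body continues outside the hunk.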
diff --git a/queue-4.14/kasan-slub-move-kasan_poison_slab-hook-before-page_a.patch b/queue-4.14/kasan-slub-move-kasan_poison_slab-hook-before-page_a.patch
new file mode 100644 (file)
index 0000000..80fdcfb
--- /dev/null
@@ -0,0 +1,86 @@
+From a8146d43007331bebbe675fd3acbcd6a46342a37 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Wed, 20 Feb 2019 22:19:23 -0800
+Subject: kasan, slub: move kasan_poison_slab hook before page_address
+
+[ Upstream commit a71012242837fe5e67d8c999cfc357174ed5dba0 ]
+
+With tag based KASAN page_address() looks at the page flags to see whether
+the resulting pointer needs to have a tag set.  Since we don't want to set
+a tag when page_address() is called on SLAB pages, we call
+page_kasan_tag_reset() in kasan_poison_slab().  However in allocate_slab()
+page_address() is called before kasan_poison_slab().  Fix it by changing
+the order.
+
+[andreyknvl@google.com: fix compilation error when CONFIG_SLUB_DEBUG=n]
+  Link: http://lkml.kernel.org/r/ac27cc0bbaeb414ed77bcd6671a877cf3546d56e.1550066133.git.andreyknvl@google.com
+Link: http://lkml.kernel.org/r/cd895d627465a3f1c712647072d17f10883be2a1.1549921721.git.andreyknvl@google.com
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Evgeniy Stepanov <eugenis@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Kostya Serebryany <kcc@google.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: Qian Cai <cai@lca.pw>
+Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/slub.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 220d42e592ef..f14ef59c9e57 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1087,6 +1087,16 @@ static void setup_object_debug(struct kmem_cache *s, struct page *page,
+       init_tracking(s, object);
+ }
++static void setup_page_debug(struct kmem_cache *s, void *addr, int order)
++{
++      if (!(s->flags & SLAB_POISON))
++              return;
++
++      metadata_access_enable();
++      memset(addr, POISON_INUSE, PAGE_SIZE << order);
++      metadata_access_disable();
++}
++
+ static inline int alloc_consistency_checks(struct kmem_cache *s,
+                                       struct page *page,
+                                       void *object, unsigned long addr)
+@@ -1304,6 +1314,8 @@ unsigned long kmem_cache_flags(unsigned long object_size,
+ #else /* !CONFIG_SLUB_DEBUG */
+ static inline void setup_object_debug(struct kmem_cache *s,
+                       struct page *page, void *object) {}
++static inline void setup_page_debug(struct kmem_cache *s,
++                      void *addr, int order) {}
+ static inline int alloc_debug_processing(struct kmem_cache *s,
+       struct page *page, void *object, unsigned long addr) { return 0; }
+@@ -1599,12 +1611,11 @@ static struct page *allocate_slab(struct kmem_cache *s, gfp_t flags, int node)
+       if (page_is_pfmemalloc(page))
+               SetPageSlabPfmemalloc(page);
+-      start = page_address(page);
++      kasan_poison_slab(page);
+-      if (unlikely(s->flags & SLAB_POISON))
+-              memset(start, POISON_INUSE, PAGE_SIZE << order);
++      start = page_address(page);
+-      kasan_poison_slab(page);
++      setup_page_debug(s, start, order);
+       shuffle = shuffle_freelist(s, page);
+-- 
+2.19.1
+
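Review bot: `setup_page_debug()` wraps the `POISON_INUSE` memset in `metadata_access_enable()` / `metadata_access_disable()`, which the removed open-coded memset in `allocate_slab()` did not do, and neither the code nor the commit message says why. Presumably it is needed because `kasan_poison_slab(page)` now runs before the fill, so the write lands on memory KASAN already treats as poisoned. A one-line comment would stop a later cleanup from removing the wrapper, e.g. `/* slab is already KASAN-poisoned here; suppress reports for the debug fill */`. The helper also drops the `unlikely()` hint the old branch carried, which is harmless. `allocate_slab()` continues outside the hunk.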
diff --git a/queue-4.14/keys-fix-dependency-loop-between-construction-record.patch b/queue-4.14/keys-fix-dependency-loop-between-construction-record.patch
new file mode 100644 (file)
index 0000000..bb90ce3
--- /dev/null
@@ -0,0 +1,531 @@
+From 8857b8d38602ede2ddd5662926f91ada5507384c Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 14 Feb 2019 16:20:25 +0000
+Subject: keys: Fix dependency loop between construction record and auth key
+
+[ Upstream commit 822ad64d7e46a8e2c8b8a796738d7b657cbb146d ]
+
+In the request_key() upcall mechanism there's a dependency loop by which if
+a key type driver overrides the ->request_key hook and the userspace side
+manages to lose the authorisation key, the auth key and the internal
+construction record (struct key_construction) can keep each other pinned.
+
+Fix this by the following changes:
+
+ (1) Killing off the construction record and using the auth key instead.
+
+ (2) Including the operation name in the auth key payload and making the
+     payload available outside of security/keys/.
+
+ (3) The ->request_key hook is given the authkey instead of the cons
+     record and operation name.
+
+Changes (2) and (3) allow the auth key to naturally be cleaned up if the
+keyring it is in is destroyed or cleared or the auth key is unlinked.
+
+Fixes: 7ee02a316600 ("keys: Fix dependency loop between construction record and auth key")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4idmap.c                   | 31 ++++++------
+ include/keys/request_key_auth-type.h | 36 ++++++++++++++
+ include/linux/key-type.h             | 22 +++------
+ security/keys/internal.h             | 13 +----
+ security/keys/keyctl.c               |  1 +
+ security/keys/process_keys.c         |  1 +
+ security/keys/request_key.c          | 72 +++++++++++-----------------
+ security/keys/request_key_auth.c     | 16 ++++---
+ 8 files changed, 100 insertions(+), 92 deletions(-)
+ create mode 100644 include/keys/request_key_auth-type.h
+
+diff --git a/fs/nfs/nfs4idmap.c b/fs/nfs/nfs4idmap.c
+index b6f9d84ba19b..ae2d6f220627 100644
+--- a/fs/nfs/nfs4idmap.c
++++ b/fs/nfs/nfs4idmap.c
+@@ -44,6 +44,7 @@
+ #include <linux/keyctl.h>
+ #include <linux/key-type.h>
+ #include <keys/user-type.h>
++#include <keys/request_key_auth-type.h>
+ #include <linux/module.h>
+ #include "internal.h"
+@@ -59,7 +60,7 @@ static struct key_type key_type_id_resolver_legacy;
+ struct idmap_legacy_upcalldata {
+       struct rpc_pipe_msg pipe_msg;
+       struct idmap_msg idmap_msg;
+-      struct key_construction *key_cons;
++      struct key      *authkey;
+       struct idmap *idmap;
+ };
+@@ -384,7 +385,7 @@ static const match_table_t nfs_idmap_tokens = {
+       { Opt_find_err, NULL }
+ };
+-static int nfs_idmap_legacy_upcall(struct key_construction *, const char *, void *);
++static int nfs_idmap_legacy_upcall(struct key *, void *);
+ static ssize_t idmap_pipe_downcall(struct file *, const char __user *,
+                                  size_t);
+ static void idmap_release_pipe(struct inode *);
+@@ -545,11 +546,12 @@ nfs_idmap_prepare_pipe_upcall(struct idmap *idmap,
+ static void
+ nfs_idmap_complete_pipe_upcall_locked(struct idmap *idmap, int ret)
+ {
+-      struct key_construction *cons = idmap->idmap_upcall_data->key_cons;
++      struct key *authkey = idmap->idmap_upcall_data->authkey;
+       kfree(idmap->idmap_upcall_data);
+       idmap->idmap_upcall_data = NULL;
+-      complete_request_key(cons, ret);
++      complete_request_key(authkey, ret);
++      key_put(authkey);
+ }
+ static void
+@@ -559,15 +561,14 @@ nfs_idmap_abort_pipe_upcall(struct idmap *idmap, int ret)
+               nfs_idmap_complete_pipe_upcall_locked(idmap, ret);
+ }
+-static int nfs_idmap_legacy_upcall(struct key_construction *cons,
+-                                 const char *op,
+-                                 void *aux)
++static int nfs_idmap_legacy_upcall(struct key *authkey, void *aux)
+ {
+       struct idmap_legacy_upcalldata *data;
++      struct request_key_auth *rka = get_request_key_auth(authkey);
+       struct rpc_pipe_msg *msg;
+       struct idmap_msg *im;
+       struct idmap *idmap = (struct idmap *)aux;
+-      struct key *key = cons->key;
++      struct key *key = rka->target_key;
+       int ret = -ENOKEY;
+       if (!aux)
+@@ -582,7 +583,7 @@ static int nfs_idmap_legacy_upcall(struct key_construction *cons,
+       msg = &data->pipe_msg;
+       im = &data->idmap_msg;
+       data->idmap = idmap;
+-      data->key_cons = cons;
++      data->authkey = key_get(authkey);
+       ret = nfs_idmap_prepare_message(key->description, idmap, im, msg);
+       if (ret < 0)
+@@ -600,7 +601,7 @@ static int nfs_idmap_legacy_upcall(struct key_construction *cons,
+ out2:
+       kfree(data);
+ out1:
+-      complete_request_key(cons, ret);
++      complete_request_key(authkey, ret);
+       return ret;
+ }
+@@ -647,9 +648,10 @@ out:
+ static ssize_t
+ idmap_pipe_downcall(struct file *filp, const char __user *src, size_t mlen)
+ {
++      struct request_key_auth *rka;
+       struct rpc_inode *rpci = RPC_I(file_inode(filp));
+       struct idmap *idmap = (struct idmap *)rpci->private;
+-      struct key_construction *cons;
++      struct key *authkey;
+       struct idmap_msg im;
+       size_t namelen_in;
+       int ret = -ENOKEY;
+@@ -661,7 +663,8 @@ idmap_pipe_downcall(struct file *filp, const char __user *src, size_t mlen)
+       if (idmap->idmap_upcall_data == NULL)
+               goto out_noupcall;
+-      cons = idmap->idmap_upcall_data->key_cons;
++      authkey = idmap->idmap_upcall_data->authkey;
++      rka = get_request_key_auth(authkey);
+       if (mlen != sizeof(im)) {
+               ret = -ENOSPC;
+@@ -686,9 +689,9 @@ idmap_pipe_downcall(struct file *filp, const char __user *src, size_t mlen)
+       ret = nfs_idmap_read_and_verify_message(&im,
+                       &idmap->idmap_upcall_data->idmap_msg,
+-                      cons->key, cons->authkey);
++                      rka->target_key, authkey);
+       if (ret >= 0) {
+-              key_set_timeout(cons->key, nfs_idmap_cache_timeout);
++              key_set_timeout(rka->target_key, nfs_idmap_cache_timeout);
+               ret = mlen;
+       }
+diff --git a/include/keys/request_key_auth-type.h b/include/keys/request_key_auth-type.h
+new file mode 100644
+index 000000000000..a726dd3f1dc6
+--- /dev/null
++++ b/include/keys/request_key_auth-type.h
+@@ -0,0 +1,36 @@
++/* request_key authorisation token key type
++ *
++ * Copyright (C) 2005 Red Hat, Inc. All Rights Reserved.
++ * Written by David Howells (dhowells@redhat.com)
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public Licence
++ * as published by the Free Software Foundation; either version
++ * 2 of the Licence, or (at your option) any later version.
++ */
++
++#ifndef _KEYS_REQUEST_KEY_AUTH_TYPE_H
++#define _KEYS_REQUEST_KEY_AUTH_TYPE_H
++
++#include <linux/key.h>
++
++/*
++ * Authorisation record for request_key().
++ */
++struct request_key_auth {
++      struct key              *target_key;
++      struct key              *dest_keyring;
++      const struct cred       *cred;
++      void                    *callout_info;
++      size_t                  callout_len;
++      pid_t                   pid;
++      char                    op[8];
++} __randomize_layout;
++
++static inline struct request_key_auth *get_request_key_auth(const struct key *key)
++{
++      return key->payload.data[0];
++}
++
++
++#endif /* _KEYS_REQUEST_KEY_AUTH_TYPE_H */
+diff --git a/include/linux/key-type.h b/include/linux/key-type.h
+index 9520fc3c3b9a..dfb3ba782d2c 100644
+--- a/include/linux/key-type.h
++++ b/include/linux/key-type.h
+@@ -17,15 +17,6 @@
+ #ifdef CONFIG_KEYS
+-/*
+- * key under-construction record
+- * - passed to the request_key actor if supplied
+- */
+-struct key_construction {
+-      struct key      *key;   /* key being constructed */
+-      struct key      *authkey;/* authorisation for key being constructed */
+-};
+-
+ /*
+  * Pre-parsed payload, used by key add, update and instantiate.
+  *
+@@ -47,8 +38,7 @@ struct key_preparsed_payload {
+       time_t          expiry;         /* Expiry time of key */
+ } __randomize_layout;
+-typedef int (*request_key_actor_t)(struct key_construction *key,
+-                                 const char *op, void *aux);
++typedef int (*request_key_actor_t)(struct key *auth_key, void *aux);
+ /*
+  * Preparsed matching criterion.
+@@ -170,20 +160,20 @@ extern int key_instantiate_and_link(struct key *key,
+                                   const void *data,
+                                   size_t datalen,
+                                   struct key *keyring,
+-                                  struct key *instkey);
++                                  struct key *authkey);
+ extern int key_reject_and_link(struct key *key,
+                              unsigned timeout,
+                              unsigned error,
+                              struct key *keyring,
+-                             struct key *instkey);
+-extern void complete_request_key(struct key_construction *cons, int error);
++                             struct key *authkey);
++extern void complete_request_key(struct key *authkey, int error);
+ static inline int key_negate_and_link(struct key *key,
+                                     unsigned timeout,
+                                     struct key *keyring,
+-                                    struct key *instkey)
++                                    struct key *authkey)
+ {
+-      return key_reject_and_link(key, timeout, ENOKEY, keyring, instkey);
++      return key_reject_and_link(key, timeout, ENOKEY, keyring, authkey);
+ }
+ extern int generic_key_instantiate(struct key *key, struct key_preparsed_payload *prep);
+diff --git a/security/keys/internal.h b/security/keys/internal.h
+index 503adbae7b0d..e3a573840186 100644
+--- a/security/keys/internal.h
++++ b/security/keys/internal.h
+@@ -188,20 +188,9 @@ static inline int key_permission(const key_ref_t key_ref, unsigned perm)
+       return key_task_permission(key_ref, current_cred(), perm);
+ }
+-/*
+- * Authorisation record for request_key().
+- */
+-struct request_key_auth {
+-      struct key              *target_key;
+-      struct key              *dest_keyring;
+-      const struct cred       *cred;
+-      void                    *callout_info;
+-      size_t                  callout_len;
+-      pid_t                   pid;
+-} __randomize_layout;
+-
+ extern struct key_type key_type_request_key_auth;
+ extern struct key *request_key_auth_new(struct key *target,
++                                      const char *op,
+                                       const void *callout_info,
+                                       size_t callout_len,
+                                       struct key *dest_keyring);
+diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
+index 1ffe60bb2845..ca31af186abd 100644
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -26,6 +26,7 @@
+ #include <linux/security.h>
+ #include <linux/uio.h>
+ #include <linux/uaccess.h>
++#include <keys/request_key_auth-type.h>
+ #include "internal.h"
+ #define KEY_MAX_DESC_SIZE 4096
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+index 740affd65ee9..5f2993ab2d50 100644
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -20,6 +20,7 @@
+ #include <linux/security.h>
+ #include <linux/user_namespace.h>
+ #include <linux/uaccess.h>
++#include <keys/request_key_auth-type.h>
+ #include "internal.h"
+ /* Session keyring create vs join semaphore */
+diff --git a/security/keys/request_key.c b/security/keys/request_key.c
+index c707fdbb3429..2ecd67221476 100644
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -18,31 +18,30 @@
+ #include <linux/keyctl.h>
+ #include <linux/slab.h>
+ #include "internal.h"
++#include <keys/request_key_auth-type.h>
+ #define key_negative_timeout  60      /* default timeout on a negative key's existence */
+ /**
+  * complete_request_key - Complete the construction of a key.
+- * @cons: The key construction record.
++ * @auth_key: The authorisation key.
+  * @error: The success or failute of the construction.
+  *
+  * Complete the attempt to construct a key.  The key will be negated
+  * if an error is indicated.  The authorisation key will be revoked
+  * unconditionally.
+  */
+-void complete_request_key(struct key_construction *cons, int error)
++void complete_request_key(struct key *authkey, int error)
+ {
+-      kenter("{%d,%d},%d", cons->key->serial, cons->authkey->serial, error);
++      struct request_key_auth *rka = get_request_key_auth(authkey);
++      struct key *key = rka->target_key;
++
++      kenter("%d{%d},%d", authkey->serial, key->serial, error);
+       if (error < 0)
+-              key_negate_and_link(cons->key, key_negative_timeout, NULL,
+-                                  cons->authkey);
++              key_negate_and_link(key, key_negative_timeout, NULL, authkey);
+       else
+-              key_revoke(cons->authkey);
+-
+-      key_put(cons->key);
+-      key_put(cons->authkey);
+-      kfree(cons);
++              key_revoke(authkey);
+ }
+ EXPORT_SYMBOL(complete_request_key);
+@@ -91,21 +90,19 @@ static int call_usermodehelper_keys(const char *path, char **argv, char **envp,
+  * Request userspace finish the construction of a key
+  * - execute "/sbin/request-key <op> <key> <uid> <gid> <keyring> <keyring> <keyring>"
+  */
+-static int call_sbin_request_key(struct key_construction *cons,
+-                               const char *op,
+-                               void *aux)
++static int call_sbin_request_key(struct key *authkey, void *aux)
+ {
+       static char const request_key[] = "/sbin/request-key";
++      struct request_key_auth *rka = get_request_key_auth(authkey);
+       const struct cred *cred = current_cred();
+       key_serial_t prkey, sskey;
+-      struct key *key = cons->key, *authkey = cons->authkey, *keyring,
+-              *session;
++      struct key *key = rka->target_key, *keyring, *session;
+       char *argv[9], *envp[3], uid_str[12], gid_str[12];
+       char key_str[12], keyring_str[3][12];
+       char desc[20];
+       int ret, i;
+-      kenter("{%d},{%d},%s", key->serial, authkey->serial, op);
++      kenter("{%d},{%d},%s", key->serial, authkey->serial, rka->op);
+       ret = install_user_keyrings();
+       if (ret < 0)
+@@ -163,7 +160,7 @@ static int call_sbin_request_key(struct key_construction *cons,
+       /* set up the argument list */
+       i = 0;
+       argv[i++] = (char *)request_key;
+-      argv[i++] = (char *) op;
++      argv[i++] = (char *)rka->op;
+       argv[i++] = key_str;
+       argv[i++] = uid_str;
+       argv[i++] = gid_str;
+@@ -191,7 +188,7 @@ error_link:
+       key_put(keyring);
+ error_alloc:
+-      complete_request_key(cons, ret);
++      complete_request_key(authkey, ret);
+       kleave(" = %d", ret);
+       return ret;
+ }
+@@ -205,42 +202,31 @@ static int construct_key(struct key *key, const void *callout_info,
+                        size_t callout_len, void *aux,
+                        struct key *dest_keyring)
+ {
+-      struct key_construction *cons;
+       request_key_actor_t actor;
+       struct key *authkey;
+       int ret;
+       kenter("%d,%p,%zu,%p", key->serial, callout_info, callout_len, aux);
+-      cons = kmalloc(sizeof(*cons), GFP_KERNEL);
+-      if (!cons)
+-              return -ENOMEM;
+-
+       /* allocate an authorisation key */
+-      authkey = request_key_auth_new(key, callout_info, callout_len,
++      authkey = request_key_auth_new(key, "create", callout_info, callout_len,
+                                      dest_keyring);
+-      if (IS_ERR(authkey)) {
+-              kfree(cons);
+-              ret = PTR_ERR(authkey);
+-              authkey = NULL;
+-      } else {
+-              cons->authkey = key_get(authkey);
+-              cons->key = key_get(key);
++      if (IS_ERR(authkey))
++              return PTR_ERR(authkey);
+-              /* make the call */
+-              actor = call_sbin_request_key;
+-              if (key->type->request_key)
+-                      actor = key->type->request_key;
++      /* Make the call */
++      actor = call_sbin_request_key;
++      if (key->type->request_key)
++              actor = key->type->request_key;
+-              ret = actor(cons, "create", aux);
++      ret = actor(authkey, aux);
+-              /* check that the actor called complete_request_key() prior to
+-               * returning an error */
+-              WARN_ON(ret < 0 &&
+-                      !test_bit(KEY_FLAG_REVOKED, &authkey->flags));
+-              key_put(authkey);
+-      }
++      /* check that the actor called complete_request_key() prior to
++       * returning an error */
++      WARN_ON(ret < 0 &&
++              !test_bit(KEY_FLAG_REVOKED, &authkey->flags));
++      key_put(authkey);
+       kleave(" = %d", ret);
+       return ret;
+ }
+@@ -275,7 +261,7 @@ static int construct_get_dest_keyring(struct key **_dest_keyring)
+                       if (cred->request_key_auth) {
+                               authkey = cred->request_key_auth;
+                               down_read(&authkey->sem);
+-                              rka = authkey->payload.data[0];
++                              rka = get_request_key_auth(authkey);
+                               if (!test_bit(KEY_FLAG_REVOKED,
+                                             &authkey->flags))
+                                       dest_keyring =
+diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
+index 6797843154f0..5e515791ccd1 100644
+--- a/security/keys/request_key_auth.c
++++ b/security/keys/request_key_auth.c
+@@ -18,7 +18,7 @@
+ #include <linux/slab.h>
+ #include <linux/uaccess.h>
+ #include "internal.h"
+-#include <keys/user-type.h>
++#include <keys/request_key_auth-type.h>
+ static int request_key_auth_preparse(struct key_preparsed_payload *);
+ static void request_key_auth_free_preparse(struct key_preparsed_payload *);
+@@ -69,7 +69,7 @@ static int request_key_auth_instantiate(struct key *key,
+ static void request_key_auth_describe(const struct key *key,
+                                     struct seq_file *m)
+ {
+-      struct request_key_auth *rka = key->payload.data[0];
++      struct request_key_auth *rka = get_request_key_auth(key);
+       seq_puts(m, "key:");
+       seq_puts(m, key->description);
+@@ -84,7 +84,7 @@ static void request_key_auth_describe(const struct key *key,
+ static long request_key_auth_read(const struct key *key,
+                                 char __user *buffer, size_t buflen)
+ {
+-      struct request_key_auth *rka = key->payload.data[0];
++      struct request_key_auth *rka = get_request_key_auth(key);
+       size_t datalen;
+       long ret;
+@@ -110,7 +110,7 @@ static long request_key_auth_read(const struct key *key,
+  */
+ static void request_key_auth_revoke(struct key *key)
+ {
+-      struct request_key_auth *rka = key->payload.data[0];
++      struct request_key_auth *rka = get_request_key_auth(key);
+       kenter("{%d}", key->serial);
+@@ -137,7 +137,7 @@ static void free_request_key_auth(struct request_key_auth *rka)
+  */
+ static void request_key_auth_destroy(struct key *key)
+ {
+-      struct request_key_auth *rka = key->payload.data[0];
++      struct request_key_auth *rka = get_request_key_auth(key);
+       kenter("{%d}", key->serial);
+@@ -148,8 +148,9 @@ static void request_key_auth_destroy(struct key *key)
+  * Create an authorisation token for /sbin/request-key or whoever to gain
+  * access to the caller's security data.
+  */
+-struct key *request_key_auth_new(struct key *target, const void *callout_info,
+-                               size_t callout_len, struct key *dest_keyring)
++struct key *request_key_auth_new(struct key *target, const char *op,
++                               const void *callout_info, size_t callout_len,
++                               struct key *dest_keyring)
+ {
+       struct request_key_auth *rka, *irka;
+       const struct cred *cred = current->cred;
+@@ -167,6 +168,7 @@ struct key *request_key_auth_new(struct key *target, const void *callout_info,
+       if (!rka->callout_info)
+               goto error_free_rka;
+       rka->callout_len = callout_len;
++      strlcpy(rka->op, op, sizeof(rka->op));
+       /* see if the calling process is already servicing the key request of
+        * another process */
+-- 
+2.19.1
+
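Review bot: `nfs_idmap_legacy_upcall()` takes a reference with `data->authkey = key_get(authkey);`, but the `out2:` path only does `kfree(data);` before `complete_request_key(authkey, ret);`, and after this patch `complete_request_key()` no longer drops any reference. If `out2` is reached after the `key_get()`, that reference is never released and the auth key stays pinned, which is the kind of lifetime problem the patch sets out to remove. The `goto` statements sit outside the inner hunk, but the `if (ret < 0)` right after `nfs_idmap_prepare_message()` suggests they do reach it. Adding `key_put(data->authkey);` before `kfree(data);` at `out2` would balance it. Separately, `strlcpy(rka->op, op, sizeof(rka->op));` silently truncates to 7 characters; only "create" is passed today, so a short comment on `char op[8]` stating that limit would be enough.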
diff --git a/queue-4.14/kvm-arm-arm64-reset-the-vcpu-without-preemption-and-.patch b/queue-4.14/kvm-arm-arm64-reset-the-vcpu-without-preemption-and-.patch
new file mode 100644 (file)
index 0000000..7c96a9f
--- /dev/null
@@ -0,0 +1,87 @@
+From 816251e46d9f4021a26cf3b2dd02a09d34f7b8e2 Mon Sep 17 00:00:00 2001
+From: Christoffer Dall <christoffer.dall@arm.com>
+Date: Thu, 20 Dec 2018 12:44:05 +0100
+Subject: KVM: arm/arm64: Reset the VCPU without preemption and vcpu state
+ loaded
+
+[ Upstream commit e761a927bc9a7ee6ceb7c4f63d5922dbced87f0d ]
+
+We have two ways to reset a vcpu:
+- either through VCPU_INIT
+- or through a PSCI_ON call
+
+The first one is easy to reason about. The second one is implemented
+in a more bizarre way, as it is the vcpu that handles PSCI_ON that
+resets the vcpu that is being powered-on. As we need to turn the logic
+around and have the target vcpu to reset itself, we must take some
+preliminary steps.
+
+Resetting the VCPU state modifies the system register state in memory,
+but this may interact with vcpu_load/vcpu_put if running with preemption
+disabled, which in turn may lead to corrupted system register state.
+
+Address this by disabling preemption and doing put/load if required
+around the reset logic.
+
+Reviewed-by: Andrew Jones <drjones@redhat.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kvm/reset.c | 26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/kvm/reset.c b/arch/arm64/kvm/reset.c
+index a74311beda35..c1c5a57249d2 100644
+--- a/arch/arm64/kvm/reset.c
++++ b/arch/arm64/kvm/reset.c
+@@ -95,16 +95,33 @@ int kvm_arch_dev_ioctl_check_extension(struct kvm *kvm, long ext)
+  * This function finds the right table above and sets the registers on
+  * the virtual CPU struct to their architecturally defined reset
+  * values.
++ *
++ * Note: This function can be called from two paths: The KVM_ARM_VCPU_INIT
++ * ioctl or as part of handling a request issued by another VCPU in the PSCI
++ * handling code.  In the first case, the VCPU will not be loaded, and in the
++ * second case the VCPU will be loaded.  Because this function operates purely
++ * on the memory-backed valus of system registers, we want to do a full put if
++ * we were loaded (handling a request) and load the values back at the end of
++ * the function.  Otherwise we leave the state alone.  In both cases, we
++ * disable preemption around the vcpu reset as we would otherwise race with
++ * preempt notifiers which also call put/load.
+  */
+ int kvm_reset_vcpu(struct kvm_vcpu *vcpu)
+ {
+       const struct kvm_regs *cpu_reset;
++      int ret = -EINVAL;
++      bool loaded;
++
++      preempt_disable();
++      loaded = (vcpu->cpu != -1);
++      if (loaded)
++              kvm_arch_vcpu_put(vcpu);
+       switch (vcpu->arch.target) {
+       default:
+               if (test_bit(KVM_ARM_VCPU_EL1_32BIT, vcpu->arch.features)) {
+                       if (!cpu_has_32bit_el1())
+-                              return -EINVAL;
++                              goto out;
+                       cpu_reset = &default_regs_reset32;
+               } else {
+                       cpu_reset = &default_regs_reset;
+@@ -127,5 +144,10 @@ int kvm_reset_vcpu(struct kvm_vcpu *vcpu)
+               vcpu->arch.workaround_flags |= VCPU_WORKAROUND_2_FLAG;
+       /* Reset timer */
+-      return kvm_timer_vcpu_reset(vcpu);
++      ret = kvm_timer_vcpu_reset(vcpu);
++out:
++      if (loaded)
++              kvm_arch_vcpu_load(vcpu, smp_processor_id());
++      preempt_enable();
++      return ret;
+ }
+-- 
+2.19.1
+
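Review bot: Everything between `preempt_disable()` and `preempt_enable()` in `kvm_reset_vcpu()` now runs in atomic context, including the reset calls that sit between the two inner hunks and `kvm_timer_vcpu_reset(vcpu)`. None of those callees is visible here, so for the 4.14 backport it is worth confirming that none of them can sleep in this tree (mutexes, GFP_KERNEL allocations). `loaded = (vcpu->cpu != -1);` also depends on the put path resetting `vcpu->cpu`, an assumption the new comment block does not state. A short comment such as `/* vcpu->cpu is -1 whenever the vcpu is not loaded on a physical CPU */` would make that checkable.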
diff --git a/queue-4.14/mac80211-fix-tx-aggregation-session-tear-down-with-i.patch b/queue-4.14/mac80211-fix-tx-aggregation-session-tear-down-with-i.patch
new file mode 100644 (file)
index 0000000..ab9ec1c
--- /dev/null
@@ -0,0 +1,56 @@
+From 5f479efd921f08a4a9f64db734c46e86ff6454de Mon Sep 17 00:00:00 2001
+From: Ilan Peer <ilan.peer@intel.com>
+Date: Wed, 6 Feb 2019 13:17:21 +0200
+Subject: mac80211: Fix Tx aggregation session tear down with ITXQs
+
+[ Upstream commit 6157ca0d6bfe437691b1e98a62e2efe12b6714da ]
+
+When mac80211 requests the low level driver to stop an ongoing
+Tx aggregation, the low level driver is expected to call
+ieee80211_stop_tx_ba_cb_irqsafe() to indicate that it is ready
+to stop the session. The callback in turn schedules a worker
+to complete the session tear down, which in turn also handles
+the relevant state for the intermediate Tx queue.
+
+However, as this flow in asynchronous, the intermediate queue
+should be stopped and not continue servicing frames, as in
+such a case frames that are dequeued would be marked as part
+of an aggregation, although the aggregation is already been
+stopped.
+
+Fix this by stopping the intermediate Tx queue, before
+calling the low level driver to stop the Tx aggregation.
+
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/agg-tx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
+index 197947a07f83..ed57db9b6086 100644
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -8,7 +8,7 @@
+  * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
+  * Copyright 2007-2010, Intel Corporation
+  * Copyright(c) 2015-2017 Intel Deutschland GmbH
+- * Copyright (C) 2018 Intel Corporation
++ * Copyright (C) 2018 - 2019 Intel Corporation
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 as
+@@ -361,6 +361,8 @@ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
+       set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state);
++      ieee80211_agg_stop_txq(sta, tid);
++
+       spin_unlock_bh(&sta->lock);
+       ht_dbg(sta->sdata, "Tx BA session stop requested for %pM tid %u\n",
+-- 
+2.19.1
+
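Review bot: `ieee80211_agg_stop_txq(sta, tid);` is added while `sta->lock` is still held (the `spin_unlock_bh(&sta->lock)` follows it), so the helper has to be safe to call in that context, and nothing at the call site says why the queue is stopped at this point. A comment would carry the reasoning over from the commit message, e.g. `/* stop the iTXQ now so frames dequeued during the async teardown are not marked as aggregated */`. It would also help to say where the queue is started again if the driver rejects the stop request; that path is outside the hunk, so I cannot tell whether it is covered.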
diff --git a/queue-4.14/mac80211_hwsim-propagate-genlmsg_reply-return-code.patch b/queue-4.14/mac80211_hwsim-propagate-genlmsg_reply-return-code.patch
new file mode 100644 (file)
index 0000000..1791461
--- /dev/null
@@ -0,0 +1,32 @@
+From 40259f10ec7b9b60aa4942b121a3c291fcc1abfc Mon Sep 17 00:00:00 2001
+From: Li RongQing <lirongqing@baidu.com>
+Date: Tue, 19 Feb 2019 13:12:40 +0800
+Subject: mac80211_hwsim: propagate genlmsg_reply return code
+
+[ Upstream commit 17407715240456448e4989bee46ffc93991add83 ]
+
+genlmsg_reply can fail, so propagate its return code
+
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index 8f57ca969c9f..27224dc26413 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -3241,7 +3241,7 @@ static int hwsim_get_radio_nl(struct sk_buff *msg, struct genl_info *info)
+                       goto out_err;
+               }
+-              genlmsg_reply(skb, info);
++              res = genlmsg_reply(skb, info);
+               break;
+       }
+-- 
+2.19.1
+
diff --git a/queue-4.14/mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-tim.patch b/queue-4.14/mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-tim.patch
new file mode 100644 (file)
index 0000000..f4ba6dc
--- /dev/null
@@ -0,0 +1,40 @@
+From 0bb42df6c9991ab7c90ed142c10d2da773b04a3f Mon Sep 17 00:00:00 2001
+From: Rayagonda Kokatanur <rayagonda.kokatanur@broadcom.com>
+Date: Mon, 4 Feb 2019 11:21:29 -0800
+Subject: mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush timeout issue
+
+[ Upstream commit d7bf31a0f85faaf63c63c39d55154825a1eaaea9 ]
+
+RING_CONTROL reg was not written due to wrong address, hence all
+the subsequent ring flush was timing out.
+
+Fixes: a371c10ea4b3 ("mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush sequence")
+
+Signed-off-by: Rayagonda Kokatanur <rayagonda.kokatanur@broadcom.com>
+Signed-off-by: Ray Jui <ray.jui@broadcom.com>
+Reviewed-by: Scott Branden <scott.branden@broadcom.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/bcm-flexrm-mailbox.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mailbox/bcm-flexrm-mailbox.c b/drivers/mailbox/bcm-flexrm-mailbox.c
+index f052a3eb2098..7e3ed2714630 100644
+--- a/drivers/mailbox/bcm-flexrm-mailbox.c
++++ b/drivers/mailbox/bcm-flexrm-mailbox.c
+@@ -1381,9 +1381,9 @@ static void flexrm_shutdown(struct mbox_chan *chan)
+       /* Clear ring flush state */
+       timeout = 1000; /* timeout of 1s */
+-      writel_relaxed(0x0, ring + RING_CONTROL);
++      writel_relaxed(0x0, ring->regs + RING_CONTROL);
+       do {
+-              if (!(readl_relaxed(ring + RING_FLUSH_DONE) &
++              if (!(readl_relaxed(ring->regs + RING_FLUSH_DONE) &
+                     FLUSH_DONE_MASK))
+                       break;
+               mdelay(1);
+-- 
+2.19.1
+
diff --git a/queue-4.14/mm-gup-fix-gup_pmd_range-for-dax.patch b/queue-4.14/mm-gup-fix-gup_pmd_range-for-dax.patch
new file mode 100644 (file)
index 0000000..7814827
--- /dev/null
@@ -0,0 +1,48 @@
+From a5f7bbe4a8a35ccf65738311c1eea15c7dd64fe2 Mon Sep 17 00:00:00 2001
+From: Yu Zhao <yuzhao@google.com>
+Date: Tue, 12 Feb 2019 15:35:58 -0800
+Subject: mm/gup: fix gup_pmd_range() for dax
+
+[ Upstream commit 414fd080d125408cb15d04ff4907e1dd8145c8c7 ]
+
+For dax pmd, pmd_trans_huge() returns false but pmd_huge() returns true
+on x86.  So the function works as long as hugetlb is configured.
+However, dax doesn't depend on hugetlb.
+
+Link: http://lkml.kernel.org/r/20190111034033.601-1-yuzhao@google.com
+Signed-off-by: Yu Zhao <yuzhao@google.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Huang Ying <ying.huang@intel.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Keith Busch <keith.busch@intel.com>
+Cc: "Michael S . Tsirkin" <mst@redhat.com>
+Cc: John Hubbard <jhubbard@nvidia.com>
+Cc: Wei Yang <richard.weiyang@gmail.com>
+Cc: Mike Rapoport <rppt@linux.ibm.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/gup.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/mm/gup.c b/mm/gup.c
+index 4cc8a6ff0f56..7c0e5b1bbcd4 100644
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -1643,7 +1643,8 @@ static int gup_pmd_range(pud_t pud, unsigned long addr, unsigned long end,
+               if (!pmd_present(pmd))
+                       return 0;
+-              if (unlikely(pmd_trans_huge(pmd) || pmd_huge(pmd))) {
++              if (unlikely(pmd_trans_huge(pmd) || pmd_huge(pmd) ||
++                           pmd_devmap(pmd))) {
+                       /*
+                        * NUMA hinting faults need to be handled in the GUP
+                        * slowpath for accounting purposes and so that they
+-- 
+2.19.1
+
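Review bot: The widened test in gup_pmd_range() (`pmd_trans_huge(pmd) || pmd_huge(pmd) || pmd_devmap(pmd)`) has no comment saying why `pmd_devmap()` is needed, and the comment that follows it is only about NUMA hinting. The reason lives in the commit message alone: a DAX pmd is not a transparent huge page, and `pmd_huge()` catches it only when hugetlb is configured. A short comment above the condition, e.g. `/* DAX pmds are huge but not THP; pmd_huge() sees them only with hugetlb */`, would keep a later cleanup from dropping the predicate as redundant, after which a huge DAX entry would presumably be handled as a page-table pointer again. The rest of the function is outside the hunk.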
diff --git a/queue-4.14/mm-page_alloc-fix-ref-bias-in-page_frag_alloc-for-1-.patch b/queue-4.14/mm-page_alloc-fix-ref-bias-in-page_frag_alloc-for-1-.patch
new file mode 100644 (file)
index 0000000..5ffc157
--- /dev/null
@@ -0,0 +1,72 @@
+From a9b70022d02dc22155775b9ef8246a1559dc8d3c Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 13 Feb 2019 22:45:59 +0100
+Subject: mm: page_alloc: fix ref bias in page_frag_alloc() for 1-byte allocs
+
+[ Upstream commit 2c2ade81741c66082f8211f0b96cf509cc4c0218 ]
+
+The basic idea behind ->pagecnt_bias is: If we pre-allocate the maximum
+number of references that we might need to create in the fastpath later,
+the bump-allocation fastpath only has to modify the non-atomic bias value
+that tracks the number of extra references we hold instead of the atomic
+refcount. The maximum number of allocations we can serve (under the
+assumption that no allocation is made with size 0) is nc->size, so that's
+the bias used.
+
+However, even when all memory in the allocation has been given away, a
+reference to the page is still held; and in the `offset < 0` slowpath, the
+page may be reused if everyone else has dropped their references.
+This means that the necessary number of references is actually
+`nc->size+1`.
+
+Luckily, from a quick grep, it looks like the only path that can call
+page_frag_alloc(fragsz=1) is TAP with the IFF_NAPI_FRAGS flag, which
+requires CAP_NET_ADMIN in the init namespace and is only intended to be
+used for kernel testing and fuzzing.
+
+To test for this issue, put a `WARN_ON(page_ref_count(page) == 0)` in the
+`offset < 0` path, below the virt_to_page() call, and then repeatedly call
+writev() on a TAP device with IFF_TAP|IFF_NO_PI|IFF_NAPI_FRAGS|IFF_NAPI,
+with a vector consisting of 15 elements containing 1 byte each.
+
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/page_alloc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index a2f365f40433..40075c1946b3 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -4325,11 +4325,11 @@ refill:
+               /* Even if we own the page, we do not use atomic_set().
+                * This would break get_page_unless_zero() users.
+                */
+-              page_ref_add(page, size - 1);
++              page_ref_add(page, size);
+               /* reset page count bias and offset to start of new frag */
+               nc->pfmemalloc = page_is_pfmemalloc(page);
+-              nc->pagecnt_bias = size;
++              nc->pagecnt_bias = size + 1;
+               nc->offset = size;
+       }
+@@ -4345,10 +4345,10 @@ refill:
+               size = nc->size;
+ #endif
+               /* OK, page count is 0, we can safely set it */
+-              set_page_count(page, size);
++              set_page_count(page, size + 1);
+               /* reset page count bias and offset to start of new frag */
+-              nc->pagecnt_bias = size;
++              nc->pagecnt_bias = size + 1;
+               offset = size - fragsz;
+       }
+-- 
+2.19.1
+
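Review bot: The two refill paths reach the same reference count by different arithmetic and nothing in the code says so: the first does `page_ref_add(page, size)` on a page that already holds a reference (presumably one, from the fresh allocation), the second does `set_page_count(page, size + 1)` on a page whose count is zero, and both then set `nc->pagecnt_bias = size + 1`. The `+ 1` is the reference the cache keeps after every byte has been handed out, which only the commit message explains. A comment at each site, e.g. `/* size refs for fragments + 1 held by the cache itself */`, would make the invariant checkable, since a bias that is one short lets the count reach zero while the cache still points at the page. Both hunks sit inside a function whose start and end are outside the patch context.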
diff --git a/queue-4.14/net-hns-fix-object-reference-leaks-in-hns_dsaf_roce_.patch b/queue-4.14/net-hns-fix-object-reference-leaks-in-hns_dsaf_roce_.patch
new file mode 100644 (file)
index 0000000..ed8ed25
--- /dev/null
@@ -0,0 +1,40 @@
+From eb9260a89860016a155ea34b602c886270f0dc72 Mon Sep 17 00:00:00 2001
+From: Huang Zijiang <huang.zijiang@zte.com.cn>
+Date: Thu, 14 Feb 2019 14:41:45 +0800
+Subject: net: hns: Fix object reference leaks in hns_dsaf_roce_reset()
+
+[ Upstream commit c969c6e7ab8cb42b5c787c567615474fdbad9d6a ]
+
+The of_find_device_by_node() takes a reference to the underlying device
+structure, we should release that reference.
+
+Signed-off-by: Huang Zijiang <huang.zijiang@zte.com.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
+index 51d42d7f6074..7e82dfbb4340 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
+@@ -3074,6 +3074,7 @@ int hns_dsaf_roce_reset(struct fwnode_handle *dsaf_fwnode, bool dereset)
+       dsaf_dev = dev_get_drvdata(&pdev->dev);
+       if (!dsaf_dev) {
+               dev_err(&pdev->dev, "dsaf_dev is NULL\n");
++              put_device(&pdev->dev);
+               return -ENODEV;
+       }
+@@ -3081,6 +3082,7 @@ int hns_dsaf_roce_reset(struct fwnode_handle *dsaf_fwnode, bool dereset)
+       if (AE_IS_VER1(dsaf_dev->dsaf_ver)) {
+               dev_err(dsaf_dev->dev, "%s v1 chip doesn't support RoCE!\n",
+                       dsaf_dev->ae_dev.name);
++              put_device(&pdev->dev);
+               return -ENODEV;
+       }
+-- 
+2.19.1
+
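Review bot: The added `put_device(&pdev->dev)` calls cover only the two `-ENODEV` returns shown, so any other exit from hns_dsaf_roce_reset() after the device lookup still has to drop the reference itself. The function continues past the second hunk and its remaining returns are not visible here; if the normal return does not call `put_device()`, the reference is still leaked on every successful reset. A single exit label would make that hard to miss: set `ret` and `goto put_pdev;` on each path, with `put_pdev: put_device(&pdev->dev); return ret;` at the end.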
diff --git a/queue-4.14/net-marvell-mvneta-fix-dma-debug-warning.patch b/queue-4.14/net-marvell-mvneta-fix-dma-debug-warning.patch
new file mode 100644 (file)
index 0000000..75f8ac7
--- /dev/null
@@ -0,0 +1,58 @@
+From 1b6ba4915074884896518ccc210aabbfec98f130 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Fri, 15 Feb 2019 13:55:47 +0000
+Subject: net: marvell: mvneta: fix DMA debug warning
+
+[ Upstream commit a8fef9ba58c9966ddb1fec916d8d8137c9d8bc89 ]
+
+Booting 4.20 on SolidRun Clearfog issues this warning with DMA API
+debug enabled:
+
+WARNING: CPU: 0 PID: 555 at kernel/dma/debug.c:1230 check_sync+0x514/0x5bc
+mvneta f1070000.ethernet: DMA-API: device driver tries to sync DMA memory it has not allocated [device address=0x000000002dd7dc00] [size=240 bytes]
+Modules linked in: ahci mv88e6xxx dsa_core xhci_plat_hcd xhci_hcd devlink armada_thermal marvell_cesa des_generic ehci_orion phy_armada38x_comphy mcp3021 spi_orion evbug sfp mdio_i2c ip_tables x_tables
+CPU: 0 PID: 555 Comm: bridge-network- Not tainted 4.20.0+ #291
+Hardware name: Marvell Armada 380/385 (Device Tree)
+[<c0019638>] (unwind_backtrace) from [<c0014888>] (show_stack+0x10/0x14)
+[<c0014888>] (show_stack) from [<c07f54e0>] (dump_stack+0x9c/0xd4)
+[<c07f54e0>] (dump_stack) from [<c00312bc>] (__warn+0xf8/0x124)
+[<c00312bc>] (__warn) from [<c00313b0>] (warn_slowpath_fmt+0x38/0x48)
+[<c00313b0>] (warn_slowpath_fmt) from [<c00b0370>] (check_sync+0x514/0x5bc)
+[<c00b0370>] (check_sync) from [<c00b04f8>] (debug_dma_sync_single_range_for_cpu+0x6c/0x74)
+[<c00b04f8>] (debug_dma_sync_single_range_for_cpu) from [<c051bd14>] (mvneta_poll+0x298/0xf58)
+[<c051bd14>] (mvneta_poll) from [<c0656194>] (net_rx_action+0x128/0x424)
+[<c0656194>] (net_rx_action) from [<c000a230>] (__do_softirq+0xf0/0x540)
+[<c000a230>] (__do_softirq) from [<c00386e0>] (irq_exit+0x124/0x144)
+[<c00386e0>] (irq_exit) from [<c009b5e0>] (__handle_domain_irq+0x58/0xb0)
+[<c009b5e0>] (__handle_domain_irq) from [<c03a63c4>] (gic_handle_irq+0x48/0x98)
+[<c03a63c4>] (gic_handle_irq) from [<c0009a10>] (__irq_svc+0x70/0x98)
+...
+
+This appears to be caused by mvneta_rx_hwbm() calling
+dma_sync_single_range_for_cpu() with the wrong struct device pointer,
+as the buffer manager device pointer is used to map and unmap the
+buffer.  Fix this.
+
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvneta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index 074a5b79d691..f76cbefeb3c7 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -2102,7 +2102,7 @@ err_drop_frame:
+                       if (unlikely(!skb))
+                               goto err_drop_frame_ret_pool;
+-                      dma_sync_single_range_for_cpu(dev->dev.parent,
++                      dma_sync_single_range_for_cpu(&pp->bm_priv->pdev->dev,
+                                                     rx_desc->buf_phys_addr,
+                                                     MVNETA_MH_SIZE + NET_SKB_PAD,
+                                                     rx_bytes,
+-- 
+2.19.1
+
diff --git a/queue-4.14/net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch b/queue-4.14/net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch
new file mode 100644 (file)
index 0000000..bcfc39f
--- /dev/null
@@ -0,0 +1,48 @@
+From 6f884495faa0fa84c9a847ce20884d4c0a7a59c6 Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Sat, 16 Feb 2019 00:20:54 +0300
+Subject: net: mv643xx_eth: disable clk on error path in
+ mv643xx_eth_shared_probe()
+
+[ Upstream commit e928b5d6b75e239feb9c6d5488974b6646a0ebc8 ]
+
+If mv643xx_eth_shared_of_probe() fails, mv643xx_eth_shared_probe()
+leaves clk enabled.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mv643xx_eth.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c
+index 81c1fac00d33..2434409f84b2 100644
+--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
+@@ -2886,7 +2886,7 @@ static int mv643xx_eth_shared_probe(struct platform_device *pdev)
+       ret = mv643xx_eth_shared_of_probe(pdev);
+       if (ret)
+-              return ret;
++              goto err_put_clk;
+       pd = dev_get_platdata(&pdev->dev);
+       msp->tx_csum_limit = (pd != NULL && pd->tx_csum_limit) ?
+@@ -2894,6 +2894,11 @@ static int mv643xx_eth_shared_probe(struct platform_device *pdev)
+       infer_hw_params(msp);
+       return 0;
++
++err_put_clk:
++      if (!IS_ERR(msp->clk))
++              clk_disable_unprepare(msp->clk);
++      return ret;
+ }
+ static int mv643xx_eth_shared_remove(struct platform_device *pdev)
+-- 
+2.19.1
+
diff --git a/queue-4.14/net-set-static-variable-an-initial-value-in-atl2_pro.patch b/queue-4.14/net-set-static-variable-an-initial-value-in-atl2_pro.patch
new file mode 100644 (file)
index 0000000..7869540
--- /dev/null
@@ -0,0 +1,40 @@
+From 3256929044cae03fdab2bf8d5a7fa722d72cf4d6 Mon Sep 17 00:00:00 2001
+From: Mao Wenan <maowenan@huawei.com>
+Date: Fri, 22 Feb 2019 14:57:23 +0800
+Subject: net: set static variable an initial value in atl2_probe()
+
+[ Upstream commit 4593403fa516a5a4cffe6883c5062d60932cbfbe ]
+
+cards_found is a static variable, but when it enters atl2_probe(),
+cards_found is set to zero, the value is not consistent with last probe,
+so next behavior is not our expect.
+
+Signed-off-by: Mao Wenan <maowenan@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/atheros/atlx/atl2.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/atheros/atlx/atl2.c b/drivers/net/ethernet/atheros/atlx/atl2.c
+index 77a1c03255de..225b4d452e0e 100644
+--- a/drivers/net/ethernet/atheros/atlx/atl2.c
++++ b/drivers/net/ethernet/atheros/atlx/atl2.c
+@@ -1334,13 +1334,11 @@ static int atl2_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ {
+       struct net_device *netdev;
+       struct atl2_adapter *adapter;
+-      static int cards_found;
++      static int cards_found = 0;
+       unsigned long mmio_start;
+       int mmio_len;
+       int err;
+-      cards_found = 0;
+-
+       err = pci_enable_device(pdev);
+       if (err)
+               return err;
+-- 
+2.19.1
+
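Review bot: `static int cards_found = 0;` spells out an initialiser that a static already has, and kernel style (checkpatch) asks for statics not to be initialised to 0. `static int cards_found;` together with the removal of the `cards_found = 0;` assignment is the same fix. The rest of atl2_probe(), including wherever the counter is incremented, is outside the hunk.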
diff --git a/queue-4.14/net-systemport-fix-reception-of-bpdus.patch b/queue-4.14/net-systemport-fix-reception-of-bpdus.patch
new file mode 100644 (file)
index 0000000..d828ad9
--- /dev/null
@@ -0,0 +1,38 @@
+From b80de827c7b58c0032b08d842dcae41f33f1e3f7 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 15 Feb 2019 12:16:51 -0800
+Subject: net: systemport: Fix reception of BPDUs
+
+[ Upstream commit a40061ea2e39494104602b3048751341bda374a1 ]
+
+SYSTEMPORT has its RXCHK parser block that attempts to validate the
+packet structures, unfortunately setting the L2 header check bit will
+cause Bridge PDUs (BPDUs) to be incorrectly rejected because they look
+like LLC/SNAP packets with a non-IPv4 or non-IPv6 Ethernet Type.
+
+Fixes: 4e8aedfe78c7 ("net: systemport: Turn on offloads by default")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
+index ed3edb17fd09..79018fea7be2 100644
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -134,6 +134,10 @@ static int bcm_sysport_set_rx_csum(struct net_device *dev,
+       priv->rx_chk_en = !!(wanted & NETIF_F_RXCSUM);
+       reg = rxchk_readl(priv, RXCHK_CONTROL);
++      /* Clear L2 header checks, which would prevent BPDUs
++       * from being received.
++       */
++      reg &= ~RXCHK_L2_HDR_DIS;
+       if (priv->rx_chk_en)
+               reg |= RXCHK_EN;
+       else
+-- 
+2.19.1
+
diff --git a/queue-4.14/net-thunderx-make-cfg_done-message-to-run-through-ge.patch b/queue-4.14/net-thunderx-make-cfg_done-message-to-run-through-ge.patch
new file mode 100644 (file)
index 0000000..9ddcfd8
--- /dev/null
@@ -0,0 +1,78 @@
+From b9f964fbd4cb099b9b4e5b3fc5839f4f2c678b30 Mon Sep 17 00:00:00 2001
+From: Vadim Lomovtsev <vlomovtsev@marvell.com>
+Date: Wed, 20 Feb 2019 11:02:43 +0000
+Subject: net: thunderx: make CFG_DONE message to run through generic send-ack
+ sequence
+
+[ Upstream commit 0dd563b9a62c4cbabf5d4fd6596440c2491e72b1 ]
+
+At the end of NIC VF initialization VF sends CFG_DONE message to PF without
+using nicvf_msg_send_to_pf routine. This potentially could re-write data in
+mailbox. This commit is to implement common way of sending CFG_DONE message
+by the same way with other configuration messages by using
+nicvf_send_msg_to_pf() routine.
+
+Signed-off-by: Vadim Lomovtsev <vlomovtsev@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/thunder/nic_main.c   |  2 +-
+ drivers/net/ethernet/cavium/thunder/nicvf_main.c | 15 ++++++++++++---
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/nic_main.c b/drivers/net/ethernet/cavium/thunder/nic_main.c
+index d89ec4724efd..819f38a3225d 100644
+--- a/drivers/net/ethernet/cavium/thunder/nic_main.c
++++ b/drivers/net/ethernet/cavium/thunder/nic_main.c
+@@ -1030,7 +1030,7 @@ static void nic_handle_mbx_intr(struct nicpf *nic, int vf)
+       case NIC_MBOX_MSG_CFG_DONE:
+               /* Last message of VF config msg sequence */
+               nic_enable_vf(nic, vf, true);
+-              goto unlock;
++              break;
+       case NIC_MBOX_MSG_SHUTDOWN:
+               /* First msg in VF teardown sequence */
+               if (vf >= nic->num_vf_en)
+diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
+index f13256af8031..59b62b49ad48 100644
+--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c
++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
+@@ -166,6 +166,17 @@ static int nicvf_check_pf_ready(struct nicvf *nic)
+       return 1;
+ }
++static void nicvf_send_cfg_done(struct nicvf *nic)
++{
++      union nic_mbx mbx = {};
++
++      mbx.msg.msg = NIC_MBOX_MSG_CFG_DONE;
++      if (nicvf_send_msg_to_pf(nic, &mbx)) {
++              netdev_err(nic->netdev,
++                         "PF didn't respond to CFG DONE msg\n");
++      }
++}
++
+ static void nicvf_read_bgx_stats(struct nicvf *nic, struct bgx_stats_msg *bgx)
+ {
+       if (bgx->rx)
+@@ -1329,7 +1340,6 @@ int nicvf_open(struct net_device *netdev)
+       struct nicvf *nic = netdev_priv(netdev);
+       struct queue_set *qs = nic->qs;
+       struct nicvf_cq_poll *cq_poll = NULL;
+-      union nic_mbx mbx = {};
+       netif_carrier_off(netdev);
+@@ -1419,8 +1429,7 @@ int nicvf_open(struct net_device *netdev)
+               nicvf_enable_intr(nic, NICVF_INTR_RBDR, qidx);
+       /* Send VF config done msg to PF */
+-      mbx.msg.msg = NIC_MBOX_MSG_CFG_DONE;
+-      nicvf_write_to_mbx(nic, &mbx);
++      nicvf_send_cfg_done(nic);
+       return 0;
+ cleanup:
+-- 
+2.19.1
+
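Review bot: nicvf_send_cfg_done() only logs when `nicvf_send_msg_to_pf()` fails, and nicvf_open() goes on to `return 0` right after the call, so the interface is reported open although the PF has not acknowledged CFG_DONE. Since the commit moves this message onto the send-ack sequence, the helper could return the result (`static int nicvf_send_cfg_done(...)`) and nicvf_open() could take its existing `cleanup:` path on failure. Whether a VF that the PF never acknowledged should fail to open or come up anyway is a choice the patch leaves undocumented; a comment in the helper should state it. Most of nicvf_open() is outside the hunks.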
diff --git a/queue-4.14/nfp-bpf-fix-alu32-high-bits-clearance-bug.patch b/queue-4.14/nfp-bpf-fix-alu32-high-bits-clearance-bug.patch
new file mode 100644 (file)
index 0000000..26a9678
--- /dev/null
@@ -0,0 +1,96 @@
+From ca10918a278b3ee96fe2540cb0cdc7dccc0ce26e Mon Sep 17 00:00:00 2001
+From: Jiong Wang <jiong.wang@netronome.com>
+Date: Fri, 22 Feb 2019 22:36:04 +0000
+Subject: nfp: bpf: fix ALU32 high bits clearance bug
+
+[ Upstream commit f036ebd9bfbe1e91a3d855e85e05fc5ff156b641 ]
+
+NFP BPF JIT compiler is doing a couple of small optimizations when jitting
+ALU imm instructions, some of these optimizations could save code-gen, for
+example:
+
+  A & -1 =  A
+  A |  0 =  A
+  A ^  0 =  A
+
+However, for ALU32, high 32-bit of the 64-bit register should still be
+cleared according to ISA semantics.
+
+Fixes: cd7df56ed3e6 ("nfp: add BPF to NFP code translator")
+Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Jiong Wang <jiong.wang@netronome.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/netronome/nfp/bpf/jit.c | 17 ++++++-----------
+ 1 file changed, 6 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/netronome/nfp/bpf/jit.c b/drivers/net/ethernet/netronome/nfp/bpf/jit.c
+index 3105ee5bbf8e..c1ffec85817a 100644
+--- a/drivers/net/ethernet/netronome/nfp/bpf/jit.c
++++ b/drivers/net/ethernet/netronome/nfp/bpf/jit.c
+@@ -756,15 +756,10 @@ wrp_alu64_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta,
+ static int
+ wrp_alu32_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta,
+-            enum alu_op alu_op, bool skip)
++            enum alu_op alu_op)
+ {
+       const struct bpf_insn *insn = &meta->insn;
+-      if (skip) {
+-              meta->skip = true;
+-              return 0;
+-      }
+-
+       wrp_alu_imm(nfp_prog, insn->dst_reg * 2, alu_op, insn->imm);
+       wrp_immed(nfp_prog, reg_both(insn->dst_reg * 2 + 1), 0);
+@@ -1017,7 +1012,7 @@ static int xor_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+ static int xor_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+ {
+-      return wrp_alu32_imm(nfp_prog, meta, ALU_OP_XOR, !meta->insn.imm);
++      return wrp_alu32_imm(nfp_prog, meta, ALU_OP_XOR);
+ }
+ static int and_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+@@ -1027,7 +1022,7 @@ static int and_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+ static int and_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+ {
+-      return wrp_alu32_imm(nfp_prog, meta, ALU_OP_AND, !~meta->insn.imm);
++      return wrp_alu32_imm(nfp_prog, meta, ALU_OP_AND);
+ }
+ static int or_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+@@ -1037,7 +1032,7 @@ static int or_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+ static int or_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+ {
+-      return wrp_alu32_imm(nfp_prog, meta, ALU_OP_OR, !meta->insn.imm);
++      return wrp_alu32_imm(nfp_prog, meta, ALU_OP_OR);
+ }
+ static int add_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+@@ -1047,7 +1042,7 @@ static int add_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+ static int add_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+ {
+-      return wrp_alu32_imm(nfp_prog, meta, ALU_OP_ADD, !meta->insn.imm);
++      return wrp_alu32_imm(nfp_prog, meta, ALU_OP_ADD);
+ }
+ static int sub_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+@@ -1057,7 +1052,7 @@ static int sub_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+ static int sub_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+ {
+-      return wrp_alu32_imm(nfp_prog, meta, ALU_OP_SUB, !meta->insn.imm);
++      return wrp_alu32_imm(nfp_prog, meta, ALU_OP_SUB);
+ }
+ static int shl_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+-- 
+2.19.1
+
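Review bot: This patch depends on nfp-bpf-fix-code-gen-bug-on-bpf_alu-bpf_xor-bpf_k.patch from the same queue: its pre-image blob for jit.c is `3105ee5bbf8e`, which is that patch's post-image, and the XOR line it removes (`!meta->insn.imm`) is that patch's new side. The series file is not part of this view, so check that it lists the XOR fix first; in filename order the two come the other way round and this one would not apply. In the code itself, wrp_alu32_imm() would benefit from a comment such as `/* ALU32 must zero the upper 32 bits, so code is emitted even for identity immediates */`, so the removed shortcut is not reintroduced later as an optimisation.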
diff --git a/queue-4.14/nfp-bpf-fix-code-gen-bug-on-bpf_alu-bpf_xor-bpf_k.patch b/queue-4.14/nfp-bpf-fix-code-gen-bug-on-bpf_alu-bpf_xor-bpf_k.patch
new file mode 100644 (file)
index 0000000..8720a7f
--- /dev/null
@@ -0,0 +1,34 @@
+From f470584598d006775daef85155a5d0a4e333deeb Mon Sep 17 00:00:00 2001
+From: Jiong Wang <jiong.wang@netronome.com>
+Date: Fri, 22 Feb 2019 22:36:03 +0000
+Subject: nfp: bpf: fix code-gen bug on BPF_ALU | BPF_XOR | BPF_K
+
+[ Upstream commit 71c190249f0ced5b26377ea6bf829ab3af77a40c ]
+
+The intended optimization should be A ^ 0 = A, not A ^ -1 = A.
+
+Fixes: cd7df56ed3e6 ("nfp: add BPF to NFP code translator")
+Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Jiong Wang <jiong.wang@netronome.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/netronome/nfp/bpf/jit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/netronome/nfp/bpf/jit.c b/drivers/net/ethernet/netronome/nfp/bpf/jit.c
+index 239dfbe8a0a1..3105ee5bbf8e 100644
+--- a/drivers/net/ethernet/netronome/nfp/bpf/jit.c
++++ b/drivers/net/ethernet/netronome/nfp/bpf/jit.c
+@@ -1017,7 +1017,7 @@ static int xor_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+ static int xor_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+ {
+-      return wrp_alu32_imm(nfp_prog, meta, ALU_OP_XOR, !~meta->insn.imm);
++      return wrp_alu32_imm(nfp_prog, meta, ALU_OP_XOR, !meta->insn.imm);
+ }
+ static int and_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+-- 
+2.19.1
+
diff --git a/queue-4.14/nfs-don-t-use-page_file_mapping-after-removing-the-p.patch b/queue-4.14/nfs-don-t-use-page_file_mapping-after-removing-the-p.patch
new file mode 100644 (file)
index 0000000..a4d2b43
--- /dev/null
@@ -0,0 +1,67 @@
+From b6f8a3bead3e19044c4b76809c15be1ec22948ce Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Wed, 6 Feb 2019 06:09:43 -0500
+Subject: NFS: Don't use page_file_mapping after removing the page
+
+[ Upstream commit d2ceb7e57086750ea6198a31fd942d98099a0786 ]
+
+If nfs_page_async_flush() removes the page from the mapping, then we can't
+use page_file_mapping() on it as nfs_updatepate() is wont to do when
+receiving an error.  Instead, push the mapping to the stack before the page
+is possibly truncated.
+
+Fixes: 8fc75bed96bb ("NFS: Fix up return value on fatal errors in nfs_page_async_flush()")
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/write.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/fs/nfs/write.c b/fs/nfs/write.c
+index 2d956a7d5378..50ed3944d183 100644
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -236,9 +236,9 @@ out:
+ }
+ /* A writeback failed: mark the page as bad, and invalidate the page cache */
+-static void nfs_set_pageerror(struct page *page)
++static void nfs_set_pageerror(struct address_space *mapping)
+ {
+-      nfs_zap_mapping(page_file_mapping(page)->host, page_file_mapping(page));
++      nfs_zap_mapping(mapping->host, mapping);
+ }
+ /*
+@@ -994,7 +994,7 @@ static void nfs_write_completion(struct nfs_pgio_header *hdr)
+               nfs_list_remove_request(req);
+               if (test_bit(NFS_IOHDR_ERROR, &hdr->flags) &&
+                   (hdr->good_bytes < bytes)) {
+-                      nfs_set_pageerror(req->wb_page);
++                      nfs_set_pageerror(page_file_mapping(req->wb_page));
+                       nfs_context_set_write_error(req->wb_context, hdr->error);
+                       goto remove_req;
+               }
+@@ -1330,7 +1330,8 @@ int nfs_updatepage(struct file *file, struct page *page,
+               unsigned int offset, unsigned int count)
+ {
+       struct nfs_open_context *ctx = nfs_file_open_context(file);
+-      struct inode    *inode = page_file_mapping(page)->host;
++      struct address_space *mapping = page_file_mapping(page);
++      struct inode    *inode = mapping->host;
+       int             status = 0;
+       nfs_inc_stats(inode, NFSIOS_VFSUPDATEPAGE);
+@@ -1348,7 +1349,7 @@ int nfs_updatepage(struct file *file, struct page *page,
+       status = nfs_writepage_setup(ctx, page, offset, count);
+       if (status < 0)
+-              nfs_set_pageerror(page);
++              nfs_set_pageerror(mapping);
+       else
+               __set_page_dirty_nobuffers(page);
+ out:
+-- 
+2.19.1
+
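Review bot: The comment above nfs_set_pageerror() still reads "mark the page as bad, and invalidate the page cache", but the function now takes an `address_space` and only calls `nfs_zap_mapping()`; it should say something like `/* A writeback failed: invalidate the page cache of this mapping */`. In nfs_write_completion() the argument is still computed at error time as `page_file_mapping(req->wb_page)`, which is the lookup the patch moves out of the way in nfs_updatepage(). If the request's page can be detached from its mapping before completion (not visible in this hunk), that call site needs the mapping taken earlier as well, or a comment saying why the page is still attached there.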
diff --git a/queue-4.14/phonet-fix-building-with-clang.patch b/queue-4.14/phonet-fix-building-with-clang.patch
new file mode 100644 (file)
index 0000000..c64a6af
--- /dev/null
@@ -0,0 +1,184 @@
+From f22e5d04fe0545f080d8f883ddb734bffff95eed Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 19 Feb 2019 22:53:50 +0100
+Subject: phonet: fix building with clang
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 6321aa197547da397753757bd84c6ce64b3e3d89 ]
+
+clang warns about overflowing the data[] member in the struct pnpipehdr:
+
+net/phonet/pep.c:295:8: warning: array index 4 is past the end of the array (which contains 1 element) [-Warray-bounds]
+                        if (hdr->data[4] == PEP_IND_READY)
+                            ^         ~
+include/net/phonet/pep.h:66:3: note: array 'data' declared here
+                u8              data[1];
+
+Using a flexible array member at the end of the struct avoids the
+warning, but since we cannot have a flexible array member inside
+of the union, each index now has to be moved back by one, which
+makes it a little uglier.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Rémi Denis-Courmont <remi@remlab.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/phonet/pep.h |  5 +++--
+ net/phonet/pep.c         | 32 ++++++++++++++++----------------
+ 2 files changed, 19 insertions(+), 18 deletions(-)
+
+diff --git a/include/net/phonet/pep.h b/include/net/phonet/pep.h
+index b669fe6dbc3b..98f31c7ea23d 100644
+--- a/include/net/phonet/pep.h
++++ b/include/net/phonet/pep.h
+@@ -63,10 +63,11 @@ struct pnpipehdr {
+               u8              state_after_reset;      /* reset request */
+               u8              error_code;             /* any response */
+               u8              pep_type;               /* status indication */
+-              u8              data[1];
++              u8              data0;                  /* anything else */
+       };
++      u8                      data[];
+ };
+-#define other_pep_type                data[1]
++#define other_pep_type                data[0]
+ static inline struct pnpipehdr *pnp_hdr(struct sk_buff *skb)
+ {
+diff --git a/net/phonet/pep.c b/net/phonet/pep.c
+index e81537991ddf..bffcef58ebf5 100644
+--- a/net/phonet/pep.c
++++ b/net/phonet/pep.c
+@@ -132,7 +132,7 @@ static int pep_indicate(struct sock *sk, u8 id, u8 code,
+       ph->utid = 0;
+       ph->message_id = id;
+       ph->pipe_handle = pn->pipe_handle;
+-      ph->data[0] = code;
++      ph->error_code = code;
+       return pn_skb_send(sk, skb, NULL);
+ }
+@@ -153,7 +153,7 @@ static int pipe_handler_request(struct sock *sk, u8 id, u8 code,
+       ph->utid = id; /* whatever */
+       ph->message_id = id;
+       ph->pipe_handle = pn->pipe_handle;
+-      ph->data[0] = code;
++      ph->error_code = code;
+       return pn_skb_send(sk, skb, NULL);
+ }
+@@ -208,7 +208,7 @@ static int pep_ctrlreq_error(struct sock *sk, struct sk_buff *oskb, u8 code,
+       struct pnpipehdr *ph;
+       struct sockaddr_pn dst;
+       u8 data[4] = {
+-              oph->data[0], /* PEP type */
++              oph->pep_type, /* PEP type */
+               code, /* error code, at an unusual offset */
+               PAD, PAD,
+       };
+@@ -221,7 +221,7 @@ static int pep_ctrlreq_error(struct sock *sk, struct sk_buff *oskb, u8 code,
+       ph->utid = oph->utid;
+       ph->message_id = PNS_PEP_CTRL_RESP;
+       ph->pipe_handle = oph->pipe_handle;
+-      ph->data[0] = oph->data[1]; /* CTRL id */
++      ph->data0 = oph->data[0]; /* CTRL id */
+       pn_skb_get_src_sockaddr(oskb, &dst);
+       return pn_skb_send(sk, skb, &dst);
+@@ -272,17 +272,17 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb)
+               return -EINVAL;
+       hdr = pnp_hdr(skb);
+-      if (hdr->data[0] != PN_PEP_TYPE_COMMON) {
++      if (hdr->pep_type != PN_PEP_TYPE_COMMON) {
+               net_dbg_ratelimited("Phonet unknown PEP type: %u\n",
+-                                  (unsigned int)hdr->data[0]);
++                                  (unsigned int)hdr->pep_type);
+               return -EOPNOTSUPP;
+       }
+-      switch (hdr->data[1]) {
++      switch (hdr->data[0]) {
+       case PN_PEP_IND_FLOW_CONTROL:
+               switch (pn->tx_fc) {
+               case PN_LEGACY_FLOW_CONTROL:
+-                      switch (hdr->data[4]) {
++                      switch (hdr->data[3]) {
+                       case PEP_IND_BUSY:
+                               atomic_set(&pn->tx_credits, 0);
+                               break;
+@@ -292,7 +292,7 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb)
+                       }
+                       break;
+               case PN_ONE_CREDIT_FLOW_CONTROL:
+-                      if (hdr->data[4] == PEP_IND_READY)
++                      if (hdr->data[3] == PEP_IND_READY)
+                               atomic_set(&pn->tx_credits, wake = 1);
+                       break;
+               }
+@@ -301,12 +301,12 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb)
+       case PN_PEP_IND_ID_MCFC_GRANT_CREDITS:
+               if (pn->tx_fc != PN_MULTI_CREDIT_FLOW_CONTROL)
+                       break;
+-              atomic_add(wake = hdr->data[4], &pn->tx_credits);
++              atomic_add(wake = hdr->data[3], &pn->tx_credits);
+               break;
+       default:
+               net_dbg_ratelimited("Phonet unknown PEP indication: %u\n",
+-                                  (unsigned int)hdr->data[1]);
++                                  (unsigned int)hdr->data[0]);
+               return -EOPNOTSUPP;
+       }
+       if (wake)
+@@ -318,7 +318,7 @@ static int pipe_rcv_created(struct sock *sk, struct sk_buff *skb)
+ {
+       struct pep_sock *pn = pep_sk(sk);
+       struct pnpipehdr *hdr = pnp_hdr(skb);
+-      u8 n_sb = hdr->data[0];
++      u8 n_sb = hdr->data0;
+       pn->rx_fc = pn->tx_fc = PN_LEGACY_FLOW_CONTROL;
+       __skb_pull(skb, sizeof(*hdr));
+@@ -506,7 +506,7 @@ static int pep_connresp_rcv(struct sock *sk, struct sk_buff *skb)
+               return -ECONNREFUSED;
+       /* Parse sub-blocks */
+-      n_sb = hdr->data[4];
++      n_sb = hdr->data[3];
+       while (n_sb > 0) {
+               u8 type, buf[6], len = sizeof(buf);
+               const u8 *data = pep_get_sb(skb, &type, &len, buf);
+@@ -739,7 +739,7 @@ static int pipe_do_remove(struct sock *sk)
+       ph->utid = 0;
+       ph->message_id = PNS_PIPE_REMOVE_REQ;
+       ph->pipe_handle = pn->pipe_handle;
+-      ph->data[0] = PAD;
++      ph->data0 = PAD;
+       return pn_skb_send(sk, skb, NULL);
+ }
+@@ -817,7 +817,7 @@ static struct sock *pep_sock_accept(struct sock *sk, int flags, int *errp,
+       peer_type = hdr->other_pep_type << 8;
+       /* Parse sub-blocks (options) */
+-      n_sb = hdr->data[4];
++      n_sb = hdr->data[3];
+       while (n_sb > 0) {
+               u8 type, buf[1], len = sizeof(buf);
+               const u8 *data = pep_get_sb(skb, &type, &len, buf);
+@@ -1109,7 +1109,7 @@ static int pipe_skb_send(struct sock *sk, struct sk_buff *skb)
+       ph->utid = 0;
+       if (pn->aligned) {
+               ph->message_id = PNS_PIPE_ALIGNED_DATA;
+-              ph->data[0] = 0; /* padding */
++              ph->data0 = 0; /* padding */
+       } else
+               ph->message_id = PNS_PIPE_DATA;
+       ph->pipe_handle = pn->pipe_handle;
+-- 
+2.19.1
+
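Review bot: The reads of `hdr->data[3]` in pipe_rcv_status, pep_connresp_rcv and pep_sock_accept index a received packet with a bare number, and the same index means a flow-control value in one function and the sub-block count in the other two. With `data[]` now a flexible array member the compiler has no declared bound left to warn against, so the only protection is the skb length check, which lies outside these hunks in all three functions. A comment at each read would state that dependency, for example `/* data[3]: caller must have pulled sizeof(*hdr) + 4 bytes */`. The `other_pep_type` macro and `hdr->data[0]` now name the same byte, so the `switch (hdr->data[0])` in pipe_rcv_status deserves a word on which meaning applies there.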
diff --git a/queue-4.14/pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch b/queue-4.14/pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch
new file mode 100644 (file)
index 0000000..0e48488
--- /dev/null
@@ -0,0 +1,36 @@
+From 2b5486881ce65d71f4a4605aa21edc4f9cf8b6ea Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Sat, 9 Feb 2019 02:01:01 +0100
+Subject: pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins
+
+[ Upstream commit c17abcfa93bf0be5e48bb011607d237ac2bfc839 ]
+
+Fix the mismatch between the "sdxc_d13_1_a" pin group definition from
+meson8b_cbus_groups and the entry in sdxc_a_groups ("sdxc_d0_13_1_a").
+This makes it possible to use "sdxc_d13_1_a" in device-tree files to
+route the MMC data 1..3 pins to GPIOX_1..3.
+
+Fixes: 0fefcb6876d0d6 ("pinctrl: Add support for Meson8b")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/meson/pinctrl-meson8b.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/meson/pinctrl-meson8b.c b/drivers/pinctrl/meson/pinctrl-meson8b.c
+index a6fff215e60f..aafd39eba64f 100644
+--- a/drivers/pinctrl/meson/pinctrl-meson8b.c
++++ b/drivers/pinctrl/meson/pinctrl-meson8b.c
+@@ -668,7 +668,7 @@ static const char * const sd_a_groups[] = {
+ static const char * const sdxc_a_groups[] = {
+       "sdxc_d0_0_a", "sdxc_d13_0_a", "sdxc_d47_a", "sdxc_clk_a",
+-      "sdxc_cmd_a", "sdxc_d0_1_a", "sdxc_d0_13_1_a"
++      "sdxc_cmd_a", "sdxc_d0_1_a", "sdxc_d13_1_a"
+ };
+ static const char * const pcm_a_groups[] = {
+-- 
+2.19.1
+
diff --git a/queue-4.14/qed-fix-iwarp-syn-packet-mac-address-validation.patch b/queue-4.14/qed-fix-iwarp-syn-packet-mac-address-validation.patch
new file mode 100644 (file)
index 0000000..7514ad5
--- /dev/null
@@ -0,0 +1,42 @@
+From 82ccecbbb3c37571b1e4f0a222879c3ad31fded8 Mon Sep 17 00:00:00 2001
+From: Michal Kalderon <michal.kalderon@marvell.com>
+Date: Mon, 18 Feb 2019 15:24:03 +0200
+Subject: qed: Fix iWARP syn packet mac address validation.
+
+[ Upstream commit 8be3dadf04050c2907760ec1955ca1c8fbc25585 ]
+
+The ll2 forwards all syn packets to the driver without validating the mac
+address. Add validation check in the driver's iWARP listener flow and drop
+the packet if it isn't intended for the device.
+
+Signed-off-by: Ariel Elior <ariel.elior@marvell.com>
+Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_iwarp.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
+index eb666877d1aa..bb09f5a9846f 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_iwarp.c
+@@ -1651,6 +1651,15 @@ qed_iwarp_parse_rx_pkt(struct qed_hwfn *p_hwfn,
+       eth_hlen = ETH_HLEN + (vlan_valid ? sizeof(u32) : 0);
++      if (!ether_addr_equal(ethh->h_dest,
++                            p_hwfn->p_rdma_info->iwarp.mac_addr)) {
++              DP_VERBOSE(p_hwfn,
++                         QED_MSG_RDMA,
++                         "Got unexpected mac %pM instead of %pM\n",
++                         ethh->h_dest, p_hwfn->p_rdma_info->iwarp.mac_addr);
++              return -EINVAL;
++      }
++
+       ether_addr_copy(remote_mac_addr, ethh->h_source);
+       ether_addr_copy(local_mac_addr, ethh->h_dest);
+-- 
+2.19.1
+
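Review bot: The new destination-MAC check in qed_iwarp_parse_rx_pkt has no comment saying why the driver must filter here; the reason (ll2 hands every SYN to the driver unvalidated) is given only in the commit message. A line such as `/* ll2 forwards all SYNs without MAC validation; drop frames not addressed to this device */` above the `if` would keep the check from being removed later as redundant. The mismatch path logs two addresses per rejected frame through DP_VERBOSE, which is presumably gated by the driver's debug mask; that is worth confirming, because the log line is triggered by received traffic. The function starts and ends outside the hunk.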
diff --git a/queue-4.14/qmi_wwan-apply-set_dtr-quirk-to-sierra-wp7607.patch b/queue-4.14/qmi_wwan-apply-set_dtr-quirk-to-sierra-wp7607.patch
new file mode 100644 (file)
index 0000000..f31a092
--- /dev/null
@@ -0,0 +1,40 @@
+From abde99af60f616bd20e463e1bafcd4c0eab03d26 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Fri, 15 Feb 2019 13:20:42 +0100
+Subject: qmi_wwan: apply SET_DTR quirk to Sierra WP7607
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 97dc47a1308a3af46a09b1546cfb869f2e382a81 ]
+
+The 1199:68C0 USB ID is reused by Sierra WP7607 which requires the DTR
+quirk to be detected. Apply QMI_QUIRK_SET_DTR unconditionally as
+already done for other IDs shared between different devices.
+
+Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/qmi_wwan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index 25204d2c9e89..65e47cc52d14 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1193,8 +1193,8 @@ static const struct usb_device_id products[] = {
+       {QMI_FIXED_INTF(0x114f, 0x68a2, 8)},    /* Sierra Wireless MC7750 */
+       {QMI_FIXED_INTF(0x1199, 0x68a2, 8)},    /* Sierra Wireless MC7710 in QMI mode */
+       {QMI_FIXED_INTF(0x1199, 0x68a2, 19)},   /* Sierra Wireless MC7710 in QMI mode */
+-      {QMI_FIXED_INTF(0x1199, 0x68c0, 8)},    /* Sierra Wireless MC7304/MC7354 */
+-      {QMI_FIXED_INTF(0x1199, 0x68c0, 10)},   /* Sierra Wireless MC7304/MC7354 */
++      {QMI_QUIRK_SET_DTR(0x1199, 0x68c0, 8)}, /* Sierra Wireless MC7304/MC7354, WP76xx */
++      {QMI_QUIRK_SET_DTR(0x1199, 0x68c0, 10)},/* Sierra Wireless MC7304/MC7354 */
+       {QMI_FIXED_INTF(0x1199, 0x901c, 8)},    /* Sierra Wireless EM7700 */
+       {QMI_FIXED_INTF(0x1199, 0x901f, 8)},    /* Sierra Wireless EM7355 */
+       {QMI_FIXED_INTF(0x1199, 0x9041, 8)},    /* Sierra Wireless MC7305/MC7355 */
+-- 
+2.19.1
+
diff --git a/queue-4.14/revert-mm-use-early_pfn_to_nid-in-page_ext_init.patch b/queue-4.14/revert-mm-use-early_pfn_to_nid-in-page_ext_init.patch
new file mode 100644 (file)
index 0000000..055de77
--- /dev/null
@@ -0,0 +1,115 @@
+From bc0c88889784544219b105d48b313218514965d9 Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Tue, 12 Feb 2019 15:36:03 -0800
+Subject: Revert "mm: use early_pfn_to_nid in page_ext_init"
+
+[ Upstream commit 2f1ee0913ce58efe7f18fbd518bd54c598559b89 ]
+
+This reverts commit fe53ca54270a ("mm: use early_pfn_to_nid in
+page_ext_init").
+
+When booting a system with "page_owner=on",
+
+start_kernel
+  page_ext_init
+    invoke_init_callbacks
+      init_section_page_ext
+        init_page_owner
+          init_early_allocated_pages
+            init_zones_in_node
+              init_pages_in_zone
+                lookup_page_ext
+                  page_to_nid
+
+The issue here is that page_to_nid() will not work since some page flags
+have no node information until later in page_alloc_init_late() due to
+DEFERRED_STRUCT_PAGE_INIT.  Hence, it could trigger an out-of-bounds
+access with an invalid nid.
+
+  UBSAN: Undefined behaviour in ./include/linux/mm.h:1104:50
+  index 7 is out of range for type 'zone [5]'
+
+Also, kernel will panic since flags were poisoned earlier with,
+
+CONFIG_DEBUG_VM_PGFLAGS=y
+CONFIG_NODE_NOT_IN_PAGE_FLAGS=n
+
+start_kernel
+  setup_arch
+    pagetable_init
+      paging_init
+        sparse_init
+          sparse_init_nid
+            memblock_alloc_try_nid_raw
+
+It did not handle it well in init_pages_in_zone() which ends up calling
+page_to_nid().
+
+  page:ffffea0004200000 is uninitialized and poisoned
+  raw: ffffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffff
+  raw: ffffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffff
+  page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
+  page_owner info is not active (free page?)
+  kernel BUG at include/linux/mm.h:990!
+  RIP: 0010:init_page_owner+0x486/0x520
+
+This means that assumptions behind commit fe53ca54270a ("mm: use
+early_pfn_to_nid in page_ext_init") are incomplete.  Therefore, revert
+the commit for now.  A proper way to move the page_owner initialization
+to sooner is to hook into memmap initialization.
+
+Link: http://lkml.kernel.org/r/20190115202812.75820-1-cai@lca.pw
+Signed-off-by: Qian Cai <cai@lca.pw>
+Acked-by: Michal Hocko <mhocko@kernel.org>
+Cc: Pasha Tatashin <Pavel.Tatashin@microsoft.com>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Yang Shi <yang.shi@linaro.org>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ init/main.c   | 3 ++-
+ mm/page_ext.c | 4 +---
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/init/main.c b/init/main.c
+index c4a45145e102..3d3d79c5a232 100644
+--- a/init/main.c
++++ b/init/main.c
+@@ -663,7 +663,6 @@ asmlinkage __visible void __init start_kernel(void)
+               initrd_start = 0;
+       }
+ #endif
+-      page_ext_init();
+       kmemleak_init();
+       debug_objects_mem_init();
+       setup_per_cpu_pageset();
+@@ -1069,6 +1068,8 @@ static noinline void __init kernel_init_freeable(void)
+       sched_init_smp();
+       page_alloc_init_late();
++      /* Initialize page ext after all struct pages are initialized. */
++      page_ext_init();
+       do_basic_setup();
+diff --git a/mm/page_ext.c b/mm/page_ext.c
+index 2c16216c29b6..2c44f5b78435 100644
+--- a/mm/page_ext.c
++++ b/mm/page_ext.c
+@@ -396,10 +396,8 @@ void __init page_ext_init(void)
+                        * We know some arch can have a nodes layout such as
+                        * -------------pfn-------------->
+                        * N0 | N1 | N2 | N0 | N1 | N2|....
+-                       *
+-                       * Take into account DEFERRED_STRUCT_PAGE_INIT.
+                        */
+-                      if (early_pfn_to_nid(pfn) != nid)
++                      if (pfn_to_nid(pfn) != nid)
+                               continue;
+                       if (init_section_page_ext(pfn, nid))
+                               goto oom;
+-- 
+2.19.1
+
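Review bot: Switching back to `pfn_to_nid(pfn)` makes page_ext_init() depend on running after page_alloc_init_late(), but only the init/main.c side documents that ordering. In mm/page_ext.c the comment above the check loses its DEFERRED_STRUCT_PAGE_INIT line and gains nothing in its place. I would add `* pfn_to_nid() needs initialised struct pages; call only after page_alloc_init_late().` to that comment block, so that a later attempt to move the call earlier meets the constraint at the point where it would produce the out-of-bounds nid described in the commit message. Both functions continue outside the hunks.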
diff --git a/queue-4.14/s390-dasd-fix-using-offset-into-zero-size-array-erro.patch b/queue-4.14/s390-dasd-fix-using-offset-into-zero-size-array-erro.patch
new file mode 100644 (file)
index 0000000..926844a
--- /dev/null
@@ -0,0 +1,96 @@
+From 69e36c94a6d9d92371695b0aa3f1097e42122eb5 Mon Sep 17 00:00:00 2001
+From: Stefan Haberland <sth@linux.ibm.com>
+Date: Wed, 21 Nov 2018 12:39:47 +0100
+Subject: s390/dasd: fix using offset into zero size array error
+
+[ Upstream commit 4a8ef6999bce998fa5813023a9a6b56eea329dba ]
+
+Dan Carpenter reported the following:
+
+The patch 52898025cf7d: "[S390] dasd: security and PSF update patch
+for EMC CKD ioctl" from Mar 8, 2010, leads to the following static
+checker warning:
+
+       drivers/s390/block/dasd_eckd.c:4486 dasd_symm_io()
+       error: using offset into zero size array 'psf_data[]'
+
+drivers/s390/block/dasd_eckd.c
+  4458          /* Copy parms from caller */
+  4459          rc = -EFAULT;
+  4460          if (copy_from_user(&usrparm, argp, sizeof(usrparm)))
+                                    ^^^^^^^
+The user can specify any "usrparm.psf_data_len".  They choose zero by
+mistake.
+
+  4461                  goto out;
+  4462          if (is_compat_task()) {
+  4463                  /* Make sure pointers are sane even on 31 bit. */
+  4464                  rc = -EINVAL;
+  4465                  if ((usrparm.psf_data >> 32) != 0)
+  4466                          goto out;
+  4467                  if ((usrparm.rssd_result >> 32) != 0)
+  4468                          goto out;
+  4469                  usrparm.psf_data &= 0x7fffffffULL;
+  4470                  usrparm.rssd_result &= 0x7fffffffULL;
+  4471          }
+  4472          /* alloc I/O data area */
+  4473          psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL
+                                                        | GFP_DMA);
+  4474          rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL
+                                                              | GFP_DMA);
+  4475          if (!psf_data || !rssd_result) {
+
+kzalloc() returns a ZERO_SIZE_PTR (0x16).
+
+  4476                  rc = -ENOMEM;
+  4477                  goto out_free;
+  4478          }
+  4479
+  4480          /* get syscall header from user space */
+  4481          rc = -EFAULT;
+  4482          if (copy_from_user(psf_data,
+  4483                             (void __user *)(unsigned long)
+                                                        usrparm.psf_data,
+  4484                             usrparm.psf_data_len))
+
+That all works great.
+
+  4485                  goto out_free;
+  4486          psf0 = psf_data[0];
+  4487          psf1 = psf_data[1];
+
+But now we're assuming that "->psf_data_len" was at least 2 bytes.
+
+Fix this by checking the user specified length psf_data_len.
+
+Fixes: 52898025cf7d ("[S390] dasd: security and PSF update patch for EMC CKD ioctl")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/block/dasd_eckd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
+index 4c7c8455da96..0a1e7f9b5239 100644
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -4463,6 +4463,14 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp)
+               usrparm.psf_data &= 0x7fffffffULL;
+               usrparm.rssd_result &= 0x7fffffffULL;
+       }
++      /* at least 2 bytes are accessed and should be allocated */
++      if (usrparm.psf_data_len < 2) {
++              DBF_DEV_EVENT(DBF_WARNING, device,
++                            "Symmetrix ioctl invalid data length %d",
++                            usrparm.psf_data_len);
++              rc = -EINVAL;
++              goto out;
++      }
+       /* alloc I/O data area */
+       psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL | GFP_DMA);
+       rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL | GFP_DMA);
+-- 
+2.19.1
+
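Review bot: Only `usrparm.psf_data_len` gets a lower bound here, while `usrparm.rssd_result_len` comes from the same copy_from_user() and reaches `kzalloc()` just below the new check unvalidated. A zero there yields the same ZERO_SIZE_PTR that the commit message describes for psf_data, and the hunk does not show how rssd_result is used afterwards. If a zero-length result buffer is never meaningful, the guard could cover both fields, e.g. `if (usrparm.psf_data_len < 2 || usrparm.rssd_result_len == 0) {`. The `%d` in the new DBF_DEV_EVENT call should also be checked against the field's declared type, which is outside the hunk along with the rest of dasd_symm_io.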
diff --git a/queue-4.14/scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch b/queue-4.14/scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch
new file mode 100644 (file)
index 0000000..6a86d07
--- /dev/null
@@ -0,0 +1,110 @@
+From f3644931461458011b6fda656b02ed073f900d92 Mon Sep 17 00:00:00 2001
+From: Anoob Soman <anoob.soman@citrix.com>
+Date: Wed, 13 Feb 2019 13:21:39 +0800
+Subject: scsi: libiscsi: Fix race between iscsi_xmit_task and
+ iscsi_complete_task
+
+[ Upstream commit 79edd00dc6a96644d76b4a1cb97d94d49e026768 ]
+
+When a target sends Check Condition, whilst initiator is busy xmiting
+re-queued data, could lead to race between iscsi_complete_task() and
+iscsi_xmit_task() and eventually crashing with the following kernel
+backtrace.
+
+[3326150.987523] ALERT: BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
+[3326150.987549] ALERT: IP: [<ffffffffa05ce70d>] iscsi_xmit_task+0x2d/0xc0 [libiscsi]
+[3326150.987571] WARN: PGD 569c8067 PUD 569c9067 PMD 0
+[3326150.987582] WARN: Oops: 0002 [#1] SMP
+[3326150.987593] WARN: Modules linked in: tun nfsv3 nfs fscache dm_round_robin
+[3326150.987762] WARN: CPU: 2 PID: 8399 Comm: kworker/u32:1 Tainted: G O 4.4.0+2 #1
+[3326150.987774] WARN: Hardware name: Dell Inc. PowerEdge R720/0W7JN5, BIOS 2.5.4 01/22/2016
+[3326150.987790] WARN: Workqueue: iscsi_q_13 iscsi_xmitworker [libiscsi]
+[3326150.987799] WARN: task: ffff8801d50f3800 ti: ffff8801f5458000 task.ti: ffff8801f5458000
+[3326150.987810] WARN: RIP: e030:[<ffffffffa05ce70d>] [<ffffffffa05ce70d>] iscsi_xmit_task+0x2d/0xc0 [libiscsi]
+[3326150.987825] WARN: RSP: e02b:ffff8801f545bdb0 EFLAGS: 00010246
+[3326150.987831] WARN: RAX: 00000000ffffffc3 RBX: ffff880282d2ab20 RCX: ffff88026b6ac480
+[3326150.987842] WARN: RDX: 0000000000000000 RSI: 00000000fffffe01 RDI: ffff880282d2ab20
+[3326150.987852] WARN: RBP: ffff8801f545bdc8 R08: 0000000000000000 R09: 0000000000000008
+[3326150.987862] WARN: R10: 0000000000000000 R11: 000000000000fe88 R12: 0000000000000000
+[3326150.987872] WARN: R13: ffff880282d2abe8 R14: ffff880282d2abd8 R15: ffff880282d2ac08
+[3326150.987890] WARN: FS: 00007f5a866b4840(0000) GS:ffff88028a640000(0000) knlGS:0000000000000000
+[3326150.987900] WARN: CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033
+[3326150.987907] WARN: CR2: 0000000000000078 CR3: 0000000070244000 CR4: 0000000000042660
+[3326150.987918] WARN: Stack:
+[3326150.987924] WARN: ffff880282d2ad58 ffff880282d2ab20 ffff880282d2abe8 ffff8801f545be18
+[3326150.987938] WARN: ffffffffa05cea90 ffff880282d2abf8 ffff88026b59cc80 ffff88026b59cc00
+[3326150.987951] WARN: ffff88022acf32c0 ffff880289491800 ffff880255a80800 0000000000000400
+[3326150.987964] WARN: Call Trace:
+[3326150.987975] WARN: [<ffffffffa05cea90>] iscsi_xmitworker+0x2f0/0x360 [libiscsi]
+[3326150.987988] WARN: [<ffffffff8108862c>] process_one_work+0x1fc/0x3b0
+[3326150.987997] WARN: [<ffffffff81088f95>] worker_thread+0x2a5/0x470
+[3326150.988006] WARN: [<ffffffff8159cad8>] ? __schedule+0x648/0x870
+[3326150.988015] WARN: [<ffffffff81088cf0>] ? rescuer_thread+0x300/0x300
+[3326150.988023] WARN: [<ffffffff8108ddf5>] kthread+0xd5/0xe0
+[3326150.988031] WARN: [<ffffffff8108dd20>] ? kthread_stop+0x110/0x110
+[3326150.988040] WARN: [<ffffffff815a0bcf>] ret_from_fork+0x3f/0x70
+[3326150.988048] WARN: [<ffffffff8108dd20>] ? kthread_stop+0x110/0x110
+[3326150.988127] ALERT: RIP [<ffffffffa05ce70d>] iscsi_xmit_task+0x2d/0xc0 [libiscsi]
+[3326150.988138] WARN: RSP <ffff8801f545bdb0>
+[3326150.988144] WARN: CR2: 0000000000000078
+[3326151.020366] WARN: ---[ end trace 1c60974d4678d81b ]---
+
+Commit 6f8830f5bbab ("scsi: libiscsi: add lock around task lists to fix
+list corruption regression") introduced "taskqueuelock" to fix list
+corruption during the race, but this wasn't enough.
+
+Re-setting of conn->task to NULL, could race with iscsi_xmit_task().
+iscsi_complete_task()
+{
+    ....
+    if (conn->task == task)
+        conn->task = NULL;
+}
+
+conn->task in iscsi_xmit_task() could be NULL and so will be task.
+__iscsi_get_task(task) will crash (NullPtr de-ref), trying to access
+refcount.
+
+iscsi_xmit_task()
+{
+    struct iscsi_task *task = conn->task;
+
+    __iscsi_get_task(task);
+}
+
+This commit will take extra conn->session->back_lock in iscsi_xmit_task()
+to ensure iscsi_xmit_task() waits for iscsi_complete_task(), if
+iscsi_complete_task() wins the race.  If iscsi_xmit_task() wins the race,
+iscsi_xmit_task() increments task->refcount
+(__iscsi_get_task) ensuring iscsi_complete_task() will not iscsi_free_task().
+
+Signed-off-by: Anoob Soman <anoob.soman@citrix.com>
+Signed-off-by: Bob Liu <bob.liu@oracle.com>
+Acked-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libiscsi.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
+index 3ff536b350a1..5ea5d42bac76 100644
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -1449,7 +1449,13 @@ static int iscsi_xmit_task(struct iscsi_conn *conn)
+       if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx))
+               return -ENODATA;
++      spin_lock_bh(&conn->session->back_lock);
++      if (conn->task == NULL) {
++              spin_unlock_bh(&conn->session->back_lock);
++              return -ENODATA;
++      }
+       __iscsi_get_task(task);
++      spin_unlock_bh(&conn->session->back_lock);
+       spin_unlock_bh(&conn->session->frwd_lock);
+       rc = conn->session->tt->xmit_task(task);
+       spin_lock_bh(&conn->session->frwd_lock);
+-- 
+2.19.1
+
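Review bot: The added NULL test reads `conn->task` under back_lock, but `__iscsi_get_task(task)` still uses the local `task`, which per the commit message was loaded from `conn->task` at function entry, before back_lock was taken. The two agree only if conn->task cannot be replaced by a different task while frwd_lock is held, an invariant that is not visible in this hunk. Re-reading under the lock removes that dependence: `task = conn->task;` followed by `if (!task) {` in place of `if (conn->task == NULL) {`. A short comment that back_lock nests inside frwd_lock at this point would document the lock order. The declaration of `task` and the rest of iscsi_xmit_task are outside the hunk.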
index 51d3f9d851dcc2a6f615601c03766daa0f346f72..45b54a751bf6b9f147c27ed0091e4023c48119ab 100644 (file)
@@ -8,3 +8,61 @@ crypto-ahash-fix-another-early-termination-in-hash-walk.patch
 crypto-rockchip-fix-scatterlist-nents-error.patch
 crypto-rockchip-update-new-iv-to-device-in-multiple-operations.patch
 media-videobuf2-v4l2-drop-warn_on-in-vb2_warn_zero_bytesused.patch
+drm-imx-ignore-plane-updates-on-disabled-crtcs.patch
+gpu-ipu-v3-fix-i.mx51-csi-control-registers-offset.patch
+drm-imx-imx-ldb-add-missing-of_node_puts.patch
+gpu-ipu-v3-fix-csi-offsets-for-imx53.patch
+s390-dasd-fix-using-offset-into-zero-size-array-erro.patch
+input-pwm-vibra-prevent-unbalanced-regulator.patch
+input-pwm-vibra-stop-regulator-after-disabling-pwm-n.patch
+arm-omap2-variable-reg-in-function-omap4_dsi_mux_pad.patch
+asoc-dapm-fix-out-of-bounds-accesses-to-dapm-lookup-.patch
+asoc-rsnd-fixup-rsnd_ssi_master_clk_start-user-count.patch
+kvm-arm-arm64-reset-the-vcpu-without-preemption-and-.patch
+arm-omap2-fix-lack-of-timer-interrupts-on-cpu1-after.patch
+input-cap11xx-switch-to-using-set_brightness_blockin.patch
+input-ps2-gpio-flush-tx-work-when-closing-port.patch
+input-matrix_keypad-use-flush_delayed_work.patch
+mac80211-fix-tx-aggregation-session-tear-down-with-i.patch
+ipvs-fix-dependency-on-nf_defrag_ipv6.patch
+floppy-check_events-callback-should-not-return-a-neg.patch
+nfs-don-t-use-page_file_mapping-after-removing-the-p.patch
+mm-gup-fix-gup_pmd_range-for-dax.patch
+revert-mm-use-early_pfn_to_nid-in-page_ext_init.patch
+mm-page_alloc-fix-ref-bias-in-page_frag_alloc-for-1-.patch
+net-hns-fix-object-reference-leaks-in-hns_dsaf_roce_.patch
+i2c-cadence-fix-the-hold-bit-setting.patch
+i2c-bcm2835-clear-current-buffer-pointers-and-counts.patch
+auxdisplay-ht16k33-fix-potential-user-after-free-on-.patch
+input-st-keyscan-fix-potential-zalloc-null-dereferen.patch
+clk-sunxi-ng-v3s-fix-tcon-reset-de-assert-bit.patch
+clk-sunxi-a31-fix-wrong-ahb-gate-number.patch
+esp-skip-tx-bytes-accounting-when-sending-from-a-req.patch
+arm-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch
+af_key-unconditionally-clone-on-broadcast.patch
+assoc_array-fix-shortcut-creation.patch
+keys-fix-dependency-loop-between-construction-record.patch
+scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch
+net-systemport-fix-reception-of-bpdus.patch
+pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch
+qmi_wwan-apply-set_dtr-quirk-to-sierra-wp7607.patch
+net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch
+mailbox-bcm-flexrm-mailbox-fix-flexrm-ring-flush-tim.patch
+asoc-topology-free-created-components-in-tplg-load-e.patch
+qed-fix-iwarp-syn-packet-mac-address-validation.patch
+arm64-relax-gic-version-check-during-early-boot.patch
+net-marvell-mvneta-fix-dma-debug-warning.patch
+kasan-slub-move-kasan_poison_slab-hook-before-page_a.patch
+tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch
+kasan-slab-fix-conflicts-with-config_hardened_userco.patch
+ixgbe-fix-older-devices-that-do-not-support-ixgbe_mr.patch
+arcv2-lib-memcpy-fix-doing-prefetchw-outside-of-buff.patch
+arc-uacces-remove-lp_start-lp_end-from-clobber-list.patch
+arcv2-support-manual-regfile-save-on-interrupts.patch
+phonet-fix-building-with-clang.patch
+mac80211_hwsim-propagate-genlmsg_reply-return-code.patch
+net-thunderx-make-cfg_done-message-to-run-through-ge.patch
+nfp-bpf-fix-code-gen-bug-on-bpf_alu-bpf_xor-bpf_k.patch
+nfp-bpf-fix-alu32-high-bits-clearance-bug.patch
+net-set-static-variable-an-initial-value-in-atl2_pro.patch
+tmpfs-fix-uninitialized-return-value-in-shmem_link.patch
diff --git a/queue-4.14/tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch b/queue-4.14/tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch
new file mode 100644 (file)
index 0000000..830163a
--- /dev/null
@@ -0,0 +1,62 @@
+From 10c6e2ab16c88538323b01a9d367e22c24d3471b Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Thu, 21 Feb 2019 08:48:09 -0800
+Subject: tmpfs: fix link accounting when a tmpfile is linked in
+
+[ Upstream commit 1062af920c07f5b54cf5060fde3339da6df0cf6b ]
+
+tmpfs has a peculiarity of accounting hard links as if they were
+separate inodes: so that when the number of inodes is limited, as it is
+by default, a user cannot soak up an unlimited amount of unreclaimable
+dcache memory just by repeatedly linking a file.
+
+But when v3.11 added O_TMPFILE, and the ability to use linkat() on the
+fd, we missed accommodating this new case in tmpfs: "df -i" shows that
+an extra "inode" remains accounted after the file is unlinked and the fd
+closed and the actual inode evicted.  If a user repeatedly links
+tmpfiles into a tmpfs, the limit will be hit (ENOSPC) even after they
+are deleted.
+
+Just skip the extra reservation from shmem_link() in this case: there's
+a sense in which this first link of a tmpfile is then cheaper than a
+hard link of another file, but the accounting works out, and there's
+still good limiting, so no need to do anything more complicated.
+
+Link: http://lkml.kernel.org/r/alpine.LSU.2.11.1902182134370.7035@eggly.anvils
+Fixes: f4e0c30c191 ("allow the temp files created by open() to be linked to")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Reported-by: Matej Kupljen <matej.kupljen@gmail.com>
+Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/shmem.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 6c10f1d92251..9b78c04f532b 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -3102,10 +3102,14 @@ static int shmem_link(struct dentry *old_dentry, struct inode *dir, struct dentr
+        * No ordinary (disk based) filesystem counts links as inodes;
+        * but each new link needs a new dentry, pinning lowmem, and
+        * tmpfs dentries cannot be pruned until they are unlinked.
++       * But if an O_TMPFILE file is linked into the tmpfs, the
++       * first link must skip that, to get the accounting right.
+        */
+-      ret = shmem_reserve_inode(inode->i_sb);
+-      if (ret)
+-              goto out;
++      if (inode->i_nlink) {
++              ret = shmem_reserve_inode(inode->i_sb);
++              if (ret)
++                      goto out;
++      }
+       dir->i_size += BOGO_DIRENT_SIZE;
+       inode->i_ctime = dir->i_ctime = dir->i_mtime = current_time(inode);
+-- 
+2.19.1
+
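Review bot: The added comment in shmem_link() says the first link of an O_TMPFILE file "must skip that", but it never states that the `if (inode->i_nlink)` test is what identifies that case, so a reader has to infer that a zero link count means a not-yet-linked tmpfile. A one-line comment directly above the test, such as `/* i_nlink == 0: first link of an O_TMPFILE inode, so no extra reservation */`, would make the condition self-explanatory; that matters because, per the commit message, this reservation is what bounds unreclaimable dcache memory. On the skipped path `ret` is not assigned anywhere in this hunk and its declaration lies outside it, so this patch presumably relies on the queued tmpfs-fix-uninitialized-return-value-in-shmem_link.patch, and the two should be carried together in any further backport. shmem_link's body begins and ends outside the hunk.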
diff --git a/queue-4.14/tmpfs-fix-uninitialized-return-value-in-shmem_link.patch b/queue-4.14/tmpfs-fix-uninitialized-return-value-in-shmem_link.patch
new file mode 100644 (file)
index 0000000..1f7527a
--- /dev/null
@@ -0,0 +1,40 @@
+From bc0038e0376cf21b44d311d321d327ea3092703e Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Fri, 22 Feb 2019 22:35:32 -0800
+Subject: tmpfs: fix uninitialized return value in shmem_link
+
+[ Upstream commit 29b00e609960ae0fcff382f4c7079dd0874a5311 ]
+
+When we made the shmem_reserve_inode call in shmem_link conditional, we
+forgot to update the declaration for ret so that it always has a known
+value.  Dan Carpenter pointed out this deficiency in the original patch.
+
+Fixes: 1062af920c07 ("tmpfs: fix link accounting when a tmpfile is linked in")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Hugh Dickins <hughd@google.com>
+Cc: Matej Kupljen <matej.kupljen@gmail.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/shmem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 9b78c04f532b..037e2ee9ccac 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -3096,7 +3096,7 @@ static int shmem_create(struct inode *dir, struct dentry *dentry, umode_t mode,
+ static int shmem_link(struct dentry *old_dentry, struct inode *dir, struct dentry *dentry)
+ {
+       struct inode *inode = d_inode(old_dentry);
+-      int ret;
++      int ret = 0;
+       /*
+        * No ordinary (disk based) filesystem counts links as inodes;
+-- 
+2.19.1
+