--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Afzal Mohammed <afzal.mohd.ma@gmail.com>
+Date: Sat, 7 Jan 2017 17:48:10 +0100
+Subject: ARM: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM
+
+From: Afzal Mohammed <afzal.mohd.ma@gmail.com>
+
+
+[ Upstream commit 8a792e9afbce84a0fdaf213fe42bb97382487094 ]
+
+REMAP_VECTORS_TO_RAM depends on DRAM_BASE, but since DRAM_BASE is a
+hex, REMAP_VECTORS_TO_RAM could never get enabled. Also depending on
+DRAM_BASE is redundant as whenever REMAP_VECTORS_TO_RAM makes itself
+available to Kconfig, DRAM_BASE also is available as the Kconfig
+gets sourced on !MMU.
+
+Signed-off-by: Afzal Mohammed <afzal.mohd.ma@gmail.com>
+Reviewed-by: Vladimir Murzin <vladimir.murzin@arm.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/Kconfig-nommu | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/arm/Kconfig-nommu
++++ b/arch/arm/Kconfig-nommu
+@@ -34,8 +34,7 @@ config PROCESSOR_ID
+ used instead of the auto-probing which utilizes the register.
+
+ config REMAP_VECTORS_TO_RAM
+- bool 'Install vectors to the beginning of RAM' if DRAM_BASE
+- depends on DRAM_BASE
++ bool 'Install vectors to the beginning of RAM'
+ help
+ The kernel needs to change the hardware exception vectors.
+ In nommu mode, the hardware exception vectors are normally
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Simon Horman <horms+renesas@verge.net.au>
+Date: Tue, 20 Dec 2016 11:32:39 +0100
+Subject: ARM: dts: r8a7790: Use R-Car Gen 2 fallback binding for msiof nodes
+
+From: Simon Horman <horms+renesas@verge.net.au>
+
+
+[ Upstream commit 654450baf2afba86cf328e1849ccac61ec4630af ]
+
+Use recently added R-Car Gen 2 fallback binding for msiof nodes in
+DT for r8a7790 SoC.
+
+This has no run-time effect for the current driver as the initialisation
+sequence is the same for the SoC-specific binding for r8a7790 and the
+fallback binding for R-Car Gen 2.
+
+Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/r8a7790.dtsi | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/boot/dts/r8a7790.dtsi
++++ b/arch/arm/boot/dts/r8a7790.dtsi
+@@ -1409,7 +1409,8 @@
+ };
+
+ msiof0: spi@e6e20000 {
+- compatible = "renesas,msiof-r8a7790";
++ compatible = "renesas,msiof-r8a7790",
++ "renesas,rcar-gen2-msiof";
+ reg = <0 0xe6e20000 0 0x0064>;
+ interrupts = <0 156 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&mstp0_clks R8A7790_CLK_MSIOF0>;
+@@ -1422,7 +1423,8 @@
+ };
+
+ msiof1: spi@e6e10000 {
+- compatible = "renesas,msiof-r8a7790";
++ compatible = "renesas,msiof-r8a7790",
++ "renesas,rcar-gen2-msiof";
+ reg = <0 0xe6e10000 0 0x0064>;
+ interrupts = <0 157 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&mstp2_clks R8A7790_CLK_MSIOF1>;
+@@ -1435,7 +1437,8 @@
+ };
+
+ msiof2: spi@e6e00000 {
+- compatible = "renesas,msiof-r8a7790";
++ compatible = "renesas,msiof-r8a7790",
++ "renesas,rcar-gen2-msiof";
+ reg = <0 0xe6e00000 0 0x0064>;
+ interrupts = <0 158 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&mstp2_clks R8A7790_CLK_MSIOF2>;
+@@ -1448,7 +1451,8 @@
+ };
+
+ msiof3: spi@e6c90000 {
+- compatible = "renesas,msiof-r8a7790";
++ compatible = "renesas,msiof-r8a7790",
++ "renesas,rcar-gen2-msiof";
+ reg = <0 0xe6c90000 0 0x0064>;
+ interrupts = <0 159 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&mstp2_clks R8A7790_CLK_MSIOF3>;
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Fri, 20 Jan 2017 14:07:52 +0100
+Subject: ASoC: dapm: fix some pointer error handling
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+
+[ Upstream commit 639467c8f26d834c934215e8b59129ce442475fe ]
+
+commit 66feeec9322132689d42723df2537d60f96f8e44
+"RFC: ASoC: dapm: handle probe deferrals"
+forgot a to update some two sites where the call
+was used. The static codechecks quickly found them.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: 66feeec93221 ("RFC: ASoC: dapm: handle probe deferrals")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/soc-dapm.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -3794,6 +3794,16 @@ int snd_soc_dapm_new_dai_widgets(struct
+ template.name);
+
+ w = snd_soc_dapm_new_control_unlocked(dapm, &template);
++ if (IS_ERR(w)) {
++ int ret = PTR_ERR(w);
++
++ /* Do not nag about probe deferrals */
++ if (ret != -EPROBE_DEFER)
++ dev_err(dapm->dev,
++ "ASoC: Failed to create %s widget (%d)\n",
++ dai->driver->playback.stream_name, ret);
++ return ret;
++ }
+ if (!w) {
+ dev_err(dapm->dev, "ASoC: Failed to create %s widget\n",
+ dai->driver->playback.stream_name);
+@@ -3813,6 +3823,16 @@ int snd_soc_dapm_new_dai_widgets(struct
+ template.name);
+
+ w = snd_soc_dapm_new_control_unlocked(dapm, &template);
++ if (IS_ERR(w)) {
++ int ret = PTR_ERR(w);
++
++ /* Do not nag about probe deferrals */
++ if (ret != -EPROBE_DEFER)
++ dev_err(dapm->dev,
++ "ASoC: Failed to create %s widget (%d)\n",
++ dai->driver->playback.stream_name, ret);
++ return ret;
++ }
+ if (!w) {
+ dev_err(dapm->dev, "ASoC: Failed to create %s widget\n",
+ dai->driver->capture.stream_name);
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Fri, 13 Jan 2017 10:23:52 +0100
+Subject: ASoC: dapm: handle probe deferrals
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+
+[ Upstream commit 37e1df8c95e2c8a57c77eafc097648f6e40a60ff ]
+
+This starts to handle probe deferrals on regulators and clocks
+on the ASoC DAPM.
+
+I came to this patch after audio stopped working on Ux500 ages
+ago and I finally looked into it to see what is wrong. I had
+messages like this in the console since a while back:
+
+ab8500-codec.0: ASoC: Failed to request audioclk: -517
+ab8500-codec.0: ASoC: Failed to create DAPM control audioclk
+ab8500-codec.0: Failed to create new controls -12
+snd-soc-mop500.0: ASoC: failed to instantiate card -12
+snd-soc-mop500.0: Error: snd_soc_register_card failed (-12)!
+snd-soc-mop500: probe of snd-soc-mop500.0 failed with error -12
+
+Apparently because the widget table for the codec looks like
+this (sound/soc/codecs/ab8500-codec.c):
+
+static const struct snd_soc_dapm_widget ab8500_dapm_widgets[] = {
+
+ /* Clocks */
+ SND_SOC_DAPM_CLOCK_SUPPLY("audioclk"),
+
+ /* Regulators */
+ SND_SOC_DAPM_REGULATOR_SUPPLY("V-AUD", 0, 0),
+ SND_SOC_DAPM_REGULATOR_SUPPLY("V-AMIC1", 0, 0),
+ SND_SOC_DAPM_REGULATOR_SUPPLY("V-AMIC2", 0, 0),
+ SND_SOC_DAPM_REGULATOR_SUPPLY("V-DMIC", 0, 0),
+
+So when we call snd_soc_register_codec() and any of these widgets
+get a deferred probe we do not get an -EPROBE_DEFER (-517) back as
+we should and instead we just fail. Apparently the code assumes
+that clocks and regulators must be available at this point and
+not defer.
+
+After this patch it rather looks like this:
+
+ab8500-codec.0: Failed to create new controls -517
+snd-soc-mop500.0: ASoC: failed to instantiate card -517
+snd-soc-mop500.0: Error: snd_soc_register_card failed (-517)!
+(...)
+abx500-clk.0: registered clocks for ab850x
+snd-soc-mop500.0: ab8500-codec-dai.0 <-> ux500-msp-i2s.1 mapping ok
+snd-soc-mop500.0: ab8500-codec-dai.1 <-> ux500-msp-i2s.3 mapping ok
+
+I'm pretty happy about the patch as it it, but I'm a bit
+uncertain on how to proceed: there are a lot of users of the
+external functions snd_soc_dapm_new_control() (111 sites)
+and that will now return an occassional error pointer, which
+is not handled in the calling sites.
+
+I want an indication from the maintainers whether I should just
+go in and augment all these call sites, or if deferred probe
+is frowned upon when it leads to this much overhead.
+
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/soc-dapm.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ sound/soc/soc-topology.c | 9 +++++++++
+ 2 files changed, 51 insertions(+)
+
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -358,6 +358,10 @@ static int dapm_kcontrol_data_alloc(stru
+ snd_soc_dapm_new_control_unlocked(widget->dapm,
+ &template);
+ kfree(name);
++ if (IS_ERR(data->widget)) {
++ ret = PTR_ERR(data->widget);
++ goto err_data;
++ }
+ if (!data->widget) {
+ ret = -ENOMEM;
+ goto err_data;
+@@ -392,6 +396,10 @@ static int dapm_kcontrol_data_alloc(stru
+ data->widget = snd_soc_dapm_new_control_unlocked(
+ widget->dapm, &template);
+ kfree(name);
++ if (IS_ERR(data->widget)) {
++ ret = PTR_ERR(data->widget);
++ goto err_data;
++ }
+ if (!data->widget) {
+ ret = -ENOMEM;
+ goto err_data;
+@@ -3278,11 +3286,22 @@ snd_soc_dapm_new_control(struct snd_soc_
+
+ mutex_lock_nested(&dapm->card->dapm_mutex, SND_SOC_DAPM_CLASS_RUNTIME);
+ w = snd_soc_dapm_new_control_unlocked(dapm, widget);
++ /* Do not nag about probe deferrals */
++ if (IS_ERR(w)) {
++ int ret = PTR_ERR(w);
++
++ if (ret != -EPROBE_DEFER)
++ dev_err(dapm->dev,
++ "ASoC: Failed to create DAPM control %s (%d)\n",
++ widget->name, ret);
++ goto out_unlock;
++ }
+ if (!w)
+ dev_err(dapm->dev,
+ "ASoC: Failed to create DAPM control %s\n",
+ widget->name);
+
++out_unlock:
+ mutex_unlock(&dapm->card->dapm_mutex);
+ return w;
+ }
+@@ -3304,6 +3323,8 @@ snd_soc_dapm_new_control_unlocked(struct
+ w->regulator = devm_regulator_get(dapm->dev, w->name);
+ if (IS_ERR(w->regulator)) {
+ ret = PTR_ERR(w->regulator);
++ if (ret == -EPROBE_DEFER)
++ return ERR_PTR(ret);
+ dev_err(dapm->dev, "ASoC: Failed to request %s: %d\n",
+ w->name, ret);
+ return NULL;
+@@ -3322,6 +3343,8 @@ snd_soc_dapm_new_control_unlocked(struct
+ w->clk = devm_clk_get(dapm->dev, w->name);
+ if (IS_ERR(w->clk)) {
+ ret = PTR_ERR(w->clk);
++ if (ret == -EPROBE_DEFER)
++ return ERR_PTR(ret);
+ dev_err(dapm->dev, "ASoC: Failed to request %s: %d\n",
+ w->name, ret);
+ return NULL;
+@@ -3435,6 +3458,16 @@ int snd_soc_dapm_new_controls(struct snd
+ mutex_lock_nested(&dapm->card->dapm_mutex, SND_SOC_DAPM_CLASS_INIT);
+ for (i = 0; i < num; i++) {
+ w = snd_soc_dapm_new_control_unlocked(dapm, widget);
++ if (IS_ERR(w)) {
++ ret = PTR_ERR(w);
++ /* Do not nag about probe deferrals */
++ if (ret == -EPROBE_DEFER)
++ break;
++ dev_err(dapm->dev,
++ "ASoC: Failed to create DAPM control %s (%d)\n",
++ widget->name, ret);
++ break;
++ }
+ if (!w) {
+ dev_err(dapm->dev,
+ "ASoC: Failed to create DAPM control %s\n",
+@@ -3701,6 +3734,15 @@ int snd_soc_dapm_new_pcm(struct snd_soc_
+ dev_dbg(card->dev, "ASoC: adding %s widget\n", link_name);
+
+ w = snd_soc_dapm_new_control_unlocked(&card->dapm, &template);
++ if (IS_ERR(w)) {
++ ret = PTR_ERR(w);
++ /* Do not nag about probe deferrals */
++ if (ret != -EPROBE_DEFER)
++ dev_err(card->dev,
++ "ASoC: Failed to create %s widget (%d)\n",
++ link_name, ret);
++ goto outfree_kcontrol_news;
++ }
+ if (!w) {
+ dev_err(card->dev, "ASoC: Failed to create %s widget\n",
+ link_name);
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -1481,6 +1481,15 @@ widget:
+ widget = snd_soc_dapm_new_control(dapm, &template);
+ else
+ widget = snd_soc_dapm_new_control_unlocked(dapm, &template);
++ if (IS_ERR(widget)) {
++ ret = PTR_ERR(widget);
++ /* Do not nag about probe deferrals */
++ if (ret != -EPROBE_DEFER)
++ dev_err(tplg->dev,
++ "ASoC: failed to create widget %s controls (%d)\n",
++ w->name, ret);
++ goto hdr_err;
++ }
+ if (widget == NULL) {
+ dev_err(tplg->dev, "ASoC: failed to create widget %s controls\n",
+ w->name);
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Richard Guy Briggs <rgb@redhat.com>
+Date: Tue, 17 Jan 2017 11:07:15 -0500
+Subject: audit: log 32-bit socketcalls
+
+From: Richard Guy Briggs <rgb@redhat.com>
+
+
+[ Upstream commit 62bc306e2083436675e33b5bdeb6a77907d35971 ]
+
+32-bit socketcalls were not being logged by audit on x86_64 systems.
+Log them. This is basically a duplicate of the call from
+net/socket.c:sys_socketcall(), but it addresses the impedance mismatch
+between 32-bit userspace process and 64-bit kernel audit.
+
+See: https://github.com/linux-audit/audit-kernel/issues/14
+
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+Acked-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/audit.h | 20 ++++++++++++++++++++
+ net/compat.c | 17 ++++++++++++++---
+ 2 files changed, 34 insertions(+), 3 deletions(-)
+
+--- a/include/linux/audit.h
++++ b/include/linux/audit.h
+@@ -281,6 +281,20 @@ static inline int audit_socketcall(int n
+ return __audit_socketcall(nargs, args);
+ return 0;
+ }
++
++static inline int audit_socketcall_compat(int nargs, u32 *args)
++{
++ unsigned long a[AUDITSC_ARGS];
++ int i;
++
++ if (audit_dummy_context())
++ return 0;
++
++ for (i = 0; i < nargs; i++)
++ a[i] = (unsigned long)args[i];
++ return __audit_socketcall(nargs, a);
++}
++
+ static inline int audit_sockaddr(int len, void *addr)
+ {
+ if (unlikely(!audit_dummy_context()))
+@@ -407,6 +421,12 @@ static inline int audit_socketcall(int n
+ {
+ return 0;
+ }
++
++static inline int audit_socketcall_compat(int nargs, u32 *args)
++{
++ return 0;
++}
++
+ static inline void audit_fd_pair(int fd1, int fd2)
+ { }
+ static inline int audit_sockaddr(int len, void *addr)
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -22,6 +22,7 @@
+ #include <linux/filter.h>
+ #include <linux/compat.h>
+ #include <linux/security.h>
++#include <linux/audit.h>
+ #include <linux/export.h>
+
+ #include <net/scm.h>
+@@ -767,14 +768,24 @@ COMPAT_SYSCALL_DEFINE5(recvmmsg, int, fd
+
+ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args)
+ {
+- int ret;
+- u32 a[6];
++ u32 a[AUDITSC_ARGS];
++ unsigned int len;
+ u32 a0, a1;
++ int ret;
+
+ if (call < SYS_SOCKET || call > SYS_SENDMMSG)
+ return -EINVAL;
+- if (copy_from_user(a, args, nas[call]))
++ len = nas[call];
++ if (len > sizeof(a))
++ return -EINVAL;
++
++ if (copy_from_user(a, args, len))
+ return -EFAULT;
++
++ ret = audit_socketcall_compat(len / sizeof(a[0]), a);
++ if (ret)
++ return ret;
++
+ a0 = a[0];
+ a1 = a[1];
+
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Mon, 10 Apr 2017 14:59:28 +0300
+Subject: bridge: netlink: register netdevice before executing changelink
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+
+[ Upstream commit 5b8d5429daa05bebef6ffd3297df3b502cc6f184 ]
+
+Peter reported a kernel oops when executing the following command:
+
+$ ip link add name test type bridge vlan_default_pvid 1
+
+[13634.939408] BUG: unable to handle kernel NULL pointer dereference at
+0000000000000190
+[13634.939436] IP: __vlan_add+0x73/0x5f0
+[...]
+[13634.939783] Call Trace:
+[13634.939791] ? pcpu_next_unpop+0x3b/0x50
+[13634.939801] ? pcpu_alloc+0x3d2/0x680
+[13634.939810] ? br_vlan_add+0x135/0x1b0
+[13634.939820] ? __br_vlan_set_default_pvid.part.28+0x204/0x2b0
+[13634.939834] ? br_changelink+0x120/0x4e0
+[13634.939844] ? br_dev_newlink+0x50/0x70
+[13634.939854] ? rtnl_newlink+0x5f5/0x8a0
+[13634.939864] ? rtnl_newlink+0x176/0x8a0
+[13634.939874] ? mem_cgroup_commit_charge+0x7c/0x4e0
+[13634.939886] ? rtnetlink_rcv_msg+0xe1/0x220
+[13634.939896] ? lookup_fast+0x52/0x370
+[13634.939905] ? rtnl_newlink+0x8a0/0x8a0
+[13634.939915] ? netlink_rcv_skb+0xa1/0xc0
+[13634.939925] ? rtnetlink_rcv+0x24/0x30
+[13634.939934] ? netlink_unicast+0x177/0x220
+[13634.939944] ? netlink_sendmsg+0x2fe/0x3b0
+[13634.939954] ? _copy_from_user+0x39/0x40
+[13634.939964] ? sock_sendmsg+0x30/0x40
+[13634.940159] ? ___sys_sendmsg+0x29d/0x2b0
+[13634.940326] ? __alloc_pages_nodemask+0xdf/0x230
+[13634.940478] ? mem_cgroup_commit_charge+0x7c/0x4e0
+[13634.940592] ? mem_cgroup_try_charge+0x76/0x1a0
+[13634.940701] ? __handle_mm_fault+0xdb9/0x10b0
+[13634.940809] ? __sys_sendmsg+0x51/0x90
+[13634.940917] ? entry_SYSCALL_64_fastpath+0x1e/0xad
+
+The problem is that the bridge's VLAN group is created after setting the
+default PVID, when registering the netdevice and executing its
+ndo_init().
+
+Fix this by changing the order of both operations, so that
+br_changelink() is only processed after the netdevice is registered,
+when the VLAN group is already initialized.
+
+Fixes: b6677449dff6 ("bridge: netlink: call br_changelink() during br_dev_newlink()")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-by: Peter V. Saveliev <peter@svinota.eu>
+Tested-by: Peter V. Saveliev <peter@svinota.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_netlink.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/bridge/br_netlink.c
++++ b/net/bridge/br_netlink.c
+@@ -1073,11 +1073,14 @@ static int br_dev_newlink(struct net *sr
+ spin_unlock_bh(&br->lock);
+ }
+
+- err = br_changelink(dev, tb, data);
++ err = register_netdevice(dev);
+ if (err)
+ return err;
+
+- return register_netdevice(dev);
++ err = br_changelink(dev, tb, data);
++ if (err)
++ unregister_netdevice(dev);
++ return err;
+ }
+
+ static size_t br_get_size(const struct net_device *brdev)
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Pan Bian <bianpan2016@163.com>
+Date: Thu, 1 Dec 2016 16:10:42 +0800
+Subject: drm/amdkfd: fix improper return value on error
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 8bf793883da213864efc50c274d2b38ec0ca58b2 ]
+
+In function kfd_wait_on_events(), when the call to copy_from_user()
+fails, the value of return variable ret is 0. 0 indicates success, which
+is inconsistent with the execution status. This patch fixes the bug by
+assigning "-EFAULT" to ret when copy_from_user() returns an unexpected
+value.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_events.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_events.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_events.c
+@@ -739,8 +739,10 @@ int kfd_wait_on_events(struct kfd_proces
+ struct kfd_event_data event_data;
+
+ if (copy_from_user(&event_data, &events[i],
+- sizeof(struct kfd_event_data)))
++ sizeof(struct kfd_event_data))) {
++ ret = -EFAULT;
+ goto fail;
++ }
+
+ ret = init_event_waiter(p, &event_waiters[i],
+ event_data.event_id, i);
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Date: Tue, 13 Dec 2016 11:09:16 +0100
+Subject: drm: bridge: add DT bindings for TI ths8135
+
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+
+
+[ Upstream commit 2e644be30fcc08c736f66b60f4898d274d4873ab ]
+
+THS8135 is a configurable video DAC. Add DT bindings for this chip.
+
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Acked-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Archit Taneja <architt@codeaurora.org>
+Link: http://patchwork.freedesktop.org/patch/msgid/1481623759-12786-3-git-send-email-bgolaszewski@baylibre.com
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/display/bridge/ti,ths8135.txt | 46 ++++++++++
+ 1 file changed, 46 insertions(+)
+ create mode 100644 Documentation/devicetree/bindings/display/bridge/ti,ths8135.txt
+
+--- /dev/null
++++ b/Documentation/devicetree/bindings/display/bridge/ti,ths8135.txt
+@@ -0,0 +1,46 @@
++THS8135 Video DAC
++-----------------
++
++This is the binding for Texas Instruments THS8135 Video DAC bridge.
++
++Required properties:
++
++- compatible: Must be "ti,ths8135"
++
++Required nodes:
++
++This device has two video ports. Their connections are modelled using the OF
++graph bindings specified in Documentation/devicetree/bindings/graph.txt.
++
++- Video port 0 for RGB input
++- Video port 1 for VGA output
++
++Example
++-------
++
++vga-bridge {
++ compatible = "ti,ths8135";
++ #address-cells = <1>;
++ #size-cells = <0>;
++
++ ports {
++ #address-cells = <1>;
++ #size-cells = <0>;
++
++ port@0 {
++ reg = <0>;
++
++ vga_bridge_in: endpoint {
++ remote-endpoint = <&lcdc_out_vga>;
++ };
++ };
++
++ port@1 {
++ reg = <1>;
++
++ vga_bridge_out: endpoint {
++ remote-endpoint = <&vga_con_in>;
++ };
++ };
++ };
++};
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: "Kristian H. Kristensen" <hoegsberg@gmail.com>
+Date: Tue, 13 Dec 2016 11:27:52 -0800
+Subject: drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define
+
+From: "Kristian H. Kristensen" <hoegsberg@gmail.com>
+
+
+[ Upstream commit af913418261d6d3e7a29f06cf35f04610ead667c ]
+
+We need to define DRM_FORMAT_MOD_VENDOR_NONE for the fourcc_mod_code()
+macro to work correctly.
+
+Signed-off-by: Kristian H. Kristensen <hoegsberg@google.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: http://patchwork.freedesktop.org/patch/msgid/1481657272-25975-1-git-send-email-hoegsberg@google.com
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/drm/drm_fourcc.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/uapi/drm/drm_fourcc.h
++++ b/include/uapi/drm/drm_fourcc.h
+@@ -150,6 +150,7 @@
+
+ /* Vendor Ids: */
+ #define DRM_FORMAT_MOD_NONE 0
++#define DRM_FORMAT_MOD_VENDOR_NONE 0
+ #define DRM_FORMAT_MOD_VENDOR_INTEL 0x01
+ #define DRM_FORMAT_MOD_VENDOR_AMD 0x02
+ #define DRM_FORMAT_MOD_VENDOR_NV 0x03
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 19 Dec 2016 01:13:11 +0100
+Subject: extcon: axp288: Use vbus-valid instead of -present to determine cable presence
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit 5757aca10146061befd168dab37fb0db1ccd8f73 ]
+
+The vbus-present bit in the power status register also gets set to 1
+when a usb-host cable (id-pin shorted to ground) is plugged in and a 5v
+boost converter is supplying 5v to the otg usb bus.
+
+This causes a "disconnect or unknown or ID event" warning in dmesg as
+well as the extcon device to report the last detected charger cable
+type as being connected even though none is connected.
+
+This commit switches to checking the vbus-valid bit instead, which is
+only 1 when both vbus is present and the vbus-path is enabled in the
+vbus-path control register (the vbus-path gets disabled when a usb-host
+cable is detected, to avoid the pmic drawing power from the 5v boost
+converter).
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/extcon/extcon-axp288.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/extcon/extcon-axp288.c
++++ b/drivers/extcon/extcon-axp288.c
+@@ -168,7 +168,7 @@ static int axp288_handle_chrg_det_event(
+ return ret;
+ }
+
+- vbus_attach = (pwr_stat & PS_STAT_VBUS_PRESENT);
++ vbus_attach = (pwr_stat & PS_STAT_VBUS_VALID);
+ if (!vbus_attach)
+ goto notify_otg;
+
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Thibault Saunier <thibault.saunier@osg.samsung.com>
+Date: Wed, 1 Feb 2017 18:05:21 -0200
+Subject: [media] exynos-gsc: Do not swap cb/cr for semi planar formats
+
+From: Thibault Saunier <thibault.saunier@osg.samsung.com>
+
+
+[ Upstream commit d7f3e33df4fbdc9855fb151f4a328ec46447e3ba ]
+
+In the case of semi planar formats cb and cr are in the same plane
+in memory, meaning that will be set to 'cb' whatever the format is,
+and whatever the (packed) order of those components are.
+
+Suggested-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Thibault Saunier <thibault.saunier@osg.samsung.com>
+Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Acked-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/exynos-gsc/gsc-core.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/media/platform/exynos-gsc/gsc-core.c
++++ b/drivers/media/platform/exynos-gsc/gsc-core.c
+@@ -849,9 +849,7 @@ int gsc_prepare_addr(struct gsc_ctx *ctx
+
+ if ((frame->fmt->pixelformat == V4L2_PIX_FMT_VYUY) ||
+ (frame->fmt->pixelformat == V4L2_PIX_FMT_YVYU) ||
+- (frame->fmt->pixelformat == V4L2_PIX_FMT_NV61) ||
+ (frame->fmt->pixelformat == V4L2_PIX_FMT_YVU420) ||
+- (frame->fmt->pixelformat == V4L2_PIX_FMT_NV21) ||
+ (frame->fmt->pixelformat == V4L2_PIX_FMT_YVU420M))
+ swap(addr->cb, addr->cr);
+
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 14 Dec 2016 08:02:03 -0600
+Subject: GFS2: Fix reference to ERR_PTR in gfs2_glock_iter_next
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 14d37564fa3dc4e5d4c6828afcd26ac14e6796c5 ]
+
+This patch fixes a place where function gfs2_glock_iter_next can
+reference an invalid error pointer.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/gfs2/glock.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/fs/gfs2/glock.c
++++ b/fs/gfs2/glock.c
+@@ -1798,16 +1798,18 @@ void gfs2_glock_exit(void)
+
+ static void gfs2_glock_iter_next(struct gfs2_glock_iter *gi)
+ {
+- do {
+- gi->gl = rhashtable_walk_next(&gi->hti);
++ while ((gi->gl = rhashtable_walk_next(&gi->hti))) {
+ if (IS_ERR(gi->gl)) {
+ if (PTR_ERR(gi->gl) == -EAGAIN)
+ continue;
+ gi->gl = NULL;
++ return;
+ }
+- /* Skip entries for other sb and dead entries */
+- } while ((gi->gl) && ((gi->sdp != gi->gl->gl_name.ln_sbd) ||
+- __lockref_is_dead(&gi->gl->gl_lockref)));
++ /* Skip entries for other sb and dead entries */
++ if (gi->sdp == gi->gl->gl_name.ln_sbd &&
++ !__lockref_is_dead(&gi->gl->gl_lockref))
++ return;
++ }
+ }
+
+ static void *gfs2_glock_seq_start(struct seq_file *seq, loff_t *pos)
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Tue, 27 Dec 2016 14:15:07 -0800
+Subject: hwmon: (gl520sm) Fix overflows and crash seen when writing into limit attributes
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+
+[ Upstream commit 87cdfa9d60f4f40e6d71b04b10b36d9df3c89282 ]
+
+Writes into limit attributes can overflow due to multplications and
+additions with unbound input values. Writing into fan limit attributes
+can result in a crash with a division by zero if very large values are
+written and the fan divider is larger than 1.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/gl520sm.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+--- a/drivers/hwmon/gl520sm.c
++++ b/drivers/hwmon/gl520sm.c
+@@ -208,11 +208,13 @@ static ssize_t get_cpu_vid(struct device
+ }
+ static DEVICE_ATTR(cpu0_vid, S_IRUGO, get_cpu_vid, NULL);
+
+-#define VDD_FROM_REG(val) (((val) * 95 + 2) / 4)
+-#define VDD_TO_REG(val) clamp_val((((val) * 4 + 47) / 95), 0, 255)
+-
+-#define IN_FROM_REG(val) ((val) * 19)
+-#define IN_TO_REG(val) clamp_val((((val) + 9) / 19), 0, 255)
++#define VDD_FROM_REG(val) DIV_ROUND_CLOSEST((val) * 95, 4)
++#define VDD_CLAMP(val) clamp_val(val, 0, 255 * 95 / 4)
++#define VDD_TO_REG(val) DIV_ROUND_CLOSEST(VDD_CLAMP(val) * 4, 95)
++
++#define IN_FROM_REG(val) ((val) * 19)
++#define IN_CLAMP(val) clamp_val(val, 0, 255 * 19)
++#define IN_TO_REG(val) DIV_ROUND_CLOSEST(IN_CLAMP(val), 19)
+
+ static ssize_t get_in_input(struct device *dev, struct device_attribute *attr,
+ char *buf)
+@@ -349,8 +351,13 @@ static SENSOR_DEVICE_ATTR(in4_max, S_IRU
+
+ #define DIV_FROM_REG(val) (1 << (val))
+ #define FAN_FROM_REG(val, div) ((val) == 0 ? 0 : (480000 / ((val) << (div))))
+-#define FAN_TO_REG(val, div) ((val) <= 0 ? 0 : \
+- clamp_val((480000 + ((val) << ((div)-1))) / ((val) << (div)), 1, 255))
++
++#define FAN_BASE(div) (480000 >> (div))
++#define FAN_CLAMP(val, div) clamp_val(val, FAN_BASE(div) / 255, \
++ FAN_BASE(div))
++#define FAN_TO_REG(val, div) ((val) == 0 ? 0 : \
++ DIV_ROUND_CLOSEST(480000, \
++ FAN_CLAMP(val, div) << (div)))
+
+ static ssize_t get_fan_input(struct device *dev, struct device_attribute *attr,
+ char *buf)
+@@ -513,9 +520,9 @@ static SENSOR_DEVICE_ATTR(fan2_div, S_IR
+ static DEVICE_ATTR(fan1_off, S_IRUGO | S_IWUSR,
+ get_fan_off, set_fan_off);
+
+-#define TEMP_FROM_REG(val) (((val) - 130) * 1000)
+-#define TEMP_TO_REG(val) clamp_val(((((val) < 0 ? \
+- (val) - 500 : (val) + 500) / 1000) + 130), 0, 255)
++#define TEMP_FROM_REG(val) (((val) - 130) * 1000)
++#define TEMP_CLAMP(val) clamp_val(val, -130000, 125000)
++#define TEMP_TO_REG(val) (DIV_ROUND_CLOSEST(TEMP_CLAMP(val), 1000) + 130)
+
+ static ssize_t get_temp_input(struct device *dev, struct device_attribute *attr,
+ char *buf)
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Tue, 7 Mar 2017 21:06:38 +0100
+Subject: i2c: meson: fix wrong variable usage in meson_i2c_put_data
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+
+[ Upstream commit 3b0277f198ac928f323c42e180680d2f79aa980d ]
+
+Most likely a copy & paste error.
+
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Acked-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Fixes: 30021e3707a7 ("i2c: add support for Amlogic Meson I2C controller")
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-meson.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-meson.c
++++ b/drivers/i2c/busses/i2c-meson.c
+@@ -175,7 +175,7 @@ static void meson_i2c_put_data(struct me
+ wdata1 |= *buf++ << ((i - 4) * 8);
+
+ writel(wdata0, i2c->regs + REG_TOK_WDATA0);
+- writel(wdata0, i2c->regs + REG_TOK_WDATA1);
++ writel(wdata1, i2c->regs + REG_TOK_WDATA1);
+
+ dev_dbg(i2c->dev, "%s: data %08x %08x len %d\n", __func__,
+ wdata0, wdata1, len);
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Feras Daoud <ferasda@mellanox.com>
+Date: Wed, 28 Dec 2016 14:47:22 +0200
+Subject: IB/ipoib: Fix deadlock over vlan_mutex
+
+From: Feras Daoud <ferasda@mellanox.com>
+
+
+[ Upstream commit 1c3098cdb05207e740715857df7b0998e372f527 ]
+
+This patch fixes Deadlock while executing ipoib_vlan_delete.
+
+The function takes the vlan_rwsem semaphore and calls
+unregister_netdevice. The later function calls
+ipoib_mcast_stop_thread that cause workqueue flush.
+
+When the queue has one of the ipoib_ib_dev_flush_xxx events,
+a deadlock occur because these events also tries to catch the
+same vlan_rwsem semaphore.
+
+To fix, unregister_netdevice should be called after releasing
+the semaphore.
+
+Fixes: cbbe1efa4972 ("IPoIB: Fix deadlock between ipoib_open() and child interface create")
+Signed-off-by: Feras Daoud <ferasda@mellanox.com>
+Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
+Reviewed-by: Alex Vesker <valex@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
+@@ -185,7 +185,6 @@ int ipoib_vlan_delete(struct net_device
+ list_for_each_entry_safe(priv, tpriv, &ppriv->child_intfs, list) {
+ if (priv->pkey == pkey &&
+ priv->child_type == IPOIB_LEGACY_CHILD) {
+- unregister_netdevice(priv->dev);
+ list_del(&priv->list);
+ dev = priv->dev;
+ break;
+@@ -193,6 +192,11 @@ int ipoib_vlan_delete(struct net_device
+ }
+ up_write(&ppriv->vlan_rwsem);
+
++ if (dev) {
++ ipoib_dbg(ppriv, "delete child vlan %s\n", dev->name);
++ unregister_netdevice(dev);
++ }
++
+ rtnl_unlock();
+
+ if (dev) {
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Feras Daoud <ferasda@mellanox.com>
+Date: Wed, 28 Dec 2016 14:47:27 +0200
+Subject: IB/ipoib: Replace list_del of the neigh->list with list_del_init
+
+From: Feras Daoud <ferasda@mellanox.com>
+
+
+[ Upstream commit c586071d1dc8227a7182179b8e50ee92cc43f6d2 ]
+
+In order to resolve a situation where a few process delete
+the same list element in sequence and cause panic, list_del
+is replaced with list_del_init. In this case if the first
+process that calls list_del releases the lock before acquiring
+it again, other processes who can acquire the lock will call
+list_del_init.
+
+Fixes: b63b70d87741 ("IPoIB: Use a private hash table for path lookup")
+Signed-off-by: Feras Daoud <ferasda@mellanox.com>
+Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
+Reviewed-by: Alex Vesker <valex@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -1239,7 +1239,7 @@ static void __ipoib_reap_neigh(struct ip
+ rcu_dereference_protected(neigh->hnext,
+ lockdep_is_held(&priv->lock)));
+ /* remove from path/mc list */
+- list_del(&neigh->list);
++ list_del_init(&neigh->list);
+ call_rcu(&neigh->rcu, ipoib_neigh_reclaim);
+ } else {
+ np = &neigh->hnext;
+@@ -1406,7 +1406,7 @@ void ipoib_neigh_free(struct ipoib_neigh
+ rcu_dereference_protected(neigh->hnext,
+ lockdep_is_held(&priv->lock)));
+ /* remove from parent list */
+- list_del(&neigh->list);
++ list_del_init(&neigh->list);
+ call_rcu(&neigh->rcu, ipoib_neigh_reclaim);
+ return;
+ } else {
+@@ -1491,7 +1491,7 @@ void ipoib_del_neighs_by_gid(struct net_
+ rcu_dereference_protected(neigh->hnext,
+ lockdep_is_held(&priv->lock)));
+ /* remove from parent list */
+- list_del(&neigh->list);
++ list_del_init(&neigh->list);
+ call_rcu(&neigh->rcu, ipoib_neigh_reclaim);
+ } else {
+ np = &neigh->hnext;
+@@ -1533,7 +1533,7 @@ static void ipoib_flush_neighs(struct ip
+ rcu_dereference_protected(neigh->hnext,
+ lockdep_is_held(&priv->lock)));
+ /* remove from path/mc list */
+- list_del(&neigh->list);
++ list_del_init(&neigh->list);
+ call_rcu(&neigh->rcu, ipoib_neigh_reclaim);
+ }
+ }
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Feras Daoud <ferasda@mellanox.com>
+Date: Wed, 28 Dec 2016 14:47:24 +0200
+Subject: IB/ipoib: rtnl_unlock can not come after free_netdev
+
+From: Feras Daoud <ferasda@mellanox.com>
+
+
+[ Upstream commit 89a3987ab7a923c047c6dec008e60ad6f41fac22 ]
+
+The ipoib_vlan_add function calls rtnl_unlock after free_netdev,
+rtnl_unlock not only releases the lock, but also calls netdev_run_todo.
+The latter function browses the net_todo_list array and completes the
+unregistration of all its net_device instances. If we call free_netdev
+before rtnl_unlock, then netdev_run_todo call over the freed device causes
+panic.
+To fix, move rtnl_unlock call before free_netdev call.
+
+Fixes: 9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support")
+Cc: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: Feras Daoud <ferasda@mellanox.com>
+Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
+Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
+@@ -160,11 +160,11 @@ int ipoib_vlan_add(struct net_device *pd
+ out:
+ up_write(&ppriv->vlan_rwsem);
+
++ rtnl_unlock();
++
+ if (result)
+ free_netdev(priv->dev);
+
+- rtnl_unlock();
+-
+ return result;
+ }
+
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Guilherme G Piccoli <gpiccoli@linux.vnet.ibm.com>
+Date: Thu, 10 Nov 2016 16:46:43 -0200
+Subject: igb: re-assign hw address pointer on reset after PCI error
+
+From: Guilherme G Piccoli <gpiccoli@linux.vnet.ibm.com>
+
+
+[ Upstream commit 69b97cf6dbce7403845a28bbc75d57f5be7b12ac ]
+
+Whenever the igb driver detects the result of a read operation returns
+a value composed only by F's (like 0xFFFFFFFF), it will detach the
+net_device, clear the hw_addr pointer and warn to the user that adapter's
+link is lost - those steps happen on igb_rd32().
+
+In case a PCI error happens on Power architecture, there's a recovery
+mechanism called EEH, that will reset the PCI slot and call driver's
+handlers to reset the adapter and network functionality as well.
+
+We observed that once hw_addr is NULL after the error is detected on
+igb_rd32(), it's never assigned back, so in the process of resetting
+the network functionality we got a NULL pointer dereference in both
+igb_configure_tx_ring() and igb_configure_rx_ring(). In order to avoid
+such bug, this patch re-assigns the hw_addr value in the slot_reset
+handler.
+
+Reported-by: Anthony H Thai <ahthai@us.ibm.com>
+Reported-by: Harsha Thyagaraja <hathyaga@in.ibm.com>
+Signed-off-by: Guilherme G Piccoli <gpiccoli@linux.vnet.ibm.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -7658,6 +7658,11 @@ static pci_ers_result_t igb_io_slot_rese
+ pci_enable_wake(pdev, PCI_D3hot, 0);
+ pci_enable_wake(pdev, PCI_D3cold, 0);
+
++ /* In case of PCI error, adapter lose its HW address
++ * so we should re-assign it here.
++ */
++ hw->hw_addr = adapter->io_addr;
++
+ igb_reset(adapter);
+ wr32(E1000_WUS, ~0);
+ result = PCI_ERS_RESULT_RECOVERED;
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 14 Dec 2016 14:55:25 +0100
+Subject: iio: adc: axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL register modifications
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+
+[ Upstream commit fa2849e9649b5180ffc4cb3c3b005261c403093a ]
+
+For some reason the axp288_adc driver was modifying the
+AXP288_ADC_TS_PIN_CTRL register, changing bits 0-1 depending on
+whether the GP_ADC channel or another channel was written.
+
+These bits control when a bias current is send to the TS_PIN, the
+GP_ADC has its own pin and a separate bit in another register to
+control the bias current.
+
+Not only does changing when to enable the TS_PIN bias current
+(always or only when sampling) when reading the GP_ADC make no sense
+at all, the code is modifying these bits is writing the entire register,
+assuming that all the other bits have their default value.
+
+So if the firmware has configured a different bias-current for either
+pin, then that change gets clobbered by the write, likewise if the
+firmware has set bit 2 to indicate that the battery has no thermal sensor,
+this will get clobbered by the write.
+
+This commit fixes all this, by simply removing all writes to the
+AXP288_ADC_TS_PIN_CTRL register, they are not needed to read the
+GP_ADC pin, and can actually be harmful.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/axp288_adc.c | 32 +-------------------------------
+ 1 file changed, 1 insertion(+), 31 deletions(-)
+
+--- a/drivers/iio/adc/axp288_adc.c
++++ b/drivers/iio/adc/axp288_adc.c
+@@ -28,8 +28,6 @@
+ #include <linux/iio/driver.h>
+
+ #define AXP288_ADC_EN_MASK 0xF1
+-#define AXP288_ADC_TS_PIN_GPADC 0xF2
+-#define AXP288_ADC_TS_PIN_ON 0xF3
+
+ enum axp288_adc_id {
+ AXP288_ADC_TS,
+@@ -123,16 +121,6 @@ static int axp288_adc_read_channel(int *
+ return IIO_VAL_INT;
+ }
+
+-static int axp288_adc_set_ts(struct regmap *regmap, unsigned int mode,
+- unsigned long address)
+-{
+- /* channels other than GPADC do not need to switch TS pin */
+- if (address != AXP288_GP_ADC_H)
+- return 0;
+-
+- return regmap_write(regmap, AXP288_ADC_TS_PIN_CTRL, mode);
+-}
+-
+ static int axp288_adc_read_raw(struct iio_dev *indio_dev,
+ struct iio_chan_spec const *chan,
+ int *val, int *val2, long mask)
+@@ -143,16 +131,7 @@ static int axp288_adc_read_raw(struct ii
+ mutex_lock(&indio_dev->mlock);
+ switch (mask) {
+ case IIO_CHAN_INFO_RAW:
+- if (axp288_adc_set_ts(info->regmap, AXP288_ADC_TS_PIN_GPADC,
+- chan->address)) {
+- dev_err(&indio_dev->dev, "GPADC mode\n");
+- ret = -EINVAL;
+- break;
+- }
+ ret = axp288_adc_read_channel(val, chan->address, info->regmap);
+- if (axp288_adc_set_ts(info->regmap, AXP288_ADC_TS_PIN_ON,
+- chan->address))
+- dev_err(&indio_dev->dev, "TS pin restore\n");
+ break;
+ default:
+ ret = -EINVAL;
+@@ -162,15 +141,6 @@ static int axp288_adc_read_raw(struct ii
+ return ret;
+ }
+
+-static int axp288_adc_set_state(struct regmap *regmap)
+-{
+- /* ADC should be always enabled for internal FG to function */
+- if (regmap_write(regmap, AXP288_ADC_TS_PIN_CTRL, AXP288_ADC_TS_PIN_ON))
+- return -EIO;
+-
+- return regmap_write(regmap, AXP20X_ADC_EN1, AXP288_ADC_EN_MASK);
+-}
+-
+ static const struct iio_info axp288_adc_iio_info = {
+ .read_raw = &axp288_adc_read_raw,
+ .driver_module = THIS_MODULE,
+@@ -199,7 +169,7 @@ static int axp288_adc_probe(struct platf
+ * Set ADC to enabled state at all time, including system suspend.
+ * otherwise internal fuel gauge functionality may be affected.
+ */
+- ret = axp288_adc_set_state(axp20x->regmap);
++ ret = regmap_write(info->regmap, AXP20X_ADC_EN1, AXP288_ADC_EN_MASK);
+ if (ret) {
+ dev_err(&pdev->dev, "unable to enable ADC device\n");
+ return ret;
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Andreas Klinger <ak@it-klinger.de>
+Date: Thu, 5 Jan 2017 18:51:36 +0100
+Subject: iio: adc: hx711: Add DT binding for avia,hx711
+
+From: Andreas Klinger <ak@it-klinger.de>
+
+
+[ Upstream commit ff1293f67734da68e23fecb6ecdae7112b8c43f9 ]
+
+Add DT bindings for avia,hx711
+Add vendor avia to vendor list
+
+Signed-off-by: Andreas Klinger <ak@it-klinger.de>
+Acked-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/iio/adc/avia-hx711.txt | 18 +++++++++++++++
+ Documentation/devicetree/bindings/vendor-prefixes.txt | 1
+ 2 files changed, 19 insertions(+)
+ create mode 100644 Documentation/devicetree/bindings/iio/adc/avia-hx711.txt
+
+--- /dev/null
++++ b/Documentation/devicetree/bindings/iio/adc/avia-hx711.txt
+@@ -0,0 +1,18 @@
++* AVIA HX711 ADC chip for weight cells
++ Bit-banging driver
++
++Required properties:
++ - compatible: Should be "avia,hx711"
++ - sck-gpios: Definition of the GPIO for the clock
++ - dout-gpios: Definition of the GPIO for data-out
++ See Documentation/devicetree/bindings/gpio/gpio.txt
++ - avdd-supply: Definition of the regulator used as analog supply
++
++Example:
++weight@0 {
++ compatible = "avia,hx711";
++ sck-gpios = <&gpio3 10 GPIO_ACTIVE_HIGH>;
++ dout-gpios = <&gpio0 7 GPIO_ACTIVE_HIGH>;
++ avdd-suppy = <&avdd>;
++};
++
+--- a/Documentation/devicetree/bindings/vendor-prefixes.txt
++++ b/Documentation/devicetree/bindings/vendor-prefixes.txt
+@@ -31,6 +31,7 @@ asahi-kasei Asahi Kasei Corp.
+ atmel Atmel Corporation
+ auo AU Optronics Corporation
+ avago Avago Technologies
++avia avia semiconductor
+ avic Shanghai AVIC Optoelectronics Co., Ltd.
+ axis Axis Communications AB
+ bosch Bosch Sensortec GmbH
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
+Date: Mon, 27 Feb 2017 14:30:25 +0200
+Subject: iommu/io-pgtable-arm: Check for leaf entry before dereferencing it
+
+From: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
+
+
+[ Upstream commit ed46e66cc1b3d684042f92dfa2ab15ee917b4cac ]
+
+Do a check for already installed leaf entry at the current level before
+dereferencing it in order to avoid walking the page table down with
+wrong pointer to the next level.
+
+Signed-off-by: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
+CC: Will Deacon <will.deacon@arm.com>
+CC: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/io-pgtable-arm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/io-pgtable-arm.c
++++ b/drivers/iommu/io-pgtable-arm.c
+@@ -335,8 +335,12 @@ static int __arm_lpae_map(struct arm_lpa
+ if (cfg->quirks & IO_PGTABLE_QUIRK_ARM_NS)
+ pte |= ARM_LPAE_PTE_NSTABLE;
+ __arm_lpae_set_pte(ptep, pte, cfg);
+- } else {
++ } else if (!iopte_leaf(pte, lvl)) {
+ cptep = iopte_deref(pte, data);
++ } else {
++ /* We require an unmap first */
++ WARN_ON(!selftest_running);
++ return -EEXIST;
+ }
+
+ /* Rinse, repeat */
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Gwendal Grignou <gwendal@chromium.org>
+Date: Fri, 3 Mar 2017 09:00:09 -0800
+Subject: libata: transport: Remove circular dependency at free time
+
+From: Gwendal Grignou <gwendal@chromium.org>
+
+
+[ Upstream commit d85fc67dd11e9a32966140677d4d6429ca540b25 ]
+
+Without this patch, failed probe would not free resources like irq.
+
+ata port tdev object currently hold a reference to the ata port
+object. Therefore the ata port object release function will not get
+called until the ata_tport_release is called. But that would never
+happen, releasing the last reference of ata port dev is done by
+scsi_host_release, which is called by ata_host_release when the ata
+port object is released.
+
+The ata device objects actually do not need to explicitly hold a
+reference to their real counterpart, given the transport objects are
+the children of these objects and device_add() is call for each child.
+We know the parent will not be deleted until we call the child's
+device_del().
+
+Reported-by: Matthew Whitehead <tedheadster@gmail.com>
+Tested-by: Matthew Whitehead <tedheadster@gmail.com>
+Suggested-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-transport.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/ata/libata-transport.c
++++ b/drivers/ata/libata-transport.c
+@@ -224,7 +224,6 @@ static DECLARE_TRANSPORT_CLASS(ata_port_
+
+ static void ata_tport_release(struct device *dev)
+ {
+- put_device(dev->parent);
+ }
+
+ /**
+@@ -284,7 +283,7 @@ int ata_tport_add(struct device *parent,
+ device_initialize(dev);
+ dev->type = &ata_port_type;
+
+- dev->parent = get_device(parent);
++ dev->parent = parent;
+ dev->release = ata_tport_release;
+ dev_set_name(dev, "ata%d", ap->print_id);
+ transport_setup_device(dev);
+@@ -348,7 +347,6 @@ static DECLARE_TRANSPORT_CLASS(ata_link_
+
+ static void ata_tlink_release(struct device *dev)
+ {
+- put_device(dev->parent);
+ }
+
+ /**
+@@ -410,7 +408,7 @@ int ata_tlink_add(struct ata_link *link)
+ int error;
+
+ device_initialize(dev);
+- dev->parent = get_device(&ap->tdev);
++ dev->parent = &ap->tdev;
+ dev->release = ata_tlink_release;
+ if (ata_is_host_link(link))
+ dev_set_name(dev, "link%d", ap->print_id);
+@@ -588,7 +586,6 @@ static DECLARE_TRANSPORT_CLASS(ata_dev_c
+
+ static void ata_tdev_release(struct device *dev)
+ {
+- put_device(dev->parent);
+ }
+
+ /**
+@@ -661,7 +658,7 @@ static int ata_tdev_add(struct ata_devic
+ int error;
+
+ device_initialize(dev);
+- dev->parent = get_device(&link->tdev);
++ dev->parent = &link->tdev;
+ dev->release = ata_tdev_release;
+ if (ata_is_host_link(link))
+ dev_set_name(dev, "dev%d.%d", ap->print_id,ata_dev->devno);
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Shaohua Li <shli@fb.com>
+Date: Thu, 23 Feb 2017 12:26:41 -0800
+Subject: md/raid10: submit bio directly to replacement disk
+
+From: Shaohua Li <shli@fb.com>
+
+
+[ Upstream commit 6d399783e9d4e9bd44931501948059d24ad96ff8 ]
+
+Commit 57c67df(md/raid10: submit IO from originating thread instead of
+md thread) submits bio directly for normal disks but not for replacement
+disks. There is no point we shouldn't do this for replacement disks.
+
+Cc: NeilBrown <neilb@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid10.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -1414,11 +1414,24 @@ retry_write:
+ mbio->bi_private = r10_bio;
+
+ atomic_inc(&r10_bio->remaining);
++
++ cb = blk_check_plugged(raid10_unplug, mddev,
++ sizeof(*plug));
++ if (cb)
++ plug = container_of(cb, struct raid10_plug_cb,
++ cb);
++ else
++ plug = NULL;
+ spin_lock_irqsave(&conf->device_lock, flags);
+- bio_list_add(&conf->pending_bio_list, mbio);
+- conf->pending_count++;
++ if (plug) {
++ bio_list_add(&plug->pending, mbio);
++ plug->pending_cnt++;
++ } else {
++ bio_list_add(&conf->pending_bio_list, mbio);
++ conf->pending_count++;
++ }
+ spin_unlock_irqrestore(&conf->device_lock, flags);
+- if (!mddev_check_plugged(mddev))
++ if (!plug)
+ md_wakeup_thread(mddev->thread);
+ }
+ }
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Paul Burton <paul.burton@imgtec.com>
+Date: Mon, 7 Nov 2016 11:52:19 +0000
+Subject: MIPS: Ensure bss section ends on a long-aligned address
+
+From: Paul Burton <paul.burton@imgtec.com>
+
+
+[ Upstream commit 3f00f4d8f083bc61005d0a1ef592b149f5c88bbd ]
+
+When clearing the .bss section in kernel_entry we do so using LONG_S
+instructions, and branch whilst the current write address doesn't equal
+the end of the .bss section minus the size of a long integer. The .bss
+section always begins at a long-aligned address and we always increment
+the write pointer by the size of a long integer - we therefore rely upon
+the .bss section ending at a long-aligned address. If this is not the
+case then the long-aligned write address can never be equal to the
+non-long-aligned end address & we will continue to increment past the
+end of the .bss section, attempting to zero the rest of memory.
+
+Despite this requirement that .bss end at a long-aligned address we pass
+0 as the end alignment requirement to the BSS_SECTION macro and thus
+don't guarantee any particular alignment, allowing us to hit the error
+condition described above.
+
+Fix this by instead passing 8 bytes as the end alignment argument to
+the BSS_SECTION macro, ensuring that the end of the .bss section is
+always at least long-aligned.
+
+Signed-off-by: Paul Burton <paul.burton@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/14526/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/kernel/vmlinux.lds.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/vmlinux.lds.S
++++ b/arch/mips/kernel/vmlinux.lds.S
+@@ -159,7 +159,7 @@ SECTIONS
+ * Force .bss to 64K alignment so that .bss..swapper_pg_dir
+ * gets that alignment. .sbss should be empty, so there will be
+ * no holes after __init_end. */
+- BSS_SECTION(0, 0x10000, 0)
++ BSS_SECTION(0, 0x10000, 8)
+
+ _end = . ;
+
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Matt Redfearn <matt.redfearn@imgtec.com>
+Date: Tue, 21 Mar 2017 14:52:25 +0000
+Subject: MIPS: IRQ Stack: Unwind IRQ stack onto task stack
+
+From: Matt Redfearn <matt.redfearn@imgtec.com>
+
+
+[ Upstream commit db8466c581cca1a08b505f1319c3ecd246f16fa8 ]
+
+When the separate IRQ stack was introduced, stack unwinding only
+proceeded as far as the top of the IRQ stack, leading to kernel
+backtraces being less useful, lacking the trace of what was interrupted.
+
+Fix this by providing a means for the kernel to unwind the IRQ stack
+onto the interrupted task stack. The processor state is saved to the
+kernel task stack on interrupt. The IRQ_STACK_START macro reserves an
+unsigned long at the top of the IRQ stack where the interrupted task
+stack pointer can be saved. After the active stack is switched to the
+IRQ stack, save the interrupted tasks stack pointer to the reserved
+location.
+
+Fix the stack unwinding code to look for the frame being the top of the
+IRQ stack and if so get the next frame from the saved location. The
+existing test does not work with the separate stack since the ra is no
+longer pointed at ret_from_{irq,exception}.
+
+The test to stop unwinding the stack 32 bytes from the top of a stack
+must be modified to allow unwinding to continue up to the location of
+the saved task stack pointer when on the IRQ stack. The low / high marks
+of the stack are set depending on whether the sp is on an irq stack or
+not.
+
+Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
+Cc: Masanari Iida <standby24x7@gmail.com>
+Cc: Chris Metcalf <cmetcalf@mellanox.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: Paul Burton <paul.burton@imgtec.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jason A. Donenfeld <jason@zx2c4.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/15788/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/include/asm/irq.h | 15 ++++++++++
+ arch/mips/kernel/asm-offsets.c | 1
+ arch/mips/kernel/genex.S | 8 ++++-
+ arch/mips/kernel/process.c | 56 +++++++++++++++++++++++++++--------------
+ 4 files changed, 60 insertions(+), 20 deletions(-)
+
+--- a/arch/mips/include/asm/irq.h
++++ b/arch/mips/include/asm/irq.h
+@@ -18,9 +18,24 @@
+ #include <irq.h>
+
+ #define IRQ_STACK_SIZE THREAD_SIZE
++#define IRQ_STACK_START (IRQ_STACK_SIZE - sizeof(unsigned long))
+
+ extern void *irq_stack[NR_CPUS];
+
++/*
++ * The highest address on the IRQ stack contains a dummy frame put down in
++ * genex.S (handle_int & except_vec_vi_handler) which is structured as follows:
++ *
++ * top ------------
++ * | task sp | <- irq_stack[cpu] + IRQ_STACK_START
++ * ------------
++ * | | <- First frame of IRQ context
++ * ------------
++ *
++ * task sp holds a copy of the task stack pointer where the struct pt_regs
++ * from exception entry can be found.
++ */
++
+ static inline bool on_irq_stack(int cpu, unsigned long sp)
+ {
+ unsigned long low = (unsigned long)irq_stack[cpu];
+--- a/arch/mips/kernel/asm-offsets.c
++++ b/arch/mips/kernel/asm-offsets.c
+@@ -102,6 +102,7 @@ void output_thread_info_defines(void)
+ DEFINE(_THREAD_SIZE, THREAD_SIZE);
+ DEFINE(_THREAD_MASK, THREAD_MASK);
+ DEFINE(_IRQ_STACK_SIZE, IRQ_STACK_SIZE);
++ DEFINE(_IRQ_STACK_START, IRQ_STACK_START);
+ BLANK();
+ }
+
+--- a/arch/mips/kernel/genex.S
++++ b/arch/mips/kernel/genex.S
+@@ -216,9 +216,11 @@ NESTED(handle_int, PT_SIZE, sp)
+ beq t0, t1, 2f
+
+ /* Switch to IRQ stack */
+- li t1, _IRQ_STACK_SIZE
++ li t1, _IRQ_STACK_START
+ PTR_ADD sp, t0, t1
+
++ /* Save task's sp on IRQ stack so that unwinding can follow it */
++ LONG_S s1, 0(sp)
+ 2:
+ jal plat_irq_dispatch
+
+@@ -326,9 +328,11 @@ NESTED(except_vec_vi_handler, 0, sp)
+ beq t0, t1, 2f
+
+ /* Switch to IRQ stack */
+- li t1, _IRQ_STACK_SIZE
++ li t1, _IRQ_STACK_START
+ PTR_ADD sp, t0, t1
+
++ /* Save task's sp on IRQ stack so that unwinding can follow it */
++ LONG_S s1, 0(sp)
+ 2:
+ jalr v0
+
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -483,31 +483,52 @@ unsigned long notrace unwind_stack_by_ad
+ unsigned long pc,
+ unsigned long *ra)
+ {
++ unsigned long low, high, irq_stack_high;
+ struct mips_frame_info info;
+ unsigned long size, ofs;
++ struct pt_regs *regs;
+ int leaf;
+- extern void ret_from_irq(void);
+- extern void ret_from_exception(void);
+
+ if (!stack_page)
+ return 0;
+
+ /*
+- * If we reached the bottom of interrupt context,
+- * return saved pc in pt_regs.
++ * IRQ stacks start at IRQ_STACK_START
++ * task stacks at THREAD_SIZE - 32
+ */
+- if (pc == (unsigned long)ret_from_irq ||
+- pc == (unsigned long)ret_from_exception) {
+- struct pt_regs *regs;
+- if (*sp >= stack_page &&
+- *sp + sizeof(*regs) <= stack_page + THREAD_SIZE - 32) {
+- regs = (struct pt_regs *)*sp;
+- pc = regs->cp0_epc;
+- if (!user_mode(regs) && __kernel_text_address(pc)) {
+- *sp = regs->regs[29];
+- *ra = regs->regs[31];
+- return pc;
+- }
++ low = stack_page;
++ if (!preemptible() && on_irq_stack(raw_smp_processor_id(), *sp)) {
++ high = stack_page + IRQ_STACK_START;
++ irq_stack_high = high;
++ } else {
++ high = stack_page + THREAD_SIZE - 32;
++ irq_stack_high = 0;
++ }
++
++ /*
++ * If we reached the top of the interrupt stack, start unwinding
++ * the interrupted task stack.
++ */
++ if (unlikely(*sp == irq_stack_high)) {
++ unsigned long task_sp = *(unsigned long *)*sp;
++
++ /*
++ * Check that the pointer saved in the IRQ stack head points to
++ * something within the stack of the current task
++ */
++ if (!object_is_on_stack((void *)task_sp))
++ return 0;
++
++ /*
++ * Follow pointer to tasks kernel stack frame where interrupted
++ * state was saved.
++ */
++ regs = (struct pt_regs *)task_sp;
++ pc = regs->cp0_epc;
++ if (!user_mode(regs) && __kernel_text_address(pc)) {
++ *sp = regs->regs[29];
++ *ra = regs->regs[31];
++ return pc;
+ }
+ return 0;
+ }
+@@ -528,8 +549,7 @@ unsigned long notrace unwind_stack_by_ad
+ if (leaf < 0)
+ return 0;
+
+- if (*sp < stack_page ||
+- *sp + info.frame_size > stack_page + THREAD_SIZE - 32)
++ if (*sp < low || *sp + info.frame_size > high)
+ return 0;
+
+ if (leaf)
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 17 Jan 2017 16:18:40 +0100
+Subject: MIPS: Lantiq: Fix another request_mem_region() return code check
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+
+[ Upstream commit 98ea51cb0c8ce009d9da1fd7b48f0ff1d7a9bbb0 ]
+
+Hauke already fixed a couple of them, but one instance remains
+that checks for a negative integer when it should check
+for a NULL pointer:
+
+arch/mips/lantiq/xway/sysctrl.c: In function 'ltq_soc_init':
+arch/mips/lantiq/xway/sysctrl.c:473:19: error: ordered comparison of pointer with integer zero [-Werror=extra]
+
+Fixes: 6e807852676a ("MIPS: Lantiq: Fix check for return value of request_mem_region()")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Cc: John Crispin <john@phrozen.org>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/15043/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/lantiq/xway/sysctrl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/lantiq/xway/sysctrl.c
++++ b/arch/mips/lantiq/xway/sysctrl.c
+@@ -469,8 +469,8 @@ void __init ltq_soc_init(void)
+ panic("Failed to load xbar nodes from devicetree");
+ if (of_address_to_resource(np_xbar, 0, &res_xbar))
+ panic("Failed to get xbar resources");
+- if (request_mem_region(res_xbar.start, resource_size(&res_xbar),
+- res_xbar.name) < 0)
++ if (!request_mem_region(res_xbar.start, resource_size(&res_xbar),
++ res_xbar.name))
+ panic("Failed to get xbar resources");
+
+ ltq_xbar_membase = ioremap_nocache(res_xbar.start,
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 22 Dec 2016 23:52:58 +0000
+Subject: MIPS: ralink: Fix incorrect assignment on ralink_soc
+
+From: Colin Ian King <colin.king@canonical.com>
+
+
+[ Upstream commit 08d90c81b714482dceb5323d14f6617bcf55ee61 ]
+
+ralink_soc sould be assigned to RT3883_SOC, replace incorrect
+comparision with assignment.
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Fixes: 418d29c87061 ("MIPS: ralink: Unify SoC id handling")
+Cc: John Crispin <john@phrozen.org>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/14903/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/ralink/rt3883.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/ralink/rt3883.c
++++ b/arch/mips/ralink/rt3883.c
+@@ -144,5 +144,5 @@ void prom_soc_init(struct ralink_soc_inf
+
+ rt2880_pinmux_data = rt3883_pinmux_data;
+
+- ralink_soc == RT3883_SOC;
++ ralink_soc = RT3883_SOC;
+ }
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Wed, 29 Mar 2017 20:54:37 +0200
+Subject: mmc: sdio: fix alignment issue in struct sdio_func
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+
+[ Upstream commit 5ef1ecf060f28ecef313b5723f1fd39bf5a35f56 ]
+
+Certain 64-bit systems (e.g. Amlogic Meson GX) require buffers to be
+used for DMA to be 8-byte-aligned. struct sdio_func has an embedded
+small DMA buffer not meeting this requirement.
+When testing switching to descriptor chain mode in meson-gx driver
+SDIO is broken therefore. Fix this by allocating the small DMA buffer
+separately as kmalloc ensures that the returned memory area is
+properly aligned for every basic data type.
+
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Tested-by: Helmut Klein <hgkr.klein@gmail.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/sdio_bus.c | 12 +++++++++++-
+ include/linux/mmc/sdio_func.h | 2 +-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/core/sdio_bus.c
++++ b/drivers/mmc/core/sdio_bus.c
+@@ -266,7 +266,7 @@ static void sdio_release_func(struct dev
+ sdio_free_func_cis(func);
+
+ kfree(func->info);
+-
++ kfree(func->tmpbuf);
+ kfree(func);
+ }
+
+@@ -281,6 +281,16 @@ struct sdio_func *sdio_alloc_func(struct
+ if (!func)
+ return ERR_PTR(-ENOMEM);
+
++ /*
++ * allocate buffer separately to make sure it's properly aligned for
++ * DMA usage (incl. 64 bit DMA)
++ */
++ func->tmpbuf = kmalloc(4, GFP_KERNEL);
++ if (!func->tmpbuf) {
++ kfree(func);
++ return ERR_PTR(-ENOMEM);
++ }
++
+ func->card = card;
+
+ device_initialize(&func->dev);
+--- a/include/linux/mmc/sdio_func.h
++++ b/include/linux/mmc/sdio_func.h
+@@ -53,7 +53,7 @@ struct sdio_func {
+ unsigned int state; /* function state */
+ #define SDIO_STATE_PRESENT (1<<0) /* present in sysfs */
+
+- u8 tmpbuf[4]; /* DMA:able scratch buffer */
++ u8 *tmpbuf; /* DMA:able scratch buffer */
+
+ unsigned num_info; /* number of info strings */
+ const char **info; /* info strings */
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Myungho Jung <mhjungk@gmail.com>
+Date: Tue, 25 Apr 2017 11:58:15 -0700
+Subject: net: core: Prevent from dereferencing null pointer when releasing SKB
+
+From: Myungho Jung <mhjungk@gmail.com>
+
+
+[ Upstream commit 9899886d5e8ec5b343b1efe44f185a0e68dc6454 ]
+
+Added NULL check to make __dev_kfree_skb_irq consistent with kfree
+family of functions.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=195289
+
+Signed-off-by: Myungho Jung <mhjungk@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2338,6 +2338,9 @@ void __dev_kfree_skb_irq(struct sk_buff
+ {
+ unsigned long flags;
+
++ if (unlikely(!skb))
++ return;
++
+ if (likely(atomic_read(&skb->users) == 1)) {
+ smp_rmb();
+ atomic_set(&skb->users, 0);
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Alexander Potapenko <glider@google.com>
+Date: Tue, 25 Apr 2017 18:51:46 +0200
+Subject: net/packet: check length in getsockopt() called with PACKET_HDRLEN
+
+From: Alexander Potapenko <glider@google.com>
+
+
+[ Upstream commit fd2c83b35752f0a8236b976978ad4658df14a59f ]
+
+In the case getsockopt() is called with PACKET_HDRLEN and optlen < 4
+|val| remains uninitialized and the syscall may behave differently
+depending on its value, and even copy garbage to userspace on certain
+architectures. To fix this we now return -EINVAL if optlen is too small.
+
+This bug has been detected with KMSAN.
+
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3802,6 +3802,8 @@ static int packet_getsockopt(struct sock
+ case PACKET_HDRLEN:
+ if (len > sizeof(int))
+ len = sizeof(int);
++ if (len < sizeof(int))
++ return -EINVAL;
+ if (copy_from_user(&val, optval, len))
+ return -EFAULT;
+ switch (val) {
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Liping Zhang <zlpnobody@gmail.com>
+Date: Sat, 25 Mar 2017 08:53:12 +0800
+Subject: netfilter: invoke synchronize_rcu after set the _hook_ to NULL
+
+From: Liping Zhang <zlpnobody@gmail.com>
+
+
+[ Upstream commit 3b7dabf029478bb80507a6c4500ca94132a2bc0b ]
+
+Otherwise, another CPU may access the invalid pointer. For example:
+ CPU0 CPU1
+ - rcu_read_lock();
+ - pfunc = _hook_;
+ _hook_ = NULL; -
+ mod unload -
+ - pfunc(); // invalid, panic
+ - rcu_read_unlock();
+
+So we must call synchronize_rcu() to wait the rcu reader to finish.
+
+Also note, in nf_nat_snmp_basic_fini, synchronize_rcu() will be invoked
+by later nf_conntrack_helper_unregister, but I'm inclined to add a
+explicit synchronize_rcu after set the nf_nat_snmp_hook to NULL. Depend
+on such obscure assumptions is not a good idea.
+
+Last, in nfnetlink_cttimeout, we use kfree_rcu to free the time object,
+so in cttimeout_exit, invoking rcu_barrier() is not necessary at all,
+remove it too.
+
+Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/netfilter/nf_nat_snmp_basic.c | 1 +
+ net/netfilter/nf_conntrack_ecache.c | 2 ++
+ net/netfilter/nf_conntrack_netlink.c | 1 +
+ net/netfilter/nf_nat_core.c | 2 ++
+ net/netfilter/nfnetlink_cttimeout.c | 2 +-
+ 5 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
++++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
+@@ -1304,6 +1304,7 @@ static int __init nf_nat_snmp_basic_init
+ static void __exit nf_nat_snmp_basic_fini(void)
+ {
+ RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);
++ synchronize_rcu();
+ nf_conntrack_helper_unregister(&snmp_trap_helper);
+ }
+
+--- a/net/netfilter/nf_conntrack_ecache.c
++++ b/net/netfilter/nf_conntrack_ecache.c
+@@ -200,6 +200,7 @@ void nf_conntrack_unregister_notifier(st
+ BUG_ON(notify != new);
+ RCU_INIT_POINTER(net->ct.nf_conntrack_event_cb, NULL);
+ mutex_unlock(&nf_ct_ecache_mutex);
++ /* synchronize_rcu() is called from ctnetlink_exit. */
+ }
+ EXPORT_SYMBOL_GPL(nf_conntrack_unregister_notifier);
+
+@@ -236,6 +237,7 @@ void nf_ct_expect_unregister_notifier(st
+ BUG_ON(notify != new);
+ RCU_INIT_POINTER(net->ct.nf_expect_event_cb, NULL);
+ mutex_unlock(&nf_ct_ecache_mutex);
++ /* synchronize_rcu() is called from ctnetlink_exit. */
+ }
+ EXPORT_SYMBOL_GPL(nf_ct_expect_unregister_notifier);
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -3415,6 +3415,7 @@ static void __exit ctnetlink_exit(void)
+ #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
+ RCU_INIT_POINTER(nfnl_ct_hook, NULL);
+ #endif
++ synchronize_rcu();
+ }
+
+ module_init(ctnetlink_init);
+--- a/net/netfilter/nf_nat_core.c
++++ b/net/netfilter/nf_nat_core.c
+@@ -892,6 +892,8 @@ static void __exit nf_nat_cleanup(void)
+ #ifdef CONFIG_XFRM
+ RCU_INIT_POINTER(nf_nat_decode_session_hook, NULL);
+ #endif
++ synchronize_rcu();
++
+ for (i = 0; i < NFPROTO_NUMPROTO; i++)
+ kfree(nf_nat_l4protos[i]);
+ synchronize_net();
+--- a/net/netfilter/nfnetlink_cttimeout.c
++++ b/net/netfilter/nfnetlink_cttimeout.c
+@@ -611,8 +611,8 @@ static void __exit cttimeout_exit(void)
+ #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+ RCU_INIT_POINTER(nf_ct_timeout_find_get_hook, NULL);
+ RCU_INIT_POINTER(nf_ct_timeout_put_hook, NULL);
++ synchronize_rcu();
+ #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+- rcu_barrier();
+ }
+
+ module_init(cttimeout_init);
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Liping Zhang <zlpnobody@gmail.com>
+Date: Sun, 19 Mar 2017 22:35:59 +0800
+Subject: netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max
+
+From: Liping Zhang <zlpnobody@gmail.com>
+
+
+[ Upstream commit ae5c682113f9f94cc5e76f92cf041ee624c173ee ]
+
+The helper->expect_class_max must be set to the total number of
+expect_policy minus 1, since we will use the statement "if (class >
+helper->expect_class_max)" to validate the CTA_EXPECT_CLASS attr in
+ctnetlink_alloc_expect.
+
+So for compatibility, set the helper->expect_class_max to the
+NFCTH_POLICY_SET_NUM attr's value minus 1.
+
+Also: it's invalid when the NFCTH_POLICY_SET_NUM attr's value is zero.
+1. this will result "expect_policy = kzalloc(0, GFP_KERNEL);";
+2. we cannot set the helper->expect_class_max to a proper value.
+
+So if nla_get_be32(tb[NFCTH_POLICY_SET_NUM]) is zero, report -EINVAL to
+the userspace.
+
+Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nfnetlink_cthelper.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -161,6 +161,7 @@ nfnl_cthelper_parse_expect_policy(struct
+ int i, ret;
+ struct nf_conntrack_expect_policy *expect_policy;
+ struct nlattr *tb[NFCTH_POLICY_SET_MAX+1];
++ unsigned int class_max;
+
+ ret = nla_parse_nested(tb, NFCTH_POLICY_SET_MAX, attr,
+ nfnl_cthelper_expect_policy_set);
+@@ -170,19 +171,18 @@ nfnl_cthelper_parse_expect_policy(struct
+ if (!tb[NFCTH_POLICY_SET_NUM])
+ return -EINVAL;
+
+- helper->expect_class_max =
+- ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM]));
+-
+- if (helper->expect_class_max != 0 &&
+- helper->expect_class_max > NF_CT_MAX_EXPECT_CLASSES)
++ class_max = ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM]));
++ if (class_max == 0)
++ return -EINVAL;
++ if (class_max > NF_CT_MAX_EXPECT_CLASSES)
+ return -EOVERFLOW;
+
+ expect_policy = kzalloc(sizeof(struct nf_conntrack_expect_policy) *
+- helper->expect_class_max, GFP_KERNEL);
++ class_max, GFP_KERNEL);
+ if (expect_policy == NULL)
+ return -ENOMEM;
+
+- for (i=0; i<helper->expect_class_max; i++) {
++ for (i = 0; i < class_max; i++) {
+ if (!tb[NFCTH_POLICY_SET+i])
+ goto err;
+
+@@ -191,6 +191,8 @@ nfnl_cthelper_parse_expect_policy(struct
+ if (ret < 0)
+ goto err;
+ }
++
++ helper->expect_class_max = class_max - 1;
+ helper->expect_policy = expect_policy;
+ return 0;
+ err:
+@@ -377,10 +379,10 @@ nfnl_cthelper_dump_policy(struct sk_buff
+ goto nla_put_failure;
+
+ if (nla_put_be32(skb, NFCTH_POLICY_SET_NUM,
+- htonl(helper->expect_class_max)))
++ htonl(helper->expect_class_max + 1)))
+ goto nla_put_failure;
+
+- for (i=0; i<helper->expect_class_max; i++) {
++ for (i = 0; i < helper->expect_class_max + 1; i++) {
+ nest_parms2 = nla_nest_start(skb,
+ (NFCTH_POLICY_SET+i) | NLA_F_NESTED);
+ if (nest_parms2 == NULL)
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Tue, 14 Mar 2017 15:24:51 +0530
+Subject: parisc: perf: Fix potential NULL pointer dereference
+
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+
+
+[ Upstream commit 74e3f6e63da6c8e8246fba1689e040bc926b4a1a ]
+
+Fix potential NULL pointer dereference and clean up
+coding style errors (code indent, trailing whitespaces).
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/perf.c | 94 +++++++++++++++++++++++-----------------------
+ 1 file changed, 49 insertions(+), 45 deletions(-)
+
+--- a/arch/parisc/kernel/perf.c
++++ b/arch/parisc/kernel/perf.c
+@@ -39,7 +39,7 @@
+ * the PDC INTRIGUE calls. This is done to eliminate bugs introduced
+ * in various PDC revisions. The code is much more maintainable
+ * and reliable this way vs having to debug on every version of PDC
+- * on every box.
++ * on every box.
+ */
+
+ #include <linux/capability.h>
+@@ -195,8 +195,8 @@ static int perf_config(uint32_t *image_p
+ static int perf_release(struct inode *inode, struct file *file);
+ static int perf_open(struct inode *inode, struct file *file);
+ static ssize_t perf_read(struct file *file, char __user *buf, size_t cnt, loff_t *ppos);
+-static ssize_t perf_write(struct file *file, const char __user *buf, size_t count,
+- loff_t *ppos);
++static ssize_t perf_write(struct file *file, const char __user *buf,
++ size_t count, loff_t *ppos);
+ static long perf_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
+ static void perf_start_counters(void);
+ static int perf_stop_counters(uint32_t *raddr);
+@@ -222,7 +222,7 @@ extern void perf_intrigue_disable_perf_c
+ /*
+ * configure:
+ *
+- * Configure the cpu with a given data image. First turn off the counters,
++ * Configure the cpu with a given data image. First turn off the counters,
+ * then download the image, then turn the counters back on.
+ */
+ static int perf_config(uint32_t *image_ptr)
+@@ -234,7 +234,7 @@ static int perf_config(uint32_t *image_p
+ error = perf_stop_counters(raddr);
+ if (error != 0) {
+ printk("perf_config: perf_stop_counters = %ld\n", error);
+- return -EINVAL;
++ return -EINVAL;
+ }
+
+ printk("Preparing to write image\n");
+@@ -242,7 +242,7 @@ printk("Preparing to write image\n");
+ error = perf_write_image((uint64_t *)image_ptr);
+ if (error != 0) {
+ printk("perf_config: DOWNLOAD = %ld\n", error);
+- return -EINVAL;
++ return -EINVAL;
+ }
+
+ printk("Preparing to start counters\n");
+@@ -254,7 +254,7 @@ printk("Preparing to start counters\n");
+ }
+
+ /*
+- * Open the device and initialize all of its memory. The device is only
++ * Open the device and initialize all of its memory. The device is only
+ * opened once, but can be "queried" by multiple processes that know its
+ * file descriptor.
+ */
+@@ -298,8 +298,8 @@ static ssize_t perf_read(struct file *fi
+ * called on the processor that the download should happen
+ * on.
+ */
+-static ssize_t perf_write(struct file *file, const char __user *buf, size_t count,
+- loff_t *ppos)
++static ssize_t perf_write(struct file *file, const char __user *buf,
++ size_t count, loff_t *ppos)
+ {
+ int err;
+ size_t image_size;
+@@ -307,11 +307,11 @@ static ssize_t perf_write(struct file *f
+ uint32_t interface_type;
+ uint32_t test;
+
+- if (perf_processor_interface == ONYX_INTF)
++ if (perf_processor_interface == ONYX_INTF)
+ image_size = PCXU_IMAGE_SIZE;
+- else if (perf_processor_interface == CUDA_INTF)
++ else if (perf_processor_interface == CUDA_INTF)
+ image_size = PCXW_IMAGE_SIZE;
+- else
++ else
+ return -EFAULT;
+
+ if (!capable(CAP_SYS_ADMIN))
+@@ -331,22 +331,22 @@ static ssize_t perf_write(struct file *f
+
+ /* First check the machine type is correct for
+ the requested image */
+- if (((perf_processor_interface == CUDA_INTF) &&
+- (interface_type != CUDA_INTF)) ||
+- ((perf_processor_interface == ONYX_INTF) &&
+- (interface_type != ONYX_INTF)))
++ if (((perf_processor_interface == CUDA_INTF) &&
++ (interface_type != CUDA_INTF)) ||
++ ((perf_processor_interface == ONYX_INTF) &&
++ (interface_type != ONYX_INTF)))
+ return -EINVAL;
+
+ /* Next check to make sure the requested image
+ is valid */
+- if (((interface_type == CUDA_INTF) &&
++ if (((interface_type == CUDA_INTF) &&
+ (test >= MAX_CUDA_IMAGES)) ||
+- ((interface_type == ONYX_INTF) &&
+- (test >= MAX_ONYX_IMAGES)))
++ ((interface_type == ONYX_INTF) &&
++ (test >= MAX_ONYX_IMAGES)))
+ return -EINVAL;
+
+ /* Copy the image into the processor */
+- if (interface_type == CUDA_INTF)
++ if (interface_type == CUDA_INTF)
+ return perf_config(cuda_images[test]);
+ else
+ return perf_config(onyx_images[test]);
+@@ -360,7 +360,7 @@ static ssize_t perf_write(struct file *f
+ static void perf_patch_images(void)
+ {
+ #if 0 /* FIXME!! */
+-/*
++/*
+ * NOTE: this routine is VERY specific to the current TLB image.
+ * If the image is changed, this routine might also need to be changed.
+ */
+@@ -368,9 +368,9 @@ static void perf_patch_images(void)
+ extern void $i_dtlb_miss_2_0();
+ extern void PA2_0_iva();
+
+- /*
++ /*
+ * We can only use the lower 32-bits, the upper 32-bits should be 0
+- * anyway given this is in the kernel
++ * anyway given this is in the kernel
+ */
+ uint32_t itlb_addr = (uint32_t)&($i_itlb_miss_2_0);
+ uint32_t dtlb_addr = (uint32_t)&($i_dtlb_miss_2_0);
+@@ -378,21 +378,21 @@ static void perf_patch_images(void)
+
+ if (perf_processor_interface == ONYX_INTF) {
+ /* clear last 2 bytes */
+- onyx_images[TLBMISS][15] &= 0xffffff00;
++ onyx_images[TLBMISS][15] &= 0xffffff00;
+ /* set 2 bytes */
+ onyx_images[TLBMISS][15] |= (0x000000ff&((dtlb_addr) >> 24));
+ onyx_images[TLBMISS][16] = (dtlb_addr << 8)&0xffffff00;
+ onyx_images[TLBMISS][17] = itlb_addr;
+
+ /* clear last 2 bytes */
+- onyx_images[TLBHANDMISS][15] &= 0xffffff00;
++ onyx_images[TLBHANDMISS][15] &= 0xffffff00;
+ /* set 2 bytes */
+ onyx_images[TLBHANDMISS][15] |= (0x000000ff&((dtlb_addr) >> 24));
+ onyx_images[TLBHANDMISS][16] = (dtlb_addr << 8)&0xffffff00;
+ onyx_images[TLBHANDMISS][17] = itlb_addr;
+
+ /* clear last 2 bytes */
+- onyx_images[BIG_CPI][15] &= 0xffffff00;
++ onyx_images[BIG_CPI][15] &= 0xffffff00;
+ /* set 2 bytes */
+ onyx_images[BIG_CPI][15] |= (0x000000ff&((dtlb_addr) >> 24));
+ onyx_images[BIG_CPI][16] = (dtlb_addr << 8)&0xffffff00;
+@@ -405,24 +405,24 @@ static void perf_patch_images(void)
+
+ } else if (perf_processor_interface == CUDA_INTF) {
+ /* Cuda interface */
+- cuda_images[TLBMISS][16] =
++ cuda_images[TLBMISS][16] =
+ (cuda_images[TLBMISS][16]&0xffff0000) |
+ ((dtlb_addr >> 8)&0x0000ffff);
+- cuda_images[TLBMISS][17] =
++ cuda_images[TLBMISS][17] =
+ ((dtlb_addr << 24)&0xff000000) | ((itlb_addr >> 16)&0x000000ff);
+ cuda_images[TLBMISS][18] = (itlb_addr << 16)&0xffff0000;
+
+- cuda_images[TLBHANDMISS][16] =
++ cuda_images[TLBHANDMISS][16] =
+ (cuda_images[TLBHANDMISS][16]&0xffff0000) |
+ ((dtlb_addr >> 8)&0x0000ffff);
+- cuda_images[TLBHANDMISS][17] =
++ cuda_images[TLBHANDMISS][17] =
+ ((dtlb_addr << 24)&0xff000000) | ((itlb_addr >> 16)&0x000000ff);
+ cuda_images[TLBHANDMISS][18] = (itlb_addr << 16)&0xffff0000;
+
+- cuda_images[BIG_CPI][16] =
++ cuda_images[BIG_CPI][16] =
+ (cuda_images[BIG_CPI][16]&0xffff0000) |
+ ((dtlb_addr >> 8)&0x0000ffff);
+- cuda_images[BIG_CPI][17] =
++ cuda_images[BIG_CPI][17] =
+ ((dtlb_addr << 24)&0xff000000) | ((itlb_addr >> 16)&0x000000ff);
+ cuda_images[BIG_CPI][18] = (itlb_addr << 16)&0xffff0000;
+ } else {
+@@ -434,7 +434,7 @@ static void perf_patch_images(void)
+
+ /*
+ * ioctl routine
+- * All routines effect the processor that they are executed on. Thus you
++ * All routines effect the processor that they are executed on. Thus you
+ * must be running on the processor that you wish to change.
+ */
+
+@@ -460,7 +460,7 @@ static long perf_ioctl(struct file *file
+ }
+
+ /* copy out the Counters */
+- if (copy_to_user((void __user *)arg, raddr,
++ if (copy_to_user((void __user *)arg, raddr,
+ sizeof (raddr)) != 0) {
+ error = -EFAULT;
+ break;
+@@ -488,7 +488,7 @@ static const struct file_operations perf
+ .open = perf_open,
+ .release = perf_release
+ };
+-
++
+ static struct miscdevice perf_dev = {
+ MISC_DYNAMIC_MINOR,
+ PA_PERF_DEV,
+@@ -596,7 +596,7 @@ static int perf_stop_counters(uint32_t *
+ /* OR sticky2 (bit 1496) to counter2 bit 32 */
+ tmp64 |= (userbuf[23] >> 8) & 0x0000000080000000;
+ raddr[2] = (uint32_t)tmp64;
+-
++
+ /* Counter3 is bits 1497 to 1528 */
+ tmp64 = (userbuf[23] >> 7) & 0x00000000ffffffff;
+ /* OR sticky3 (bit 1529) to counter3 bit 32 */
+@@ -618,7 +618,7 @@ static int perf_stop_counters(uint32_t *
+ userbuf[22] = 0;
+ userbuf[23] = 0;
+
+- /*
++ /*
+ * Write back the zeroed bytes + the image given
+ * the read was destructive.
+ */
+@@ -626,13 +626,13 @@ static int perf_stop_counters(uint32_t *
+ } else {
+
+ /*
+- * Read RDR-15 which contains the counters and sticky bits
++ * Read RDR-15 which contains the counters and sticky bits
+ */
+ if (!perf_rdr_read_ubuf(15, userbuf)) {
+ return -13;
+ }
+
+- /*
++ /*
+ * Clear out the counters
+ */
+ perf_rdr_clear(15);
+@@ -645,7 +645,7 @@ static int perf_stop_counters(uint32_t *
+ raddr[2] = (uint32_t)((userbuf[1] >> 32) & 0x00000000ffffffffUL);
+ raddr[3] = (uint32_t)(userbuf[1] & 0x00000000ffffffffUL);
+ }
+-
++
+ return 0;
+ }
+
+@@ -683,7 +683,7 @@ static int perf_rdr_read_ubuf(uint32_t r
+ i = tentry->num_words;
+ while (i--) {
+ buffer[i] = 0;
+- }
++ }
+
+ /* Check for bits an even number of 64 */
+ if ((xbits = width & 0x03f) != 0) {
+@@ -809,18 +809,22 @@ static int perf_write_image(uint64_t *me
+ }
+
+ runway = ioremap_nocache(cpu_device->hpa.start, 4096);
++ if (!runway) {
++ pr_err("perf_write_image: ioremap failed!\n");
++ return -ENOMEM;
++ }
+
+ /* Merge intrigue bits into Runway STATUS 0 */
+ tmp64 = __raw_readq(runway + RUNWAY_STATUS) & 0xffecfffffffffffful;
+- __raw_writeq(tmp64 | (*memaddr++ & 0x0013000000000000ul),
++ __raw_writeq(tmp64 | (*memaddr++ & 0x0013000000000000ul),
+ runway + RUNWAY_STATUS);
+-
++
+ /* Write RUNWAY DEBUG registers */
+ for (i = 0; i < 8; i++) {
+ __raw_writeq(*memaddr++, runway + RUNWAY_DEBUG);
+ }
+
+- return 0;
++ return 0;
+ }
+
+ /*
+@@ -844,7 +848,7 @@ printk("perf_rdr_write\n");
+ perf_rdr_shift_out_U(rdr_num, buffer[i]);
+ } else {
+ perf_rdr_shift_out_W(rdr_num, buffer[i]);
+- }
++ }
+ }
+ printk("perf_rdr_write done\n");
+ }
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Alden Tondettar <alden.tondettar@gmail.com>
+Date: Sun, 15 Jan 2017 15:31:56 -0700
+Subject: partitions/efi: Fix integer overflow in GPT size calculation
+
+From: Alden Tondettar <alden.tondettar@gmail.com>
+
+
+[ Upstream commit c5082b70adfe8e1ea1cf4a8eff92c9f260e364d2 ]
+
+If a GUID Partition Table claims to have more than 2**25 entries, the
+calculation of the partition table size in alloc_read_gpt_entries() will
+overflow a 32-bit integer and not enough space will be allocated for the
+table.
+
+Nothing seems to get written out of bounds, but later efi_partition() will
+read up to 32768 bytes from a 128 byte buffer, possibly OOPSing or exposing
+information to /proc/partitions and uevents.
+
+The problem exists on both 64-bit and 32-bit platforms.
+
+Fix the overflow and also print a meaningful debug message if the table
+size is too large.
+
+Signed-off-by: Alden Tondettar <alden.tondettar@gmail.com>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/partitions/efi.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/block/partitions/efi.c
++++ b/block/partitions/efi.c
+@@ -293,7 +293,7 @@ static gpt_entry *alloc_read_gpt_entries
+ if (!gpt)
+ return NULL;
+
+- count = le32_to_cpu(gpt->num_partition_entries) *
++ count = (size_t)le32_to_cpu(gpt->num_partition_entries) *
+ le32_to_cpu(gpt->sizeof_partition_entry);
+ if (!count)
+ return NULL;
+@@ -352,7 +352,7 @@ static int is_gpt_valid(struct parsed_pa
+ gpt_header **gpt, gpt_entry **ptes)
+ {
+ u32 crc, origcrc;
+- u64 lastlba;
++ u64 lastlba, pt_size;
+
+ if (!ptes)
+ return 0;
+@@ -434,13 +434,20 @@ static int is_gpt_valid(struct parsed_pa
+ goto fail;
+ }
+
++ /* Sanity check partition table size */
++ pt_size = (u64)le32_to_cpu((*gpt)->num_partition_entries) *
++ le32_to_cpu((*gpt)->sizeof_partition_entry);
++ if (pt_size > KMALLOC_MAX_SIZE) {
++ pr_debug("GUID Partition Table is too large: %llu > %lu bytes\n",
++ (unsigned long long)pt_size, KMALLOC_MAX_SIZE);
++ goto fail;
++ }
++
+ if (!(*ptes = alloc_read_gpt_entries(state, *gpt)))
+ goto fail;
+
+ /* Check the GUID Partition Entry Array CRC */
+- crc = efi_crc32((const unsigned char *) (*ptes),
+- le32_to_cpu((*gpt)->num_partition_entries) *
+- le32_to_cpu((*gpt)->sizeof_partition_entry));
++ crc = efi_crc32((const unsigned char *) (*ptes), pt_size);
+
+ if (crc != le32_to_cpu((*gpt)->partition_entry_array_crc32)) {
+ pr_debug("GUID Partitition Entry Array CRC check failed.\n");
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Markus Elfring <elfring@users.sourceforge.net>
+Date: Thu, 12 Jan 2017 16:51:00 +0100
+Subject: pinctrl: mvebu: Use seq_puts() in mvebu_pinconf_group_dbg_show()
+
+From: Markus Elfring <elfring@users.sourceforge.net>
+
+
+[ Upstream commit 420dc61642920849d824a0de2aa853db59f5244f ]
+
+Strings which did not contain data format specifications should be put
+into a sequence. Thus use the corresponding function "seq_puts".
+
+This issue was detected by using the Coccinelle software.
+
+Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/mvebu/pinctrl-mvebu.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/pinctrl/mvebu/pinctrl-mvebu.c
++++ b/drivers/pinctrl/mvebu/pinctrl-mvebu.c
+@@ -195,11 +195,12 @@ static void mvebu_pinconf_group_dbg_show
+ seq_printf(s, "o");
+ seq_printf(s, ")");
+ }
+- } else
+- seq_printf(s, "current: UNKNOWN");
++ } else {
++ seq_puts(s, "current: UNKNOWN");
++ }
+
+ if (grp->num_settings > 1) {
+- seq_printf(s, ", available = [");
++ seq_puts(s, ", available = [");
+ for (n = 0; n < grp->num_settings; n++) {
+ if (curr == &grp->settings[n])
+ continue;
+@@ -222,7 +223,7 @@ static void mvebu_pinconf_group_dbg_show
+ seq_printf(s, ")");
+ }
+ }
+- seq_printf(s, " ]");
++ seq_puts(s, " ]");
+ }
+ return;
+ }
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Zhu Yanjun <yanjun.zhu@oracle.com>
+Date: Tue, 7 Mar 2017 02:48:36 -0500
+Subject: rds: ib: add error handle
+
+From: Zhu Yanjun <yanjun.zhu@oracle.com>
+
+
+[ Upstream commit 3b12f73a5c2977153f28a224392fd4729b50d1dc ]
+
+In the function rds_ib_setup_qp, the error handle is missing. When some
+error occurs, it is possible that memory leak occurs. As such, error
+handle is added.
+
+Cc: Joe Jin <joe.jin@oracle.com>
+Reviewed-by: Junxiao Bi <junxiao.bi@oracle.com>
+Reviewed-by: Guanglei Li <guanglei.li@oracle.com>
+Signed-off-by: Zhu Yanjun <yanjun.zhu@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/ib_cm.c | 47 ++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 36 insertions(+), 11 deletions(-)
+
+--- a/net/rds/ib_cm.c
++++ b/net/rds/ib_cm.c
+@@ -381,7 +381,7 @@ static int rds_ib_setup_qp(struct rds_co
+ ret = PTR_ERR(ic->i_send_cq);
+ ic->i_send_cq = NULL;
+ rdsdebug("ib_create_cq send failed: %d\n", ret);
+- goto out;
++ goto rds_ibdev_out;
+ }
+
+ cq_attr.cqe = ic->i_recv_ring.w_nr;
+@@ -392,19 +392,19 @@ static int rds_ib_setup_qp(struct rds_co
+ ret = PTR_ERR(ic->i_recv_cq);
+ ic->i_recv_cq = NULL;
+ rdsdebug("ib_create_cq recv failed: %d\n", ret);
+- goto out;
++ goto send_cq_out;
+ }
+
+ ret = ib_req_notify_cq(ic->i_send_cq, IB_CQ_NEXT_COMP);
+ if (ret) {
+ rdsdebug("ib_req_notify_cq send failed: %d\n", ret);
+- goto out;
++ goto recv_cq_out;
+ }
+
+ ret = ib_req_notify_cq(ic->i_recv_cq, IB_CQ_SOLICITED);
+ if (ret) {
+ rdsdebug("ib_req_notify_cq recv failed: %d\n", ret);
+- goto out;
++ goto recv_cq_out;
+ }
+
+ /* XXX negotiate max send/recv with remote? */
+@@ -428,7 +428,7 @@ static int rds_ib_setup_qp(struct rds_co
+ ret = rdma_create_qp(ic->i_cm_id, ic->i_pd, &attr);
+ if (ret) {
+ rdsdebug("rdma_create_qp failed: %d\n", ret);
+- goto out;
++ goto recv_cq_out;
+ }
+
+ ic->i_send_hdrs = ib_dma_alloc_coherent(dev,
+@@ -438,7 +438,7 @@ static int rds_ib_setup_qp(struct rds_co
+ if (!ic->i_send_hdrs) {
+ ret = -ENOMEM;
+ rdsdebug("ib_dma_alloc_coherent send failed\n");
+- goto out;
++ goto qp_out;
+ }
+
+ ic->i_recv_hdrs = ib_dma_alloc_coherent(dev,
+@@ -448,7 +448,7 @@ static int rds_ib_setup_qp(struct rds_co
+ if (!ic->i_recv_hdrs) {
+ ret = -ENOMEM;
+ rdsdebug("ib_dma_alloc_coherent recv failed\n");
+- goto out;
++ goto send_hdrs_dma_out;
+ }
+
+ ic->i_ack = ib_dma_alloc_coherent(dev, sizeof(struct rds_header),
+@@ -456,7 +456,7 @@ static int rds_ib_setup_qp(struct rds_co
+ if (!ic->i_ack) {
+ ret = -ENOMEM;
+ rdsdebug("ib_dma_alloc_coherent ack failed\n");
+- goto out;
++ goto recv_hdrs_dma_out;
+ }
+
+ ic->i_sends = vzalloc_node(ic->i_send_ring.w_nr * sizeof(struct rds_ib_send_work),
+@@ -464,7 +464,7 @@ static int rds_ib_setup_qp(struct rds_co
+ if (!ic->i_sends) {
+ ret = -ENOMEM;
+ rdsdebug("send allocation failed\n");
+- goto out;
++ goto ack_dma_out;
+ }
+
+ ic->i_recvs = vzalloc_node(ic->i_recv_ring.w_nr * sizeof(struct rds_ib_recv_work),
+@@ -472,7 +472,7 @@ static int rds_ib_setup_qp(struct rds_co
+ if (!ic->i_recvs) {
+ ret = -ENOMEM;
+ rdsdebug("recv allocation failed\n");
+- goto out;
++ goto sends_out;
+ }
+
+ rds_ib_recv_init_ack(ic);
+@@ -480,8 +480,33 @@ static int rds_ib_setup_qp(struct rds_co
+ rdsdebug("conn %p pd %p cq %p %p\n", conn, ic->i_pd,
+ ic->i_send_cq, ic->i_recv_cq);
+
+-out:
++ return ret;
++
++sends_out:
++ vfree(ic->i_sends);
++ack_dma_out:
++ ib_dma_free_coherent(dev, sizeof(struct rds_header),
++ ic->i_ack, ic->i_ack_dma);
++recv_hdrs_dma_out:
++ ib_dma_free_coherent(dev, ic->i_recv_ring.w_nr *
++ sizeof(struct rds_header),
++ ic->i_recv_hdrs, ic->i_recv_hdrs_dma);
++send_hdrs_dma_out:
++ ib_dma_free_coherent(dev, ic->i_send_ring.w_nr *
++ sizeof(struct rds_header),
++ ic->i_send_hdrs, ic->i_send_hdrs_dma);
++qp_out:
++ rdma_destroy_qp(ic->i_cm_id);
++recv_cq_out:
++ if (!ib_destroy_cq(ic->i_recv_cq))
++ ic->i_recv_cq = NULL;
++send_cq_out:
++ if (!ib_destroy_cq(ic->i_send_cq))
++ ic->i_send_cq = NULL;
++rds_ibdev_out:
++ rds_ib_remove_conn(rds_ibdev, conn);
+ rds_ib_dev_put(rds_ibdev);
++
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Date: Thu, 18 Feb 2016 20:06:47 -0800
+Subject: RDS: RDMA: Fix the composite message user notification
+
+From: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+
+
+[ Upstream commit 941f8d55f6d613a460a5e080d25a38509f45eb75 ]
+
+When application sends an RDS RDMA composite message consist of
+RDMA transfer to be followed up by non RDMA payload, it expect to
+be notified *only* when the full message gets delivered. RDS RDMA
+notification doesn't behave this way though.
+
+Thanks to Venkat for debug and root casuing the issue
+where only first part of the message(RDMA) was
+successfully delivered but remainder payload delivery failed.
+In that case, application should not be notified with
+a false positive of message delivery success.
+
+Fix this case by making sure the user gets notified only after
+the full message delivery.
+
+Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/ib_send.c | 25 +++++++++++++++----------
+ net/rds/rdma.c | 10 ++++++++++
+ net/rds/rds.h | 1 +
+ net/rds/send.c | 4 +++-
+ 4 files changed, 29 insertions(+), 11 deletions(-)
+
+--- a/net/rds/ib_send.c
++++ b/net/rds/ib_send.c
+@@ -68,16 +68,6 @@ static void rds_ib_send_complete(struct
+ complete(rm, notify_status);
+ }
+
+-static void rds_ib_send_unmap_data(struct rds_ib_connection *ic,
+- struct rm_data_op *op,
+- int wc_status)
+-{
+- if (op->op_nents)
+- ib_dma_unmap_sg(ic->i_cm_id->device,
+- op->op_sg, op->op_nents,
+- DMA_TO_DEVICE);
+-}
+-
+ static void rds_ib_send_unmap_rdma(struct rds_ib_connection *ic,
+ struct rm_rdma_op *op,
+ int wc_status)
+@@ -138,6 +128,21 @@ static void rds_ib_send_unmap_atomic(str
+ rds_ib_stats_inc(s_ib_atomic_fadd);
+ }
+
++static void rds_ib_send_unmap_data(struct rds_ib_connection *ic,
++ struct rm_data_op *op,
++ int wc_status)
++{
++ struct rds_message *rm = container_of(op, struct rds_message, data);
++
++ if (op->op_nents)
++ ib_dma_unmap_sg(ic->i_cm_id->device,
++ op->op_sg, op->op_nents,
++ DMA_TO_DEVICE);
++
++ if (rm->rdma.op_active && rm->data.op_notify)
++ rds_ib_send_unmap_rdma(ic, &rm->rdma, wc_status);
++}
++
+ /*
+ * Unmap the resources associated with a struct send_work.
+ *
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -626,6 +626,16 @@ int rds_cmsg_rdma_args(struct rds_sock *
+ }
+ op->op_notifier->n_user_token = args->user_token;
+ op->op_notifier->n_status = RDS_RDMA_SUCCESS;
++
++ /* Enable rmda notification on data operation for composite
++ * rds messages and make sure notification is enabled only
++ * for the data operation which follows it so that application
++ * gets notified only after full message gets delivered.
++ */
++ if (rm->data.op_sg) {
++ rm->rdma.op_notify = 0;
++ rm->data.op_notify = !!(args->flags & RDS_RDMA_NOTIFY_ME);
++ }
+ }
+
+ /* The cookie contains the R_Key of the remote memory region, and
+--- a/net/rds/rds.h
++++ b/net/rds/rds.h
+@@ -378,6 +378,7 @@ struct rds_message {
+ } rdma;
+ struct rm_data_op {
+ unsigned int op_active:1;
++ unsigned int op_notify:1;
+ unsigned int op_nents;
+ unsigned int op_count;
+ unsigned int op_dmasg;
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -467,12 +467,14 @@ void rds_rdma_send_complete(struct rds_m
+ struct rm_rdma_op *ro;
+ struct rds_notifier *notifier;
+ unsigned long flags;
++ unsigned int notify = 0;
+
+ spin_lock_irqsave(&rm->m_rs_lock, flags);
+
++ notify = rm->rdma.op_notify | rm->data.op_notify;
+ ro = &rm->rdma;
+ if (test_bit(RDS_MSG_ON_SOCK, &rm->m_flags) &&
+- ro->op_active && ro->op_notify && ro->op_notifier) {
++ ro->op_active && notify && ro->op_notifier) {
+ notifier = ro->op_notifier;
+ rs = rm->m_rs;
+ sock_hold(rds_rs_to_sk(rs));
--- /dev/null
+drm_fourcc-fix-drm_format_mod_linear-define.patch
+drm-bridge-add-dt-bindings-for-ti-ths8135.patch
+gfs2-fix-reference-to-err_ptr-in-gfs2_glock_iter_next.patch
+rds-rdma-fix-the-composite-message-user-notification.patch
+arm-dts-r8a7790-use-r-car-gen-2-fallback-binding-for-msiof-nodes.patch
+mips-ensure-bss-section-ends-on-a-long-aligned-address.patch
+mips-ralink-fix-incorrect-assignment-on-ralink_soc.patch
+igb-re-assign-hw-address-pointer-on-reset-after-pci-error.patch
+extcon-axp288-use-vbus-valid-instead-of-present-to-determine-cable-presence.patch
+sh_eth-use-correct-name-for-ecmr_mpde-bit.patch
+hwmon-gl520sm-fix-overflows-and-crash-seen-when-writing-into-limit-attributes.patch
+iio-adc-axp288-drop-bogus-axp288_adc_ts_pin_ctrl-register-modifications.patch
+iio-adc-hx711-add-dt-binding-for-avia-hx711.patch
+arm-8635-1-nommu-allow-enabling-remap_vectors_to_ram.patch
+tty-goldfish-fix-a-parameter-of-a-call-to-free_irq.patch
+ib-ipoib-fix-deadlock-over-vlan_mutex.patch
+ib-ipoib-rtnl_unlock-can-not-come-after-free_netdev.patch
+ib-ipoib-replace-list_del-of-the-neigh-list-with-list_del_init.patch
+drm-amdkfd-fix-improper-return-value-on-error.patch
+usb-serial-mos7720-fix-control-message-error-handling.patch
+usb-serial-mos7840-fix-control-message-error-handling.patch
+pinctrl-mvebu-use-seq_puts-in-mvebu_pinconf_group_dbg_show.patch
+partitions-efi-fix-integer-overflow-in-gpt-size-calculation.patch
+asoc-dapm-handle-probe-deferrals.patch
+audit-log-32-bit-socketcalls.patch
+usb-chipidea-vbus-event-may-exist-before-starting-gadget.patch
+asoc-dapm-fix-some-pointer-error-handling.patch
+mips-lantiq-fix-another-request_mem_region-return-code-check.patch
+net-core-prevent-from-dereferencing-null-pointer-when-releasing-skb.patch
+net-packet-check-length-in-getsockopt-called-with-packet_hdrlen.patch
+team-fix-memory-leaks.patch
+usb-plusb-add-support-for-pl-27a1.patch
+mmc-sdio-fix-alignment-issue-in-struct-sdio_func.patch
+bridge-netlink-register-netdevice-before-executing-changelink.patch
+netfilter-invoke-synchronize_rcu-after-set-the-_hook_-to-null.patch
+mips-irq-stack-unwind-irq-stack-onto-task-stack.patch
+exynos-gsc-do-not-swap-cb-cr-for-semi-planar-formats.patch
+netfilter-nfnl_cthelper-fix-incorrect-helper-expect_class_max.patch
+parisc-perf-fix-potential-null-pointer-dereference.patch
+iommu-io-pgtable-arm-check-for-leaf-entry-before-dereferencing-it.patch
+rds-ib-add-error-handle.patch
+md-raid10-submit-bio-directly-to-replacement-disk.patch
+i2c-meson-fix-wrong-variable-usage-in-meson_i2c_put_data.patch
+xfs-remove-kmem_zalloc_greedy.patch
+libata-transport-remove-circular-dependency-at-free-time.patch
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Date: Mon, 9 Jan 2017 16:34:04 +0100
+Subject: sh_eth: use correct name for ECMR_MPDE bit
+
+From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+
+
+[ Upstream commit 6dcf45e514974a1ff10755015b5e06746a033e5f ]
+
+This bit was wrongly named due to a typo, Sergei checked the SH7734/63
+manuals and this bit should be named MPDE.
+
+Suggested-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/renesas/sh_eth.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.h
++++ b/drivers/net/ethernet/renesas/sh_eth.h
+@@ -339,7 +339,7 @@ enum FELIC_MODE_BIT {
+ ECMR_DPAD = 0x00200000, ECMR_RZPF = 0x00100000,
+ ECMR_ZPF = 0x00080000, ECMR_PFR = 0x00040000, ECMR_RXF = 0x00020000,
+ ECMR_TXF = 0x00010000, ECMR_MCT = 0x00002000, ECMR_PRCEF = 0x00001000,
+- ECMR_PMDE = 0x00000200, ECMR_RE = 0x00000040, ECMR_TE = 0x00000020,
++ ECMR_MPDE = 0x00000200, ECMR_RE = 0x00000040, ECMR_TE = 0x00000020,
+ ECMR_RTM = 0x00000010, ECMR_ILB = 0x00000008, ECMR_ELB = 0x00000004,
+ ECMR_DM = 0x00000002, ECMR_PRM = 0x00000001,
+ };
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Pan Bian <bianpan2016@163.com>
+Date: Mon, 24 Apr 2017 18:29:16 +0800
+Subject: team: fix memory leaks
+
+From: Pan Bian <bianpan2016@163.com>
+
+
+[ Upstream commit 72ec0bc64b9a5d8e0efcb717abfc757746b101b7 ]
+
+In functions team_nl_send_port_list_get() and
+team_nl_send_options_get(), pointer skb keeps the return value of
+nlmsg_new(). When the call to genlmsg_put() fails, the memory is not
+freed(). This will result in memory leak bugs.
+
+Fixes: 9b00cf2d1024 ("team: implement multipart netlink messages for options transfers")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2343,8 +2343,10 @@ start_again:
+
+ hdr = genlmsg_put(skb, portid, seq, &team_nl_family, flags | NLM_F_MULTI,
+ TEAM_CMD_OPTIONS_GET);
+- if (!hdr)
++ if (!hdr) {
++ nlmsg_free(skb);
+ return -EMSGSIZE;
++ }
+
+ if (nla_put_u32(skb, TEAM_ATTR_TEAM_IFINDEX, team->dev->ifindex))
+ goto nla_put_failure;
+@@ -2611,8 +2613,10 @@ start_again:
+
+ hdr = genlmsg_put(skb, portid, seq, &team_nl_family, flags | NLM_F_MULTI,
+ TEAM_CMD_PORT_LIST_GET);
+- if (!hdr)
++ if (!hdr) {
++ nlmsg_free(skb);
+ return -EMSGSIZE;
++ }
+
+ if (nla_put_u32(skb, TEAM_ATTR_TEAM_IFINDEX, team->dev->ifindex))
+ goto nla_put_failure;
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Mon, 9 Jan 2017 01:26:37 +0100
+Subject: tty: goldfish: Fix a parameter of a call to free_irq
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 1a5c2d1de7d35f5eb9793266237903348989502b ]
+
+'request_irq()' and 'free_irq()' should be called with the same dev_id.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/goldfish.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/goldfish.c
++++ b/drivers/tty/goldfish.c
+@@ -293,7 +293,7 @@ static int goldfish_tty_probe(struct pla
+ return 0;
+
+ err_tty_register_device_failed:
+- free_irq(irq, pdev);
++ free_irq(irq, qtty);
+ err_request_irq_failed:
+ goldfish_tty_current_line_count--;
+ if (goldfish_tty_current_line_count == 0)
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Peter Chen <peter.chen@nxp.com>
+Date: Wed, 19 Oct 2016 15:32:58 +0800
+Subject: usb: chipidea: vbus event may exist before starting gadget
+
+From: Peter Chen <peter.chen@nxp.com>
+
+
+[ Upstream commit c3b674a04b8ab62a1d35e86714d466af0a0ecc18 ]
+
+At some situations, the vbus may already be there before starting
+gadget. So we need to check vbus event after switching to gadget in
+order to handle missing vbus event. The typical use cases are plugging
+vbus cable before driver load or the vbus has already been there
+after stopping host but before starting gadget.
+
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Tested-by: Stephen Boyd <stephen.boyd@linaro.org>
+Reported-by: Stephen Boyd <stephen.boyd@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/chipidea/otg.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/chipidea/otg.c
++++ b/drivers/usb/chipidea/otg.c
+@@ -134,9 +134,9 @@ void ci_handle_vbus_change(struct ci_hdr
+ if (!ci->is_otg)
+ return;
+
+- if (hw_read_otgsc(ci, OTGSC_BSV))
++ if (hw_read_otgsc(ci, OTGSC_BSV) && !ci->vbus_active)
+ usb_gadget_vbus_connect(&ci->gadget);
+- else
++ else if (!hw_read_otgsc(ci, OTGSC_BSV) && ci->vbus_active)
+ usb_gadget_vbus_disconnect(&ci->gadget);
+ }
+
+@@ -175,14 +175,21 @@ static void ci_handle_id_switch(struct c
+
+ ci_role_stop(ci);
+
+- if (role == CI_ROLE_GADGET)
++ if (role == CI_ROLE_GADGET &&
++ IS_ERR(ci->platdata->vbus_extcon.edev))
+ /*
+- * wait vbus lower than OTGSC_BSV before connecting
+- * to host
++ * Wait vbus lower than OTGSC_BSV before connecting
++ * to host. If connecting status is from an external
++ * connector instead of register, we don't need to
++ * care vbus on the board, since it will not affect
++ * external connector status.
+ */
+ hw_wait_vbus_lower_bsv(ci);
+
+ ci_role_start(ci, role);
++ /* vbus change may have already occurred */
++ if (role == CI_ROLE_GADGET)
++ ci_handle_vbus_change(ci);
+ }
+ }
+ /**
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Roman Spychała <roed@onet.eu>
+Date: Thu, 20 Apr 2017 12:04:10 +0200
+Subject: usb: plusb: Add support for PL-27A1
+
+From: Roman Spychała <roed@onet.eu>
+
+
+[ Upstream commit 6f2aee0c0de65013333bbc26fe50c9c7b09a37f7 ]
+
+This patch adds support for the PL-27A1 by adding the appropriate
+USB ID's. This chip is used in the goobay Active USB 3.0 Data Link
+and Unitek Y-3501 cables.
+
+Signed-off-by: Roman Spychała <roed@onet.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/Kconfig | 2 +-
+ drivers/net/usb/plusb.c | 15 +++++++++++++--
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/usb/Kconfig
++++ b/drivers/net/usb/Kconfig
+@@ -364,7 +364,7 @@ config USB_NET_NET1080
+ optionally with LEDs that indicate traffic
+
+ config USB_NET_PLUSB
+- tristate "Prolific PL-2301/2302/25A1 based cables"
++ tristate "Prolific PL-2301/2302/25A1/27A1 based cables"
+ # if the handshake/init/reset problems, from original 'plusb',
+ # are ever resolved ... then remove "experimental"
+ depends on USB_USBNET
+--- a/drivers/net/usb/plusb.c
++++ b/drivers/net/usb/plusb.c
+@@ -102,7 +102,7 @@ static int pl_reset(struct usbnet *dev)
+ }
+
+ static const struct driver_info prolific_info = {
+- .description = "Prolific PL-2301/PL-2302/PL-25A1",
++ .description = "Prolific PL-2301/PL-2302/PL-25A1/PL-27A1",
+ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT,
+ /* some PL-2302 versions seem to fail usb_set_interface() */
+ .reset = pl_reset,
+@@ -139,6 +139,17 @@ static const struct usb_device_id produc
+ * Host-to-Host Cable
+ */
+ .driver_info = (unsigned long) &prolific_info,
++
++},
++
++/* super speed cables */
++{
++ USB_DEVICE(0x067b, 0x27a1), /* PL-27A1, no eeprom
++ * also: goobay Active USB 3.0
++ * Data Link,
++ * Unitek Y-3501
++ */
++ .driver_info = (unsigned long) &prolific_info,
+ },
+
+ { }, // END
+@@ -158,5 +169,5 @@ static struct usb_driver plusb_driver =
+ module_usb_driver(plusb_driver);
+
+ MODULE_AUTHOR("David Brownell");
+-MODULE_DESCRIPTION("Prolific PL-2301/2302/25A1 USB Host to Host Link Driver");
++MODULE_DESCRIPTION("Prolific PL-2301/2302/25A1/27A1 USB Host to Host Link Driver");
+ MODULE_LICENSE("GPL");
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:17 +0100
+Subject: USB: serial: mos7720: fix control-message error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+
+[ Upstream commit 0d130367abf582e7cbf60075c2a7ab53817b1d14 ]
+
+Make sure to log an error on short transfers when reading a device
+register.
+
+Also clear the provided buffer (which if often an uninitialised
+automatic variable) on errors as the driver currently does not bother to
+check for errors.
+
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/mos7720.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/mos7720.c
++++ b/drivers/usb/serial/mos7720.c
+@@ -234,11 +234,16 @@ static int read_mos_reg(struct usb_seria
+
+ status = usb_control_msg(usbdev, pipe, request, requesttype, value,
+ index, buf, 1, MOS_WDR_TIMEOUT);
+- if (status == 1)
++ if (status == 1) {
+ *data = *buf;
+- else if (status < 0)
++ } else {
+ dev_err(&usbdev->dev,
+ "mos7720: usb_control_msg() failed: %d\n", status);
++ if (status >= 0)
++ status = -EIO;
++ *data = 0;
++ }
++
+ kfree(buf);
+
+ return status;
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Jan 2017 14:56:18 +0100
+Subject: USB: serial: mos7840: fix control-message error handling
+
+From: Johan Hovold <johan@kernel.org>
+
+
+[ Upstream commit cd8db057e93ddaacbec025b567490555d2bca280 ]
+
+Make sure to detect short transfers when reading a device register.
+
+The modem-status handling had sufficient error checks in place, but move
+handling of short transfers into the register accessor function itself
+for consistency.
+
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/mos7840.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -285,9 +285,15 @@ static int mos7840_get_reg_sync(struct u
+ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), MCS_RDREQ,
+ MCS_RD_RTYPE, 0, reg, buf, VENDOR_READ_LENGTH,
+ MOS_WDR_TIMEOUT);
++ if (ret < VENDOR_READ_LENGTH) {
++ if (ret >= 0)
++ ret = -EIO;
++ goto out;
++ }
++
+ *val = buf[0];
+ dev_dbg(&port->dev, "%s offset is %x, return val %x\n", __func__, reg, *val);
+-
++out:
+ kfree(buf);
+ return ret;
+ }
+@@ -353,8 +359,13 @@ static int mos7840_get_uart_reg(struct u
+ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), MCS_RDREQ,
+ MCS_RD_RTYPE, Wval, reg, buf, VENDOR_READ_LENGTH,
+ MOS_WDR_TIMEOUT);
++ if (ret < VENDOR_READ_LENGTH) {
++ if (ret >= 0)
++ ret = -EIO;
++ goto out;
++ }
+ *val = buf[0];
+-
++out:
+ kfree(buf);
+ return ret;
+ }
+@@ -1490,10 +1501,10 @@ static int mos7840_tiocmget(struct tty_s
+ return -ENODEV;
+
+ status = mos7840_get_uart_reg(port, MODEM_STATUS_REGISTER, &msr);
+- if (status != 1)
++ if (status < 0)
+ return -EIO;
+ status = mos7840_get_uart_reg(port, MODEM_CONTROL_REGISTER, &mcr);
+- if (status != 1)
++ if (status < 0)
+ return -EIO;
+ result = ((mcr & MCR_DTR) ? TIOCM_DTR : 0)
+ | ((mcr & MCR_RTS) ? TIOCM_RTS : 0)
--- /dev/null
+From foo@baz Thu Oct 5 10:49:14 CEST 2017
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Mon, 6 Mar 2017 11:58:20 -0800
+Subject: xfs: remove kmem_zalloc_greedy
+
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+
+
+[ Upstream commit 08b005f1333154ae5b404ca28766e0ffb9f1c150 ]
+
+The sole remaining caller of kmem_zalloc_greedy is bulkstat, which uses
+it to grab 1-4 pages for staging of inobt records. The infinite loop in
+the greedy allocation function is causing hangs[1] in generic/269, so
+just get rid of the greedy allocator in favor of kmem_zalloc_large.
+This makes bulkstat somewhat more likely to ENOMEM if there's really no
+pages to spare, but eliminates a source of hangs.
+
+[1] http://lkml.kernel.org/r/20170301044634.rgidgdqqiiwsmfpj%40XZHOUW.usersys.redhat.com
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+v2: remove single-page fallback
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/kmem.c | 18 ------------------
+ fs/xfs/kmem.h | 2 --
+ fs/xfs/xfs_itable.c | 6 ++----
+ 3 files changed, 2 insertions(+), 24 deletions(-)
+
+--- a/fs/xfs/kmem.c
++++ b/fs/xfs/kmem.c
+@@ -24,24 +24,6 @@
+ #include "kmem.h"
+ #include "xfs_message.h"
+
+-/*
+- * Greedy allocation. May fail and may return vmalloced memory.
+- */
+-void *
+-kmem_zalloc_greedy(size_t *size, size_t minsize, size_t maxsize)
+-{
+- void *ptr;
+- size_t kmsize = maxsize;
+-
+- while (!(ptr = vzalloc(kmsize))) {
+- if ((kmsize >>= 1) <= minsize)
+- kmsize = minsize;
+- }
+- if (ptr)
+- *size = kmsize;
+- return ptr;
+-}
+-
+ void *
+ kmem_alloc(size_t size, xfs_km_flags_t flags)
+ {
+--- a/fs/xfs/kmem.h
++++ b/fs/xfs/kmem.h
+@@ -69,8 +69,6 @@ static inline void kmem_free(const void
+ }
+
+
+-extern void *kmem_zalloc_greedy(size_t *, size_t, size_t);
+-
+ static inline void *
+ kmem_zalloc(size_t size, xfs_km_flags_t flags)
+ {
+--- a/fs/xfs/xfs_itable.c
++++ b/fs/xfs/xfs_itable.c
+@@ -351,7 +351,6 @@ xfs_bulkstat(
+ xfs_agino_t agino; /* inode # in allocation group */
+ xfs_agnumber_t agno; /* allocation group number */
+ xfs_btree_cur_t *cur; /* btree cursor for ialloc btree */
+- size_t irbsize; /* size of irec buffer in bytes */
+ xfs_inobt_rec_incore_t *irbuf; /* start of irec buffer */
+ int nirbuf; /* size of irbuf */
+ int ubcount; /* size of user's buffer */
+@@ -378,11 +377,10 @@ xfs_bulkstat(
+ *ubcountp = 0;
+ *done = 0;
+
+- irbuf = kmem_zalloc_greedy(&irbsize, PAGE_SIZE, PAGE_SIZE * 4);
++ irbuf = kmem_zalloc_large(PAGE_SIZE * 4, KM_SLEEP);
+ if (!irbuf)
+ return -ENOMEM;
+-
+- nirbuf = irbsize / sizeof(*irbuf);
++ nirbuf = (PAGE_SIZE * 4) / sizeof(*irbuf);
+
+ /*
+ * Loop over the allocation groups, starting from the last
projects / thirdparty / kernel / stable-queue.git / commitdiff
