--- /dev/null
+From fdcb613d49321b5bf5d5a1bd0fba8e7c241dcc70 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Thu, 26 Apr 2018 14:10:24 +0200
+Subject: ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit fdcb613d49321b5bf5d5a1bd0fba8e7c241dcc70 upstream.
+
+The LPSS PWM device on on Bay Trail and Cherry Trail devices has a set
+of private registers at offset 0x800, the current lpss_device_desc for
+them already sets the LPSS_SAVE_CTX flag to have these saved/restored
+over device-suspend, but the current lpss_device_desc was not setting
+the prv_offset field, leading to the regular device registers getting
+saved/restored instead.
+
+This is causing the PWM controller to no longer work, resulting in a black
+screen, after a suspend/resume on systems where the firmware clears the
+APB clock and reset bits at offset 0x804.
+
+This commit fixes this by properly setting prv_offset to 0x800 for
+the PWM devices.
+
+Cc: stable@vger.kernel.org
+Fixes: e1c748179754 ("ACPI / LPSS: Add Intel BayTrail ACPI mode PWM")
+Fixes: 1bfbd8eb8a7f ("ACPI / LPSS: Add ACPI IDs for Intel Braswell")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Rafael J . Wysocki <rjw@rjwysocki.net>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/acpi_lpss.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/acpi/acpi_lpss.c
++++ b/drivers/acpi/acpi_lpss.c
+@@ -230,11 +230,13 @@ static const struct lpss_device_desc lpt
+
+ static const struct lpss_device_desc byt_pwm_dev_desc = {
+ .flags = LPSS_SAVE_CTX,
++ .prv_offset = 0x800,
+ .setup = byt_pwm_setup,
+ };
+
+ static const struct lpss_device_desc bsw_pwm_dev_desc = {
+ .flags = LPSS_SAVE_CTX | LPSS_NO_D3_DELAY,
++ .prv_offset = 0x800,
+ .setup = bsw_pwm_setup,
+ };
+
--- /dev/null
+From 57cb54e53bddb59f5f542ddd4b0bfe005d31a8d5 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 21 Jun 2018 13:33:53 +0200
+Subject: ALSA: hda - Force to link down at runtime suspend on ATI/AMD HDMI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 57cb54e53bddb59f5f542ddd4b0bfe005d31a8d5 upstream.
+
+Henning Kühn reported that the discrete AMD GPU on his hybrid graphics
+laptop no longer runtime-suspends due to the recent commit
+07f4f97d7b4b ("vga_switcheroo: Use device link for HDA controller").
+
+The root cause is that the HDMI codec on AMD GPU doesn't support
+CLKSTOP and EPSS, which are currently mandatory for powering down the
+HD-audio link at runtime suspend. Because the HD-audio link is still
+up, HD-audio controller driver blocks the transition to D3.
+
+For addressing the regression, this patch adds a new flag to indicate
+the forced link-down, and sets it for AMD HDMI codecs appropriately
+in the codec driver.
+
+Fixes: 07f4f97d7b4b ("vga_switcheroo: Use device link for HDA controller")
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=106957
+Reported-by: Lukas Wunner <lukas@wunner.de>
+Reported-and-tested-by: Henning Kühn <prg@cooco.de>
+Cc: <stable@vger.kernel.org> # v4.17+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_codec.c | 5 +++--
+ sound/pci/hda/hda_codec.h | 1 +
+ sound/pci/hda/patch_hdmi.c | 5 +++++
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -2887,8 +2887,9 @@ static int hda_codec_runtime_suspend(str
+ list_for_each_entry(pcm, &codec->pcm_list_head, list)
+ snd_pcm_suspend_all(pcm->pcm);
+ state = hda_call_codec_suspend(codec);
+- if (codec_has_clkstop(codec) && codec_has_epss(codec) &&
+- (state & AC_PWRST_CLK_STOP_OK))
++ if (codec->link_down_at_suspend ||
++ (codec_has_clkstop(codec) && codec_has_epss(codec) &&
++ (state & AC_PWRST_CLK_STOP_OK)))
+ snd_hdac_codec_link_down(&codec->core);
+ snd_hdac_link_power(&codec->core, false);
+ return 0;
+--- a/sound/pci/hda/hda_codec.h
++++ b/sound/pci/hda/hda_codec.h
+@@ -258,6 +258,7 @@ struct hda_codec {
+ unsigned int power_save_node:1; /* advanced PM for each widget */
+ unsigned int auto_runtime_pm:1; /* enable automatic codec runtime pm */
+ unsigned int force_pin_prefix:1; /* Add location prefix */
++ unsigned int link_down_at_suspend:1; /* link down at runtime suspend */
+ #ifdef CONFIG_PM
+ unsigned long power_on_acct;
+ unsigned long power_off_acct;
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -3741,6 +3741,11 @@ static int patch_atihdmi(struct hda_code
+
+ spec->chmap.channels_max = max(spec->chmap.channels_max, 8u);
+
++ /* AMD GPUs have neither EPSS nor CLKSTOP bits, hence preventing
++ * the link-down as is. Tell the core to allow it.
++ */
++ codec->link_down_at_suspend = 1;
++
+ return 0;
+ }
+
--- /dev/null
+From 275ec0cb946cb75ac8977f662e608fce92f8b8a8 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 22 Jun 2018 12:17:45 +0200
+Subject: ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 275ec0cb946cb75ac8977f662e608fce92f8b8a8 upstream.
+
+Fujitsu Seimens ESPRIMO Mobile U9210 requires the same fixup as H270
+for the correct pin configs.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200107
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -2542,6 +2542,7 @@ static const struct snd_pci_quirk alc262
+ SND_PCI_QUIRK(0x10cf, 0x1397, "Fujitsu Lifebook S7110", ALC262_FIXUP_FSC_S7110),
+ SND_PCI_QUIRK(0x10cf, 0x142d, "Fujitsu Lifebook E8410", ALC262_FIXUP_BENQ),
+ SND_PCI_QUIRK(0x10f1, 0x2915, "Tyan Thunder n6650W", ALC262_FIXUP_TYAN),
++ SND_PCI_QUIRK(0x1734, 0x1141, "FSC ESPRIMO U9210", ALC262_FIXUP_FSC_H270),
+ SND_PCI_QUIRK(0x1734, 0x1147, "FSC Celsius H270", ALC262_FIXUP_FSC_H270),
+ SND_PCI_QUIRK(0x17aa, 0x384e, "Lenovo 3000", ALC262_FIXUP_LENOVO_3000),
+ SND_PCI_QUIRK(0x17ff, 0x0560, "Benq ED8", ALC262_FIXUP_BENQ),
--- /dev/null
+From d5a6cabf02210b896a60eee7c04c670ee9ba6dca Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 13 Jun 2018 12:43:10 +0200
+Subject: ALSA: hda/realtek - Fix pop noise on Lenovo P50 & co
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d5a6cabf02210b896a60eee7c04c670ee9ba6dca upstream.
+
+Some Lenovo laptops, e.g. Lenovo P50, showed the pop noise at resume
+or runtime resume. It turned out to be reduced by applying
+alc_no_shutup() just like TPT440 quirk does.
+
+Since there are many Lenovo models showing the same behavior, put this
+workaround in ALC269_FIXUP_THINKPAD_ACPI entry so that it's applied
+commonly to all such Lenovo machines.
+
+Reported-by: Hans de Goede <hdegoede@redhat.com>
+Tested-by: Benjamin Berg <bberg@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4985,7 +4985,6 @@ static void alc_fixup_tpt440_dock(struct
+ struct alc_spec *spec = codec->spec;
+
+ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
+- spec->shutup = alc_no_shutup; /* reduce click noise */
+ spec->reboot_notify = alc_d3_at_reboot; /* reduce noise */
+ spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP;
+ codec->power_save_node = 0; /* avoid click noises */
+@@ -5384,6 +5383,13 @@ static void alc274_fixup_bind_dacs(struc
+ /* for hda_fixup_thinkpad_acpi() */
+ #include "thinkpad_helper.c"
+
++static void alc_fixup_thinkpad_acpi(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ alc_fixup_no_shutup(codec, fix, action); /* reduce click noise */
++ hda_fixup_thinkpad_acpi(codec, fix, action);
++}
++
+ /* for dell wmi mic mute led */
+ #include "dell_wmi_helper.c"
+
+@@ -5927,7 +5933,7 @@ static const struct hda_fixup alc269_fix
+ },
+ [ALC269_FIXUP_THINKPAD_ACPI] = {
+ .type = HDA_FIXUP_FUNC,
+- .v.func = hda_fixup_thinkpad_acpi,
++ .v.func = alc_fixup_thinkpad_acpi,
+ .chained = true,
+ .chain_id = ALC269_FIXUP_SKU_IGNORE,
+ },
--- /dev/null
+From e41fc8c5bd41b96bfae5ce4c66bee6edabc932e8 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Mon, 25 Jun 2018 14:40:56 +0800
+Subject: ALSA: hda/realtek - Fix the problem of two front mics on more machines
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit e41fc8c5bd41b96bfae5ce4c66bee6edabc932e8 upstream.
+
+We have 3 more Lenovo machines, they all have 2 front mics on them,
+so they need the fixup to change the location for one of two mics.
+
+Among these 3 Lenovo machines, one of them has the same pin cfg as the
+machine with subid 0x17aa3138, so use the pin cfg table to apply fixup
+for them. The rest machines don't share the same pin cfg, so far use
+the subid to apply fixup for them.
+
+Fixes: a3dafb2200bf ("ALSA: hda/realtek - adjust the location of one mic")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6584,8 +6584,9 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+ SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+ SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
++ SND_PCI_QUIRK(0x17aa, 0x312a, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+ SND_PCI_QUIRK(0x17aa, 0x312f, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+- SND_PCI_QUIRK(0x17aa, 0x3138, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
++ SND_PCI_QUIRK(0x17aa, 0x3136, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+ SND_PCI_QUIRK(0x17aa, 0x313c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION),
+ SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
+ SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
+@@ -6763,6 +6764,12 @@ static const struct snd_hda_pin_quirk al
+ {0x14, 0x90170110},
+ {0x19, 0x02a11030},
+ {0x21, 0x02211020}),
++ SND_HDA_PIN_QUIRK(0x10ec0235, 0x17aa, "Lenovo", ALC294_FIXUP_LENOVO_MIC_LOCATION,
++ {0x14, 0x90170110},
++ {0x19, 0x02a11030},
++ {0x1a, 0x02a11040},
++ {0x1b, 0x01014020},
++ {0x21, 0x0221101f}),
+ SND_HDA_PIN_QUIRK(0x10ec0236, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+ {0x12, 0x90a60140},
+ {0x14, 0x90170110},
--- /dev/null
+From b41f794f284966fd6ec634111e3b40d241389f96 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 25 Jun 2018 11:09:11 +0200
+Subject: ALSA: timer: Fix UBSAN warning at SNDRV_TIMER_IOCTL_NEXT_DEVICE ioctl
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit b41f794f284966fd6ec634111e3b40d241389f96 upstream.
+
+The kernel may spew a WARNING about UBSAN undefined behavior at
+handling ALSA timer ioctl SNDRV_TIMER_IOCTL_NEXT_DEVICE:
+
+UBSAN: Undefined behaviour in sound/core/timer.c:1524:19
+signed integer overflow:
+2147483647 + 1 cannot be represented in type 'int'
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x122/0x1c8 lib/dump_stack.c:113
+ ubsan_epilogue+0x12/0x86 lib/ubsan.c:159
+ handle_overflow+0x1c2/0x21f lib/ubsan.c:190
+ __ubsan_handle_add_overflow+0x2a/0x31 lib/ubsan.c:198
+ snd_timer_user_next_device sound/core/timer.c:1524 [inline]
+ __snd_timer_user_ioctl+0x204d/0x2520 sound/core/timer.c:1939
+ snd_timer_user_ioctl+0x67/0x95 sound/core/timer.c:1994
+ ....
+
+It happens only when a value with INT_MAX is passed, as we're
+incrementing it unconditionally. So the fix is trivial, check the
+value with INT_MAX. Although the bug itself is fairly harmless, it's
+better to fix it so that fuzzers won't hit this again later.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200213
+Reported-and-tested-by: Team OWL337 <icytxw@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/timer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1517,7 +1517,7 @@ static int snd_timer_user_next_device(st
+ } else {
+ if (id.subdevice < 0)
+ id.subdevice = 0;
+- else
++ else if (id.subdevice < INT_MAX)
+ id.subdevice++;
+ }
+ }
--- /dev/null
+From c0b0d540db1a8bfb041166c4991dd6f624e8de45 Mon Sep 17 00:00:00 2001
+From: Sean Wang <sean.wang@mediatek.com>
+Date: Wed, 11 Apr 2018 16:53:56 +0800
+Subject: arm: dts: mt7623: fix invalid memory node being generated
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+commit c0b0d540db1a8bfb041166c4991dd6f624e8de45 upstream.
+
+Below two wrong nodes in existing DTS files would cause a fail boot since
+in fact the address 0 is not the correct place the memory device locates
+at.
+
+memory {
+ device_type = "memory";
+ reg = <0x0 0x0 0x0 0x0>;
+};
+
+memory@80000000 {
+ reg = <0x0 0x80000000 0x0 0x40000000>;
+};
+
+In order to avoid having a memory node starting at address 0, we can't
+include file skeleton64.dtsi and instead need to explicitly manually
+define a few of properties the DTS relies on such as #address-cells
+and #size-cells in root node and device_type in the node memory@80000000.
+
+Cc: stable@vger.kernel.org
+Fixes: 31ac0d69a1d4 ("ARM: dts: mediatek: add MT7623 basic support")
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Cc: Rob Herring <robh+dt@kernel.org>
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/mt7623.dtsi | 3 ++-
+ arch/arm/boot/dts/mt7623n-bananapi-bpi-r2.dts | 1 +
+ arch/arm/boot/dts/mt7623n-rfb.dtsi | 1 +
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/mt7623.dtsi
++++ b/arch/arm/boot/dts/mt7623.dtsi
+@@ -22,11 +22,12 @@
+ #include <dt-bindings/phy/phy.h>
+ #include <dt-bindings/reset/mt2701-resets.h>
+ #include <dt-bindings/thermal/thermal.h>
+-#include "skeleton64.dtsi"
+
+ / {
+ compatible = "mediatek,mt7623";
+ interrupt-parent = <&sysirq>;
++ #address-cells = <2>;
++ #size-cells = <2>;
+
+ cpu_opp_table: opp-table {
+ compatible = "operating-points-v2";
+--- a/arch/arm/boot/dts/mt7623n-bananapi-bpi-r2.dts
++++ b/arch/arm/boot/dts/mt7623n-bananapi-bpi-r2.dts
+@@ -109,6 +109,7 @@
+ };
+
+ memory@80000000 {
++ device_type = "memory";
+ reg = <0 0x80000000 0 0x40000000>;
+ };
+ };
+--- a/arch/arm/boot/dts/mt7623n-rfb.dtsi
++++ b/arch/arm/boot/dts/mt7623n-rfb.dtsi
+@@ -47,6 +47,7 @@
+ };
+
+ memory@80000000 {
++ device_type = "memory";
+ reg = <0 0x80000000 0 0x40000000>;
+ };
+
--- /dev/null
+From 4a9c8bb2aca5b5a2a15744333729745dd9903562 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 20 Nov 2017 11:45:44 +0100
+Subject: backlight: as3711_bl: Fix Device Tree node lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 4a9c8bb2aca5b5a2a15744333729745dd9903562 upstream.
+
+Fix child-node lookup during probe, which ended up searching the whole
+device tree depth-first starting at the parent rather than just matching
+on its children.
+
+To make things worse, the parent mfd node was also prematurely freed.
+
+Cc: stable <stable@vger.kernel.org> # 3.10
+Fixes: 59eb2b5e57ea ("drivers/video/backlight/as3711_bl.c: add OF support")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/backlight/as3711_bl.c | 33 +++++++++++++++++++++++----------
+ 1 file changed, 23 insertions(+), 10 deletions(-)
+
+--- a/drivers/video/backlight/as3711_bl.c
++++ b/drivers/video/backlight/as3711_bl.c
+@@ -262,10 +262,10 @@ static int as3711_bl_register(struct pla
+ static int as3711_backlight_parse_dt(struct device *dev)
+ {
+ struct as3711_bl_pdata *pdata = dev_get_platdata(dev);
+- struct device_node *bl =
+- of_find_node_by_name(dev->parent->of_node, "backlight"), *fb;
++ struct device_node *bl, *fb;
+ int ret;
+
++ bl = of_get_child_by_name(dev->parent->of_node, "backlight");
+ if (!bl) {
+ dev_dbg(dev, "backlight node not found\n");
+ return -ENODEV;
+@@ -279,7 +279,7 @@ static int as3711_backlight_parse_dt(str
+ if (pdata->su1_max_uA <= 0)
+ ret = -EINVAL;
+ if (ret < 0)
+- return ret;
++ goto err_put_bl;
+ }
+
+ fb = of_parse_phandle(bl, "su2-dev", 0);
+@@ -292,7 +292,7 @@ static int as3711_backlight_parse_dt(str
+ if (pdata->su2_max_uA <= 0)
+ ret = -EINVAL;
+ if (ret < 0)
+- return ret;
++ goto err_put_bl;
+
+ if (of_find_property(bl, "su2-feedback-voltage", NULL)) {
+ pdata->su2_feedback = AS3711_SU2_VOLTAGE;
+@@ -314,8 +314,10 @@ static int as3711_backlight_parse_dt(str
+ pdata->su2_feedback = AS3711_SU2_CURR_AUTO;
+ count++;
+ }
+- if (count != 1)
+- return -EINVAL;
++ if (count != 1) {
++ ret = -EINVAL;
++ goto err_put_bl;
++ }
+
+ count = 0;
+ if (of_find_property(bl, "su2-fbprot-lx-sd4", NULL)) {
+@@ -334,8 +336,10 @@ static int as3711_backlight_parse_dt(str
+ pdata->su2_fbprot = AS3711_SU2_GPIO4;
+ count++;
+ }
+- if (count != 1)
+- return -EINVAL;
++ if (count != 1) {
++ ret = -EINVAL;
++ goto err_put_bl;
++ }
+
+ count = 0;
+ if (of_find_property(bl, "su2-auto-curr1", NULL)) {
+@@ -355,11 +359,20 @@ static int as3711_backlight_parse_dt(str
+ * At least one su2-auto-curr* must be specified iff
+ * AS3711_SU2_CURR_AUTO is used
+ */
+- if (!count ^ (pdata->su2_feedback != AS3711_SU2_CURR_AUTO))
+- return -EINVAL;
++ if (!count ^ (pdata->su2_feedback != AS3711_SU2_CURR_AUTO)) {
++ ret = -EINVAL;
++ goto err_put_bl;
++ }
+ }
+
++ of_node_put(bl);
++
+ return 0;
++
++err_put_bl:
++ of_node_put(bl);
++
++ return ret;
+ }
+
+ static int as3711_backlight_probe(struct platform_device *pdev)
--- /dev/null
+From d1cc0ec3da23e44c23712579515494b374f111c9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 20 Nov 2017 11:45:45 +0100
+Subject: backlight: max8925_bl: Fix Device Tree node lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit d1cc0ec3da23e44c23712579515494b374f111c9 upstream.
+
+Fix child-node lookup during probe, which ended up searching the whole
+device tree depth-first starting at the parent rather than just matching
+on its children.
+
+To make things worse, the parent mfd node was also prematurely freed,
+while the child backlight node was leaked.
+
+Cc: stable <stable@vger.kernel.org> # 3.9
+Fixes: 47ec340cb8e2 ("mfd: max8925: Support dt for backlight")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/backlight/max8925_bl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/backlight/max8925_bl.c
++++ b/drivers/video/backlight/max8925_bl.c
+@@ -116,7 +116,7 @@ static void max8925_backlight_dt_init(st
+ if (!pdata)
+ return;
+
+- np = of_find_node_by_name(nproot, "backlight");
++ np = of_get_child_by_name(nproot, "backlight");
+ if (!np) {
+ dev_err(&pdev->dev, "failed to find backlight node\n");
+ return;
+@@ -125,6 +125,8 @@ static void max8925_backlight_dt_init(st
+ if (!of_property_read_u32(np, "maxim,max8925-dual-string", &val))
+ pdata->dual_string = val;
+
++ of_node_put(np);
++
+ pdev->dev.platform_data = pdata;
+ }
+
--- /dev/null
+From 2b12dfa124dbadf391cb9a616aaa6b056823bf75 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 20 Nov 2017 11:45:46 +0100
+Subject: backlight: tps65217_bl: Fix Device Tree node lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 2b12dfa124dbadf391cb9a616aaa6b056823bf75 upstream.
+
+Fix child-node lookup during probe, which ended up searching the whole
+device tree depth-first starting at the parent rather than just matching
+on its children.
+
+This would only cause trouble if the child node is missing while there
+is an unrelated node named "backlight" elsewhere in the tree.
+
+Cc: stable <stable@vger.kernel.org> # 3.7
+Fixes: eebfdc17cc6c ("backlight: Add TPS65217 WLED driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/backlight/tps65217_bl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/backlight/tps65217_bl.c
++++ b/drivers/video/backlight/tps65217_bl.c
+@@ -184,11 +184,11 @@ static struct tps65217_bl_pdata *
+ tps65217_bl_parse_dt(struct platform_device *pdev)
+ {
+ struct tps65217 *tps = dev_get_drvdata(pdev->dev.parent);
+- struct device_node *node = of_node_get(tps->dev->of_node);
++ struct device_node *node;
+ struct tps65217_bl_pdata *pdata, *err;
+ u32 val;
+
+- node = of_find_node_by_name(node, "backlight");
++ node = of_get_child_by_name(tps->dev->of_node, "backlight");
+ if (!node)
+ return ERR_PTR(-ENODEV);
+
--- /dev/null
+From a982e45dc150da3a08907b6dd676b735391704b4 Mon Sep 17 00:00:00 2001
+From: Marcin Ziemianowicz <marcin@ziemianowicz.com>
+Date: Sun, 29 Apr 2018 15:01:11 -0400
+Subject: clk: at91: PLL recalc_rate() now using cached MUL and DIV values
+
+From: Marcin Ziemianowicz <marcin@ziemianowicz.com>
+
+commit a982e45dc150da3a08907b6dd676b735391704b4 upstream.
+
+When a USB device is connected to the USB host port on the SAM9N12 then
+you get "-62" error which seems to indicate USB replies from the device
+are timing out. Based on a logic sniffer, I saw the USB bus was running
+at half speed.
+
+The PLL code uses cached MUL and DIV values which get set in set_rate()
+and applied in prepare(), but the recalc_rate() function instead
+queries the hardware instead of using these cached values. Therefore,
+if recalc_rate() is called between a set_rate() and prepare(), the
+wrong frequency is calculated and later the USB clock divider for the
+SAM9N12 SOC will be configured for an incorrect clock.
+
+In my case, the PLL hardware was set to 96 Mhz before the OHCI
+driver loads, and therefore the usb clock divider was being set
+to /2 even though the OHCI driver set the PLL to 48 Mhz.
+
+As an alternative explanation, I noticed this was fixed in the past by
+87e2ed338f1b ("clk: at91: fix recalc_rate implementation of PLL
+driver") but the bug was later re-introduced by 1bdf02326b71 ("clk:
+at91: make use of syscon/regmap internally").
+
+Fixes: 1bdf02326b71 ("clk: at91: make use of syscon/regmap internally)
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Marcin Ziemianowicz <marcin@ziemianowicz.com>
+Acked-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/at91/clk-pll.c | 13 +------------
+ 1 file changed, 1 insertion(+), 12 deletions(-)
+
+--- a/drivers/clk/at91/clk-pll.c
++++ b/drivers/clk/at91/clk-pll.c
+@@ -132,19 +132,8 @@ static unsigned long clk_pll_recalc_rate
+ unsigned long parent_rate)
+ {
+ struct clk_pll *pll = to_clk_pll(hw);
+- unsigned int pllr;
+- u16 mul;
+- u8 div;
+
+- regmap_read(pll->regmap, PLL_REG(pll->id), &pllr);
+-
+- div = PLL_DIV(pllr);
+- mul = PLL_MUL(pllr, pll->layout);
+-
+- if (!div || !mul)
+- return 0;
+-
+- return (parent_rate / div) * (mul + 1);
++ return (parent_rate / pll->div) * (pll->mul + 1);
+ }
+
+ static long clk_pll_get_best_div_mul(struct clk_pll *pll, unsigned long rate,
--- /dev/null
+From 72e1f2302040398dafb64bbb93abdde78c1f2267 Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Sun, 20 May 2018 19:16:06 +0200
+Subject: clk: meson: meson8b: mark fclk_div2 gate clocks as CLK_IS_CRITICAL
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+commit 72e1f2302040398dafb64bbb93abdde78c1f2267 upstream.
+
+Until commit 05f814402d6174 ("clk: meson: add fdiv clock gates") we
+relied on the bootloader to enable the fclk_div clock gates. It turns
+out that our clock tree is incomplete at least on Meson8b (tested with
+an Odroid-C1, which uses an RGMII PHY) because after the mentioned
+commit Ethernet is not working anymore (no RX/TX activity can be seen).
+At the same time Ethernet was still working on Meson8m2 with a RMII PHY.
+
+Testing has shown that as soon as "fclk_div2" is disabled Ethernet stops
+working on Odroid-C1. Unfortunately it's currently not clear what the
+Ethernet controller IP block uses the fclk_div2 clock for. Mark the
+clock as CLK_IS_CRITICAL to keep it enabled (as it's already enabled by
+most bootloaders by default, which is why we didn't notice it before).
+
+Fixes: 05f814402d6174 ("clk: meson: add fdiv clock gates")
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Tested-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/meson/meson8b.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/clk/meson/meson8b.c
++++ b/drivers/clk/meson/meson8b.c
+@@ -246,6 +246,13 @@ static struct clk_regmap meson8b_fclk_di
+ .ops = &clk_regmap_gate_ops,
+ .parent_names = (const char *[]){ "fclk_div2_div" },
+ .num_parents = 1,
++ /*
++ * FIXME: Ethernet with a RGMII PHYs is not working if
++ * fclk_div2 is disabled. it is currently unclear why this
++ * is. keep it enabled until the Ethernet driver knows how
++ * to manage this clock.
++ */
++ .flags = CLK_IS_CRITICAL,
+ },
+ };
+
--- /dev/null
+From 81114baa835b59ed02d14aa1d67f91ea874077cd Mon Sep 17 00:00:00 2001
+From: Chao Yu <yuchao0@huawei.com>
+Date: Mon, 9 Apr 2018 20:25:06 +0800
+Subject: f2fs: don't use GFP_ZERO for page caches
+
+From: Chao Yu <yuchao0@huawei.com>
+
+commit 81114baa835b59ed02d14aa1d67f91ea874077cd upstream.
+
+Related to https://lkml.org/lkml/2018/4/8/661
+
+Sometimes, we need to write meta data to new allocated block address,
+then we will allocate a zeroed page in inner inode's address space, and
+fill partial data in it, and leave other place with zero value which means
+some fields are initial status.
+
+There are two inner inodes (meta inode and node inode) setting __GFP_ZERO,
+I have just checked them, for both of them, we can avoid using __GFP_ZERO,
+and do initialization by ourselves to avoid unneeded/redundant zeroing
+from mm.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/checkpoint.c | 4 +++-
+ fs/f2fs/inode.c | 4 ++--
+ fs/f2fs/segment.c | 3 +++
+ fs/f2fs/segment.h | 1 +
+ 4 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/f2fs/checkpoint.c
++++ b/fs/f2fs/checkpoint.c
+@@ -100,8 +100,10 @@ repeat:
+ * readonly and make sure do not write checkpoint with non-uptodate
+ * meta page.
+ */
+- if (unlikely(!PageUptodate(page)))
++ if (unlikely(!PageUptodate(page))) {
++ memset(page_address(page), 0, PAGE_SIZE);
+ f2fs_stop_checkpoint(sbi, false);
++ }
+ out:
+ return page;
+ }
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -320,10 +320,10 @@ struct inode *f2fs_iget(struct super_blo
+ make_now:
+ if (ino == F2FS_NODE_INO(sbi)) {
+ inode->i_mapping->a_ops = &f2fs_node_aops;
+- mapping_set_gfp_mask(inode->i_mapping, GFP_F2FS_ZERO);
++ mapping_set_gfp_mask(inode->i_mapping, GFP_NOFS);
+ } else if (ino == F2FS_META_INO(sbi)) {
+ inode->i_mapping->a_ops = &f2fs_meta_aops;
+- mapping_set_gfp_mask(inode->i_mapping, GFP_F2FS_ZERO);
++ mapping_set_gfp_mask(inode->i_mapping, GFP_NOFS);
+ } else if (S_ISREG(inode->i_mode)) {
+ inode->i_op = &f2fs_file_inode_operations;
+ inode->i_fop = &f2fs_file_operations;
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -2020,6 +2020,7 @@ static void write_current_sum_page(struc
+ struct f2fs_summary_block *dst;
+
+ dst = (struct f2fs_summary_block *)page_address(page);
++ memset(dst, 0, PAGE_SIZE);
+
+ mutex_lock(&curseg->curseg_mutex);
+
+@@ -3116,6 +3117,7 @@ static void write_compacted_summaries(st
+
+ page = grab_meta_page(sbi, blkaddr++);
+ kaddr = (unsigned char *)page_address(page);
++ memset(kaddr, 0, PAGE_SIZE);
+
+ /* Step 1: write nat cache */
+ seg_i = CURSEG_I(sbi, CURSEG_HOT_DATA);
+@@ -3140,6 +3142,7 @@ static void write_compacted_summaries(st
+ if (!page) {
+ page = grab_meta_page(sbi, blkaddr++);
+ kaddr = (unsigned char *)page_address(page);
++ memset(kaddr, 0, PAGE_SIZE);
+ written_size = 0;
+ }
+ summary = (struct f2fs_summary *)(kaddr + written_size);
+--- a/fs/f2fs/segment.h
++++ b/fs/f2fs/segment.h
+@@ -375,6 +375,7 @@ static inline void seg_info_to_sit_page(
+ int i;
+
+ raw_sit = (struct f2fs_sit_block *)page_address(page);
++ memset(raw_sit, 0, PAGE_SIZE);
+ for (i = 0; i < end - start; i++) {
+ rs = &raw_sit->entries[i];
+ se = get_seg_entry(sbi, start + i);
--- /dev/null
+From 12b731dd46d9ee646318e6e9dc587314a3908a46 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Sat, 16 Jun 2018 21:56:36 +0900
+Subject: i2c: gpio: initialize SCL to HIGH again
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+commit 12b731dd46d9ee646318e6e9dc587314a3908a46 upstream.
+
+It seems that during the conversion from gpio* to gpiod*, the initial
+state of SCL was wrongly switched to LOW. Fix it to be HIGH again.
+
+Fixes: 7bb75029ef34 ("i2c: gpio: Enforce open drain through gpiolib")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-gpio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-gpio.c
++++ b/drivers/i2c/busses/i2c-gpio.c
+@@ -279,9 +279,9 @@ static int i2c_gpio_probe(struct platfor
+ * required for an I2C bus.
+ */
+ if (pdata->scl_is_open_drain)
+- gflags = GPIOD_OUT_LOW;
++ gflags = GPIOD_OUT_HIGH;
+ else
+- gflags = GPIOD_OUT_LOW_OPEN_DRAIN;
++ gflags = GPIOD_OUT_HIGH_OPEN_DRAIN;
+ priv->scl = i2c_gpio_get_desc(dev, "scl", 1, gflags);
+ if (IS_ERR(priv->scl))
+ return PTR_ERR(priv->scl);
--- /dev/null
+From 8938fc7b8fe9ccfa11751ead502a8d385b607967 Mon Sep 17 00:00:00 2001
+From: Alexandr Savca <alexandr.savca@saltedge.com>
+Date: Thu, 21 Jun 2018 17:12:54 -0700
+Subject: Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID
+
+From: Alexandr Savca <alexandr.savca@saltedge.com>
+
+commit 8938fc7b8fe9ccfa11751ead502a8d385b607967 upstream.
+
+Add ELAN0618 to the list of supported touchpads; this ID is used in
+Lenovo v330 15IKB devices.
+
+Signed-off-by: Alexandr Savca <alexandr.savca@saltedge.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elan_i2c_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -1263,6 +1263,7 @@ static const struct acpi_device_id elan_
+ { "ELAN060C", 0 },
+ { "ELAN0611", 0 },
+ { "ELAN0612", 0 },
++ { "ELAN0618", 0 },
+ { "ELAN1000", 0 },
+ { }
+ };
--- /dev/null
+From 50fc7b61959af4b95fafce7fe5dd565199e0b61a Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Tue, 19 Jun 2018 11:17:32 -0700
+Subject: Input: elan_i2c_smbus - fix more potential stack buffer overflows
+
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+
+commit 50fc7b61959af4b95fafce7fe5dd565199e0b61a upstream.
+
+Commit 40f7090bb1b4 ("Input: elan_i2c_smbus - fix corrupted stack")
+fixed most of the functions using i2c_smbus_read_block_data() to
+allocate a buffer with the maximum block size. However three
+functions were left unchanged:
+
+* In elan_smbus_initialize(), increase the buffer size in the same
+ way.
+* In elan_smbus_calibrate_result(), the buffer is provided by the
+ caller (calibrate_store()), so introduce a bounce buffer. Also
+ name the result buffer size.
+* In elan_smbus_get_report(), the buffer is provided by the caller
+ but happens to be the right length. Add a compile-time assertion
+ to ensure this remains the case.
+
+Cc: <stable@vger.kernel.org> # 3.19+
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elan_i2c.h | 2 ++
+ drivers/input/mouse/elan_i2c_core.c | 2 +-
+ drivers/input/mouse/elan_i2c_smbus.c | 10 ++++++++--
+ 3 files changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/input/mouse/elan_i2c.h
++++ b/drivers/input/mouse/elan_i2c.h
+@@ -27,6 +27,8 @@
+ #define ETP_DISABLE_POWER 0x0001
+ #define ETP_PRESSURE_OFFSET 25
+
++#define ETP_CALIBRATE_MAX_LEN 3
++
+ /* IAP Firmware handling */
+ #define ETP_PRODUCT_ID_FORMAT_STRING "%d.0"
+ #define ETP_FW_NAME "elan_i2c_" ETP_PRODUCT_ID_FORMAT_STRING ".bin"
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -610,7 +610,7 @@ static ssize_t calibrate_store(struct de
+ int tries = 20;
+ int retval;
+ int error;
+- u8 val[3];
++ u8 val[ETP_CALIBRATE_MAX_LEN];
+
+ retval = mutex_lock_interruptible(&data->sysfs_mutex);
+ if (retval)
+--- a/drivers/input/mouse/elan_i2c_smbus.c
++++ b/drivers/input/mouse/elan_i2c_smbus.c
+@@ -56,7 +56,7 @@
+ static int elan_smbus_initialize(struct i2c_client *client)
+ {
+ u8 check[ETP_SMBUS_HELLOPACKET_LEN] = { 0x55, 0x55, 0x55, 0x55, 0x55 };
+- u8 values[ETP_SMBUS_HELLOPACKET_LEN] = { 0, 0, 0, 0, 0 };
++ u8 values[I2C_SMBUS_BLOCK_MAX] = {0};
+ int len, error;
+
+ /* Get hello packet */
+@@ -117,12 +117,16 @@ static int elan_smbus_calibrate(struct i
+ static int elan_smbus_calibrate_result(struct i2c_client *client, u8 *val)
+ {
+ int error;
++ u8 buf[I2C_SMBUS_BLOCK_MAX] = {0};
++
++ BUILD_BUG_ON(ETP_CALIBRATE_MAX_LEN > sizeof(buf));
+
+ error = i2c_smbus_read_block_data(client,
+- ETP_SMBUS_CALIBRATE_QUERY, val);
++ ETP_SMBUS_CALIBRATE_QUERY, buf);
+ if (error < 0)
+ return error;
+
++ memcpy(val, buf, ETP_CALIBRATE_MAX_LEN);
+ return 0;
+ }
+
+@@ -472,6 +476,8 @@ static int elan_smbus_get_report(struct
+ {
+ int len;
+
++ BUILD_BUG_ON(I2C_SMBUS_BLOCK_MAX > ETP_SMBUS_REPORT_LEN);
++
+ len = i2c_smbus_read_block_data(client,
+ ETP_SMBUS_PACKET_QUERY,
+ &report[ETP_SMBUS_REPORT_OFFSET]);
--- /dev/null
+From 24bb555e6e46d96e2a954aa0295029a81cc9bbaa Mon Sep 17 00:00:00 2001
+From: Aaron Ma <aaron.ma@canonical.com>
+Date: Thu, 21 Jun 2018 17:14:01 -0700
+Subject: Input: elantech - enable middle button of touchpads on ThinkPad P52
+
+From: Aaron Ma <aaron.ma@canonical.com>
+
+commit 24bb555e6e46d96e2a954aa0295029a81cc9bbaa upstream.
+
+PNPID is better way to identify the type of touchpads.
+Enable middle button support on 2 types of touchpads on Lenovo P52.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elantech.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -1169,6 +1169,12 @@ static const struct dmi_system_id elante
+ { }
+ };
+
++static const char * const middle_button_pnp_ids[] = {
++ "LEN2131", /* ThinkPad P52 w/ NFC */
++ "LEN2132", /* ThinkPad P52 */
++ NULL
++};
++
+ /*
+ * Set the appropriate event bits for the input subsystem
+ */
+@@ -1188,7 +1194,8 @@ static int elantech_set_input_params(str
+ __clear_bit(EV_REL, dev->evbit);
+
+ __set_bit(BTN_LEFT, dev->keybit);
+- if (dmi_check_system(elantech_dmi_has_middle_button))
++ if (dmi_check_system(elantech_dmi_has_middle_button) ||
++ psmouse_matches_pnp_id(psmouse, middle_button_pnp_ids))
+ __set_bit(BTN_MIDDLE, dev->keybit);
+ __set_bit(BTN_RIGHT, dev->keybit);
+
--- /dev/null
+From e0ae2519ca004a628fa55aeef969c37edce522d3 Mon Sep 17 00:00:00 2001
+From: ??? <kt.liao@emc.com.tw>
+Date: Thu, 21 Jun 2018 17:15:32 -0700
+Subject: Input: elantech - fix V4 report decoding for module with middle key
+
+From: ??? <kt.liao@emc.com.tw>
+
+commit e0ae2519ca004a628fa55aeef969c37edce522d3 upstream.
+
+Some touchpad has middle key and it will be indicated in bit 2 of packet[0].
+We need to fix V4 formation's byte mask to prevent error decoding.
+
+Signed-off-by: KT Liao <kt.liao@emc.com.tw>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elantech.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/mouse/elantech.c
++++ b/drivers/input/mouse/elantech.c
+@@ -796,7 +796,7 @@ static int elantech_packet_check_v4(stru
+ else if (ic_version == 7 && etd->samples[1] == 0x2A)
+ sanity_check = ((packet[3] & 0x1c) == 0x10);
+ else
+- sanity_check = ((packet[0] & 0x0c) == 0x04 &&
++ sanity_check = ((packet[0] & 0x08) == 0x00 &&
+ (packet[3] & 0x1c) == 0x10);
+
+ if (!sanity_check)
--- /dev/null
+From 03ae3a9caf4a59edd32b65c89c375a98ce3ea1ef Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 25 Jun 2018 12:02:40 -0700
+Subject: Input: psmouse - fix button reporting for basic protocols
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 03ae3a9caf4a59edd32b65c89c375a98ce3ea1ef upstream.
+
+The commit ba667650c568 ("Input: psmouse - clean up code") was pretty
+brain-dead and broke extra buttons reporting for variety of PS/2 mice:
+Genius, Thinkmouse and Intellimouse Explorer. We need to actually inspect
+the data coming from the device when reporting events.
+
+Fixes: ba667650c568 ("Input: psmouse - clean up code")
+Reported-by: Jiri Slaby <jslaby@suse.cz>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/psmouse-base.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/input/mouse/psmouse-base.c
++++ b/drivers/input/mouse/psmouse-base.c
+@@ -192,8 +192,8 @@ psmouse_ret_t psmouse_process_byte(struc
+ else
+ input_report_rel(dev, REL_WHEEL, -wheel);
+
+- input_report_key(dev, BTN_SIDE, BIT(4));
+- input_report_key(dev, BTN_EXTRA, BIT(5));
++ input_report_key(dev, BTN_SIDE, packet[3] & BIT(4));
++ input_report_key(dev, BTN_EXTRA, packet[3] & BIT(5));
+ break;
+ }
+ break;
+@@ -203,13 +203,13 @@ psmouse_ret_t psmouse_process_byte(struc
+ input_report_rel(dev, REL_WHEEL, -(s8) packet[3]);
+
+ /* Extra buttons on Genius NewNet 3D */
+- input_report_key(dev, BTN_SIDE, BIT(6));
+- input_report_key(dev, BTN_EXTRA, BIT(7));
++ input_report_key(dev, BTN_SIDE, packet[0] & BIT(6));
++ input_report_key(dev, BTN_EXTRA, packet[0] & BIT(7));
+ break;
+
+ case PSMOUSE_THINKPS:
+ /* Extra button on ThinkingMouse */
+- input_report_key(dev, BTN_EXTRA, BIT(3));
++ input_report_key(dev, BTN_EXTRA, packet[0] & BIT(3));
+
+ /*
+ * Without this bit of weirdness moving up gives wildly
+@@ -223,7 +223,7 @@ psmouse_ret_t psmouse_process_byte(struc
+ * Cortron PS2 Trackball reports SIDE button in the
+ * 4th bit of the first byte.
+ */
+- input_report_key(dev, BTN_SIDE, BIT(3));
++ input_report_key(dev, BTN_SIDE, packet[0] & BIT(3));
+ packet[0] |= BIT(3);
+ break;
+
--- /dev/null
+From fc573af632b44f355f8fa15ab505f5593368078d Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 5 Jun 2018 09:34:22 -0700
+Subject: Input: silead - add MSSL0002 ACPI HID
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit fc573af632b44f355f8fa15ab505f5593368078d upstream.
+
+The Silead touchscreen on the Chuwi Vi8 tablet uses MSSL0002 as ACPI HID,
+rather then the usual MSSL1680 id.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/silead.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/touchscreen/silead.c
++++ b/drivers/input/touchscreen/silead.c
+@@ -603,6 +603,7 @@ static const struct acpi_device_id silea
+ { "GSL3692", 0 },
+ { "MSSL1680", 0 },
+ { "MSSL0001", 0 },
++ { "MSSL0002", 0 },
+ { }
+ };
+ MODULE_DEVICE_TABLE(acpi, silead_ts_acpi_match);
--- /dev/null
+From dd6bee81c942c0ea01030da9356026afb88f9d18 Mon Sep 17 00:00:00 2001
+From: Enno Boland <gottox@voidlinux.eu>
+Date: Tue, 19 Jun 2018 11:55:33 -0700
+Subject: Input: xpad - fix GPD Win 2 controller name
+
+From: Enno Boland <gottox@voidlinux.eu>
+
+commit dd6bee81c942c0ea01030da9356026afb88f9d18 upstream.
+
+This fixes using the controller with SDL2.
+
+SDL2 has a naive algorithm to apply the correct settings to a controller.
+For X-Box compatible controllers it expects that the controller name
+contains a variation of a 'XBOX'-string.
+
+This patch changes the identifier to contain "X-Box" as substring. Tested
+with Steam and C-Dogs-SDL which both detect the controller properly after
+adding this patch.
+
+Fixes: c1ba08390a8b ("Input: xpad - add GPD Win 2 Controller USB IDs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Enno Boland <gottox@voidlinux.eu>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/joystick/xpad.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -123,7 +123,7 @@ static const struct xpad_device {
+ u8 mapping;
+ u8 xtype;
+ } xpad_device[] = {
+- { 0x0079, 0x18d4, "GPD Win 2 Controller", 0, XTYPE_XBOX360 },
++ { 0x0079, 0x18d4, "GPD Win 2 X-Box Controller", 0, XTYPE_XBOX360 },
+ { 0x044f, 0x0f00, "Thrustmaster Wheel", 0, XTYPE_XBOX },
+ { 0x044f, 0x0f03, "Thrustmaster Wheel", 0, XTYPE_XBOX },
+ { 0x044f, 0x0f07, "Thrustmaster, Inc. Controller", 0, XTYPE_XBOX },
--- /dev/null
+From dd275caf4a0d9b219fffe49288b6cc33cd564312 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 27 Jun 2018 23:26:20 -0700
+Subject: kasan: depend on CONFIG_SLUB_DEBUG
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+commit dd275caf4a0d9b219fffe49288b6cc33cd564312 upstream.
+
+KASAN depends on having access to some of the accounting that SLUB_DEBUG
+does; without it, there are immediate crashes [1]. So, the natural
+thing to do is to make KASAN select SLUB_DEBUG.
+
+[1] http://lkml.kernel.org/r/CAHmME9rtoPwxUSnktxzKso14iuVCWT7BE_-_8PAC=pGw1iJnQg@mail.gmail.com
+
+Link: http://lkml.kernel.org/r/20180622154623.25388-1-Jason@zx2c4.com
+Fixes: f9e13c0a5a33 ("slab, slub: skip unnecessary kasan_cache_shutdown()")
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Acked-by: Christoph Lameter <cl@linux.com>
+Cc: Shakeel Butt <shakeelb@google.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/Kconfig.kasan | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/lib/Kconfig.kasan
++++ b/lib/Kconfig.kasan
+@@ -6,6 +6,7 @@ if HAVE_ARCH_KASAN
+ config KASAN
+ bool "KASan: runtime memory debugger"
+ depends on SLUB || (SLAB && !DEBUG_SLAB)
++ select SLUB_DEBUG if SLUB
+ select CONSTRUCTORS
+ select STACKDEPOT
+ help
--- /dev/null
+From ce7f11a230d5b7165480b96c0cc7a90358b5b5e2 Mon Sep 17 00:00:00 2001
+From: Ross Zwisler <ross.zwisler@linux.intel.com>
+Date: Wed, 6 Jun 2018 10:45:13 -0600
+Subject: libnvdimm, pmem: Unconditionally deep flush on *sync
+
+From: Ross Zwisler <ross.zwisler@linux.intel.com>
+
+commit ce7f11a230d5b7165480b96c0cc7a90358b5b5e2 upstream.
+
+Prior to this commit we would only do a "deep flush" (have nvdimm_flush()
+write to each of the flush hints for a region) in response to an
+msync/fsync/sync call if the nvdimm_has_cache() returned true at the time
+we were setting up the request queue. This happens due to the write cache
+value passed in to blk_queue_write_cache(), which then causes the block
+layer to send down BIOs with REQ_FUA and REQ_PREFLUSH set. We do have a
+"write_cache" sysfs entry for namespaces, i.e.:
+
+ /sys/bus/nd/devices/pfn0.1/block/pmem0/dax/write_cache
+
+which can be used to control whether or not the kernel thinks a given
+namespace has a write cache, but this didn't modify the deep flush behavior
+that we set up when the driver was initialized. Instead, it only modified
+whether or not DAX would flush CPU caches via dax_flush() in response to
+*sync calls.
+
+Simplify this by making the *sync deep flush always happen, regardless of
+the write cache setting of a namespace. The DAX CPU cache flushing will
+still be controlled the write_cache setting of the namespace.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 5fdf8e5ba566 ("libnvdimm: re-enable deep flush for pmem devices via fsync()")
+Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/pmem.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/nvdimm/pmem.c
++++ b/drivers/nvdimm/pmem.c
+@@ -299,7 +299,7 @@ static int pmem_attach_disk(struct devic
+ {
+ struct nd_namespace_io *nsio = to_nd_namespace_io(&ndns->dev);
+ struct nd_region *nd_region = to_nd_region(dev->parent);
+- int nid = dev_to_node(dev), fua, wbc;
++ int nid = dev_to_node(dev), fua;
+ struct resource *res = &nsio->res;
+ struct resource bb_res;
+ struct nd_pfn *nd_pfn = NULL;
+@@ -335,7 +335,6 @@ static int pmem_attach_disk(struct devic
+ dev_warn(dev, "unable to guarantee persistence of writes\n");
+ fua = 0;
+ }
+- wbc = nvdimm_has_cache(nd_region);
+
+ if (!devm_request_mem_region(dev, res->start, resource_size(res),
+ dev_name(&ndns->dev))) {
+@@ -382,7 +381,7 @@ static int pmem_attach_disk(struct devic
+ return PTR_ERR(addr);
+ pmem->virt_addr = addr;
+
+- blk_queue_write_cache(q, wbc, fua);
++ blk_queue_write_cache(q, true, fua);
+ blk_queue_make_request(q, pmem_make_request);
+ blk_queue_physical_block_size(q, PAGE_SIZE);
+ blk_queue_logical_block_size(q, pmem_sector_size(ndns));
+@@ -413,7 +412,7 @@ static int pmem_attach_disk(struct devic
+ put_disk(disk);
+ return -ENOMEM;
+ }
+- dax_write_cache(dax_dev, wbc);
++ dax_write_cache(dax_dev, nvdimm_has_cache(nd_region));
+ pmem->dax_dev = dax_dev;
+
+ gendev = disk_to_dev(disk);
--- /dev/null
+From 254a4cd50b9fe2291a12b8902e08e56dcc4e9b10 Mon Sep 17 00:00:00 2001
+From: Robert Elliott <elliott@hpe.com>
+Date: Thu, 31 May 2018 18:36:36 -0500
+Subject: linvdimm, pmem: Preserve read-only setting for pmem devices
+
+From: Robert Elliott <elliott@hpe.com>
+
+commit 254a4cd50b9fe2291a12b8902e08e56dcc4e9b10 upstream.
+
+The pmem driver does not honor a forced read-only setting for very long:
+ $ blockdev --setro /dev/pmem0
+ $ blockdev --getro /dev/pmem0
+ 1
+
+followed by various commands like these:
+ $ blockdev --rereadpt /dev/pmem0
+ or
+ $ mkfs.ext4 /dev/pmem0
+
+results in this in the kernel serial log:
+ nd_pmem namespace0.0: region0 read-write, marking pmem0 read-write
+
+with the read-only setting lost:
+ $ blockdev --getro /dev/pmem0
+ 0
+
+That's from bus.c nvdimm_revalidate_disk(), which always applies the
+setting from nd_region (which is initially based on the ACPI NFIT
+NVDIMM state flags not_armed bit).
+
+In contrast, commit 20bd1d026aac ("scsi: sd: Keep disk read-only when
+re-reading partition") fixed this issue for SCSI devices to preserve
+the previous setting if it was set to read-only.
+
+This patch modifies bus.c to preserve any previous read-only setting.
+It also eliminates the kernel serial log print except for cases where
+read-write is changed to read-only, so it doesn't print read-only to
+read-only non-changes.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 581388209405 ("libnvdimm, nfit: handle unarmed dimms, mark namespaces read-only")
+Signed-off-by: Robert Elliott <elliott@hpe.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nvdimm/bus.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/nvdimm/bus.c
++++ b/drivers/nvdimm/bus.c
+@@ -566,14 +566,18 @@ int nvdimm_revalidate_disk(struct gendis
+ {
+ struct device *dev = disk_to_dev(disk)->parent;
+ struct nd_region *nd_region = to_nd_region(dev->parent);
+- const char *pol = nd_region->ro ? "only" : "write";
++ int disk_ro = get_disk_ro(disk);
+
+- if (nd_region->ro == get_disk_ro(disk))
++ /*
++ * Upgrade to read-only if the region is read-only preserve as
++ * read-only if the disk is already read-only.
++ */
++ if (disk_ro || nd_region->ro == disk_ro)
+ return 0;
+
+- dev_info(dev, "%s read-%s, marking %s read-%s\n",
+- dev_name(&nd_region->dev), pol, disk->disk_name, pol);
+- set_disk_ro(disk, nd_region->ro);
++ dev_info(dev, "%s read-only, marking %s read-only\n",
++ dev_name(&nd_region->dev), disk->disk_name);
++ set_disk_ro(disk, 1);
+
+ return 0;
+
--- /dev/null
+From 011abdc9df559ec75779bb7c53a744c69b2a94c6 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Thu, 26 Apr 2018 14:46:29 +1000
+Subject: md: fix two problems with setting the "re-add" device state.
+
+From: NeilBrown <neilb@suse.com>
+
+commit 011abdc9df559ec75779bb7c53a744c69b2a94c6 upstream.
+
+If "re-add" is written to the "state" file for a device
+which is faulty, this has an effect similar to removing
+and re-adding the device. It should take up the
+same slot in the array that it previously had, and
+an accelerated (e.g. bitmap-based) rebuild should happen.
+
+The slot that "it previously had" is determined by
+rdev->saved_raid_disk.
+However this is not set when a device fails (only when a device
+is added), and it is cleared when resync completes.
+This means that "re-add" will normally work once, but may not work a
+second time.
+
+This patch includes two fixes.
+1/ when a device fails, record the ->raid_disk value in
+ ->saved_raid_disk before clearing ->raid_disk
+2/ when "re-add" is written to a device for which
+ ->saved_raid_disk is not set, fail.
+
+I think this is suitable for stable as it can
+cause re-adding a device to be forced to do a full
+resync which takes a lot longer and so puts data at
+more risk.
+
+Cc: <stable@vger.kernel.org> (v4.1)
+Fixes: 97f6cd39da22 ("md-cluster: re-add capabilities")
+Signed-off-by: NeilBrown <neilb@suse.com>
+Reviewed-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -2853,7 +2853,8 @@ state_store(struct md_rdev *rdev, const
+ err = 0;
+ }
+ } else if (cmd_match(buf, "re-add")) {
+- if (test_bit(Faulty, &rdev->flags) && (rdev->raid_disk == -1)) {
++ if (test_bit(Faulty, &rdev->flags) && (rdev->raid_disk == -1) &&
++ rdev->saved_raid_disk >= 0) {
+ /* clear_bit is performed _after_ all the devices
+ * have their local Faulty bit cleared. If any writes
+ * happen in the meantime in the local node, they
+@@ -8641,6 +8642,7 @@ static int remove_and_add_spares(struct
+ if (mddev->pers->hot_remove_disk(
+ mddev, rdev) == 0) {
+ sysfs_unlink_rdev(mddev, rdev);
++ rdev->saved_raid_disk = rdev->raid_disk;
+ rdev->raid_disk = -1;
+ removed++;
+ }
--- /dev/null
+From 29e61d6ef061b012d320327af7dbb3990e75be45 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Mon, 26 Mar 2018 02:06:16 -0400
+Subject: media: cx231xx: Add support for AverMedia DVD EZMaker 7
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 29e61d6ef061b012d320327af7dbb3990e75be45 upstream.
+
+User reports AverMedia DVD EZMaker 7 can be driven by VIDEO_GRABBER.
+Add the device to the id_table to make it work.
+
+BugLink: https://bugs.launchpad.net/bugs/1620762
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Hans Verkuil <hansverk@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/cx231xx/cx231xx-cards.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/usb/cx231xx/cx231xx-cards.c
++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
+@@ -1024,6 +1024,9 @@ struct usb_device_id cx231xx_id_table[]
+ .driver_info = CX231XX_BOARD_CNXT_RDE_250},
+ {USB_DEVICE(0x0572, 0x58A0),
+ .driver_info = CX231XX_BOARD_CNXT_RDU_250},
++ /* AverMedia DVD EZMaker 7 */
++ {USB_DEVICE(0x07ca, 0xc039),
++ .driver_info = CX231XX_BOARD_CNXT_VIDEO_GRABBER},
+ {USB_DEVICE(0x2040, 0xb110),
+ .driver_info = CX231XX_BOARD_HAUPPAUGE_USB2_FM_PAL},
+ {USB_DEVICE(0x2040, 0xb111),
--- /dev/null
+From 13a257f8d5a530bd2aa004a067ba1f2b8f5ef76d Mon Sep 17 00:00:00 2001
+From: Brad Love <brad@nextdimension.cc>
+Date: Thu, 3 May 2018 17:20:10 -0400
+Subject: media: cx231xx: Ignore an i2c mux adapter
+
+From: Brad Love <brad@nextdimension.cc>
+
+commit 13a257f8d5a530bd2aa004a067ba1f2b8f5ef76d upstream.
+
+Hauppauge 935C cannot communicate with the si2157
+when using the mux adapter returned by the si2168,
+so disable it to fix the device.
+
+Signed-off-by: Brad Love <brad@nextdimension.cc>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/cx231xx/cx231xx-dvb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/cx231xx/cx231xx-dvb.c
++++ b/drivers/media/usb/cx231xx/cx231xx-dvb.c
+@@ -1151,7 +1151,7 @@ static int dvb_init(struct cx231xx *dev)
+ info.platform_data = &si2157_config;
+ request_module("si2157");
+
+- client = i2c_new_device(adapter, &info);
++ client = i2c_new_device(tuner_i2c, &info);
+ if (client == NULL || client->dev.driver == NULL) {
+ module_put(dvb->i2c_client_demod[0]->dev.driver->owner);
+ i2c_unregister_device(dvb->i2c_client_demod[0]);
--- /dev/null
+From 76d81243a487c09619822ef8e7201a756e58a87d Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Date: Thu, 5 Apr 2018 05:30:52 -0400
+Subject: media: dvb_frontend: fix locking issues at dvb_frontend_get_event()
+
+From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+
+commit 76d81243a487c09619822ef8e7201a756e58a87d upstream.
+
+As warned by smatch:
+ drivers/media/dvb-core/dvb_frontend.c:314 dvb_frontend_get_event() warn: inconsistent returns 'sem:&fepriv->sem'.
+ Locked on: line 288
+ line 295
+ line 306
+ line 314
+ Unlocked on: line 303
+
+The lock implementation for get event is wrong, as, if an
+interrupt occurs, down_interruptible() will fail, and the
+routine will call up() twice when userspace calls the ioctl
+again.
+
+The bad code is there since when Linux migrated to git, in
+2005.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/dvb-core/dvb_frontend.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/dvb-core/dvb_frontend.c
++++ b/drivers/media/dvb-core/dvb_frontend.c
+@@ -275,8 +275,20 @@ static void dvb_frontend_add_event(struc
+ wake_up_interruptible (&events->wait_queue);
+ }
+
++static int dvb_frontend_test_event(struct dvb_frontend_private *fepriv,
++ struct dvb_fe_events *events)
++{
++ int ret;
++
++ up(&fepriv->sem);
++ ret = events->eventw != events->eventr;
++ down(&fepriv->sem);
++
++ return ret;
++}
++
+ static int dvb_frontend_get_event(struct dvb_frontend *fe,
+- struct dvb_frontend_event *event, int flags)
++ struct dvb_frontend_event *event, int flags)
+ {
+ struct dvb_frontend_private *fepriv = fe->frontend_priv;
+ struct dvb_fe_events *events = &fepriv->events;
+@@ -294,13 +306,8 @@ static int dvb_frontend_get_event(struct
+ if (flags & O_NONBLOCK)
+ return -EWOULDBLOCK;
+
+- up(&fepriv->sem);
+-
+- ret = wait_event_interruptible (events->wait_queue,
+- events->eventw != events->eventr);
+-
+- if (down_interruptible (&fepriv->sem))
+- return -ERESTARTSYS;
++ ret = wait_event_interruptible(events->wait_queue,
++ dvb_frontend_test_event(fepriv, events));
+
+ if (ret < 0)
+ return ret;
--- /dev/null
+From 63039c29f7a4ce8a8bd165173840543c0098d7b0 Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Sun, 8 Apr 2018 06:36:40 -0400
+Subject: media: rc: mce_kbd decoder: fix stuck keys
+
+From: Sean Young <sean@mess.org>
+
+commit 63039c29f7a4ce8a8bd165173840543c0098d7b0 upstream.
+
+The MCE Remote sends a 0 scancode when keys are released. If this is not
+received or decoded, then keys can get "stuck"; the keyup event is not
+sent since the input_sync() is missing from the timeout handler.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/ir-mce_kbd-decoder.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/rc/ir-mce_kbd-decoder.c
++++ b/drivers/media/rc/ir-mce_kbd-decoder.c
+@@ -130,6 +130,8 @@ static void mce_kbd_rx_timeout(struct ti
+
+ for (i = 0; i < MCIR2_MASK_KEYS_START; i++)
+ input_report_key(raw->mce_kbd.idev, kbd_keycodes[i], 0);
++
++ input_sync(raw->mce_kbd.idev);
+ }
+
+ static enum mce_kbd_mode mce_kbd_mode(struct mce_kbd_dec *data)
--- /dev/null
+From f620d1d7afc7db57ab59f35000752840c91f67e7 Mon Sep 17 00:00:00 2001
+From: ming_qian <ming_qian@realsil.com.cn>
+Date: Tue, 8 May 2018 22:13:08 -0400
+Subject: media: uvcvideo: Support realtek's UVC 1.5 device
+
+From: ming_qian <ming_qian@realsil.com.cn>
+
+commit f620d1d7afc7db57ab59f35000752840c91f67e7 upstream.
+
+media: uvcvideo: Support UVC 1.5 video probe & commit controls
+
+The length of UVC 1.5 video control is 48, and it is 34 for UVC 1.1.
+Change it to 48 for UVC 1.5 device, and the UVC 1.5 device can be
+recognized.
+
+More changes to the driver are needed for full UVC 1.5 compatibility.
+However, at least the UVC 1.5 Realtek RTS5847/RTS5852 cameras have been
+reported to work well.
+
+[laurent.pinchart@ideasonboard.com: Factor out code to helper function, update size checks]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: ming_qian <ming_qian@realsil.com.cn>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Tested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Tested-by: Ana Guerrero Lopez <ana.guerrero@collabora.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/uvc/uvc_video.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -163,14 +163,27 @@ static void uvc_fixup_video_ctrl(struct
+ }
+ }
+
++static size_t uvc_video_ctrl_size(struct uvc_streaming *stream)
++{
++ /*
++ * Return the size of the video probe and commit controls, which depends
++ * on the protocol version.
++ */
++ if (stream->dev->uvc_version < 0x0110)
++ return 26;
++ else if (stream->dev->uvc_version < 0x0150)
++ return 34;
++ else
++ return 48;
++}
++
+ static int uvc_get_video_ctrl(struct uvc_streaming *stream,
+ struct uvc_streaming_control *ctrl, int probe, u8 query)
+ {
++ u16 size = uvc_video_ctrl_size(stream);
+ u8 *data;
+- u16 size;
+ int ret;
+
+- size = stream->dev->uvc_version >= 0x0110 ? 34 : 26;
+ if ((stream->dev->quirks & UVC_QUIRK_PROBE_DEF) &&
+ query == UVC_GET_DEF)
+ return -EIO;
+@@ -225,7 +238,7 @@ static int uvc_get_video_ctrl(struct uvc
+ ctrl->dwMaxVideoFrameSize = get_unaligned_le32(&data[18]);
+ ctrl->dwMaxPayloadTransferSize = get_unaligned_le32(&data[22]);
+
+- if (size == 34) {
++ if (size >= 34) {
+ ctrl->dwClockFrequency = get_unaligned_le32(&data[26]);
+ ctrl->bmFramingInfo = data[30];
+ ctrl->bPreferedVersion = data[31];
+@@ -254,11 +267,10 @@ out:
+ static int uvc_set_video_ctrl(struct uvc_streaming *stream,
+ struct uvc_streaming_control *ctrl, int probe)
+ {
++ u16 size = uvc_video_ctrl_size(stream);
+ u8 *data;
+- u16 size;
+ int ret;
+
+- size = stream->dev->uvc_version >= 0x0110 ? 34 : 26;
+ data = kzalloc(size, GFP_KERNEL);
+ if (data == NULL)
+ return -ENOMEM;
+@@ -275,7 +287,7 @@ static int uvc_set_video_ctrl(struct uvc
+ put_unaligned_le32(ctrl->dwMaxVideoFrameSize, &data[18]);
+ put_unaligned_le32(ctrl->dwMaxPayloadTransferSize, &data[22]);
+
+- if (size == 34) {
++ if (size >= 34) {
+ put_unaligned_le32(ctrl->dwClockFrequency, &data[26]);
+ data[30] = ctrl->bmFramingInfo;
+ data[31] = ctrl->bPreferedVersion;
--- /dev/null
+From ea72fbf588ac9c017224dcdaa2019ff52ca56fee Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Date: Wed, 11 Apr 2018 11:47:32 -0400
+Subject: media: v4l2-compat-ioctl32: prevent go past max size
+
+From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+
+commit ea72fbf588ac9c017224dcdaa2019ff52ca56fee upstream.
+
+As warned by smatch:
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c:879 put_v4l2_ext_controls32() warn: check for integer overflow 'count'
+
+The access_ok() logic should check for too big arrays too.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+@@ -871,7 +871,7 @@ static int put_v4l2_ext_controls32(struc
+ get_user(kcontrols, &kp->controls))
+ return -EFAULT;
+
+- if (!count)
++ if (!count || count > (U32_MAX/sizeof(*ucontrols)))
+ return 0;
+ if (get_user(p, &up->controls))
+ return -EFAULT;
--- /dev/null
+From 83967993f2320575c0ab27a80bf1d7535909c2f4 Mon Sep 17 00:00:00 2001
+From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Date: Fri, 18 May 2018 16:41:54 -0400
+Subject: media: vsp1: Release buffers for each video node
+
+From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+
+commit 83967993f2320575c0ab27a80bf1d7535909c2f4 upstream.
+
+Commit 372b2b0399fc ("media: v4l: vsp1: Release buffers in
+start_streaming error path") introduced a helper to clean up buffers on
+error paths, but inadvertently changed the code such that only the
+output WPF buffers were cleaned, rather than the video node being
+operated on.
+
+Since then vsp1_video_cleanup_pipeline() has grown to perform both video
+node cleanup, as well as pipeline cleanup. Split the implementation into
+two distinct functions that perform the required work, so that each
+video node can release its buffers correctly on streamoff. The pipe
+cleanup that was performed in the vsp1_video_stop_streaming() (releasing
+the pipe->dl) is moved to the function for clarity.
+
+Fixes: 372b2b0399fc ("media: v4l: vsp1: Release buffers in start_streaming error path")
+
+Cc: stable@vger.kernel.org # v4.14+
+Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/vsp1/vsp1_video.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/platform/vsp1/vsp1_video.c
++++ b/drivers/media/platform/vsp1/vsp1_video.c
+@@ -849,9 +849,8 @@ static int vsp1_video_setup_pipeline(str
+ return 0;
+ }
+
+-static void vsp1_video_cleanup_pipeline(struct vsp1_pipeline *pipe)
++static void vsp1_video_release_buffers(struct vsp1_video *video)
+ {
+- struct vsp1_video *video = pipe->output->video;
+ struct vsp1_vb2_buffer *buffer;
+ unsigned long flags;
+
+@@ -861,12 +860,18 @@ static void vsp1_video_cleanup_pipeline(
+ vb2_buffer_done(&buffer->buf.vb2_buf, VB2_BUF_STATE_ERROR);
+ INIT_LIST_HEAD(&video->irqqueue);
+ spin_unlock_irqrestore(&video->irqlock, flags);
++}
++
++static void vsp1_video_cleanup_pipeline(struct vsp1_pipeline *pipe)
++{
++ lockdep_assert_held(&pipe->lock);
+
+ /* Release our partition table allocation */
+- mutex_lock(&pipe->lock);
+ kfree(pipe->part_table);
+ pipe->part_table = NULL;
+- mutex_unlock(&pipe->lock);
++
++ vsp1_dl_list_put(pipe->dl);
++ pipe->dl = NULL;
+ }
+
+ static int vsp1_video_start_streaming(struct vb2_queue *vq, unsigned int count)
+@@ -881,8 +886,9 @@ static int vsp1_video_start_streaming(st
+ if (pipe->stream_count == pipe->num_inputs) {
+ ret = vsp1_video_setup_pipeline(pipe);
+ if (ret < 0) {
+- mutex_unlock(&pipe->lock);
++ vsp1_video_release_buffers(video);
+ vsp1_video_cleanup_pipeline(pipe);
++ mutex_unlock(&pipe->lock);
+ return ret;
+ }
+
+@@ -932,13 +938,12 @@ static void vsp1_video_stop_streaming(st
+ if (ret == -ETIMEDOUT)
+ dev_err(video->vsp1->dev, "pipeline stop timeout\n");
+
+- vsp1_dl_list_put(pipe->dl);
+- pipe->dl = NULL;
++ vsp1_video_cleanup_pipeline(pipe);
+ }
+ mutex_unlock(&pipe->lock);
+
+ media_pipeline_stop(&video->video.entity);
+- vsp1_video_cleanup_pipeline(pipe);
++ vsp1_video_release_buffers(video);
+ vsp1_video_pipeline_put(pipe);
+ }
+
--- /dev/null
+From 4e93a658576ab115977225c9d0992b97ff19ba8c Mon Sep 17 00:00:00 2001
+From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Date: Fri, 18 May 2018 11:38:27 +0300
+Subject: mfd: intel-lpss: Fix Intel Cannon Lake LPSS I2C input clock
+
+From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+
+commit 4e93a658576ab115977225c9d0992b97ff19ba8c upstream.
+
+Intel Cannon Lake PCH has much higher 216 MHz input clock to LPSS I2C
+than Sunrisepoint which uses 120 MHz. Preliminary information was that
+both share the same clock rate but actual silicon implements elevated
+rate for better support for 3.4 MHz high-speed I2C.
+
+This incorrect input clock rate results too high I2C bus clock in case
+ACPI doesn't provide tuned I2C timing parameters since I2C host
+controller driver calculates them from input clock rate.
+
+Fix this by using the correct rate. We still share the same 230 ns SDA
+hold time value than Sunrisepoint.
+
+Cc: stable@vger.kernel.org
+Fixes: b418bbff36dd ("mfd: intel-lpss: Add Intel Cannonlake PCI IDs")
+Reported-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Reported-by: Chris Chiu <chiu@endlessm.com>
+Reported-by: Daniel Drake <drake@endlessm.com>
+Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Tested-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/intel-lpss-pci.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+--- a/drivers/mfd/intel-lpss-pci.c
++++ b/drivers/mfd/intel-lpss-pci.c
+@@ -124,6 +124,11 @@ static const struct intel_lpss_platform_
+ .properties = apl_i2c_properties,
+ };
+
++static const struct intel_lpss_platform_info cnl_i2c_info = {
++ .clk_rate = 216000000,
++ .properties = spt_i2c_properties,
++};
++
+ static const struct pci_device_id intel_lpss_pci_ids[] = {
+ /* BXT A-Step */
+ { PCI_VDEVICE(INTEL, 0x0aac), (kernel_ulong_t)&bxt_i2c_info },
+@@ -207,13 +212,13 @@ static const struct pci_device_id intel_
+ { PCI_VDEVICE(INTEL, 0x9daa), (kernel_ulong_t)&spt_info },
+ { PCI_VDEVICE(INTEL, 0x9dab), (kernel_ulong_t)&spt_info },
+ { PCI_VDEVICE(INTEL, 0x9dfb), (kernel_ulong_t)&spt_info },
+- { PCI_VDEVICE(INTEL, 0x9dc5), (kernel_ulong_t)&spt_i2c_info },
+- { PCI_VDEVICE(INTEL, 0x9dc6), (kernel_ulong_t)&spt_i2c_info },
++ { PCI_VDEVICE(INTEL, 0x9dc5), (kernel_ulong_t)&cnl_i2c_info },
++ { PCI_VDEVICE(INTEL, 0x9dc6), (kernel_ulong_t)&cnl_i2c_info },
+ { PCI_VDEVICE(INTEL, 0x9dc7), (kernel_ulong_t)&spt_uart_info },
+- { PCI_VDEVICE(INTEL, 0x9de8), (kernel_ulong_t)&spt_i2c_info },
+- { PCI_VDEVICE(INTEL, 0x9de9), (kernel_ulong_t)&spt_i2c_info },
+- { PCI_VDEVICE(INTEL, 0x9dea), (kernel_ulong_t)&spt_i2c_info },
+- { PCI_VDEVICE(INTEL, 0x9deb), (kernel_ulong_t)&spt_i2c_info },
++ { PCI_VDEVICE(INTEL, 0x9de8), (kernel_ulong_t)&cnl_i2c_info },
++ { PCI_VDEVICE(INTEL, 0x9de9), (kernel_ulong_t)&cnl_i2c_info },
++ { PCI_VDEVICE(INTEL, 0x9dea), (kernel_ulong_t)&cnl_i2c_info },
++ { PCI_VDEVICE(INTEL, 0x9deb), (kernel_ulong_t)&cnl_i2c_info },
+ /* SPT-H */
+ { PCI_VDEVICE(INTEL, 0xa127), (kernel_ulong_t)&spt_uart_info },
+ { PCI_VDEVICE(INTEL, 0xa128), (kernel_ulong_t)&spt_uart_info },
+@@ -240,10 +245,10 @@ static const struct pci_device_id intel_
+ { PCI_VDEVICE(INTEL, 0xa32b), (kernel_ulong_t)&spt_info },
+ { PCI_VDEVICE(INTEL, 0xa37b), (kernel_ulong_t)&spt_info },
+ { PCI_VDEVICE(INTEL, 0xa347), (kernel_ulong_t)&spt_uart_info },
+- { PCI_VDEVICE(INTEL, 0xa368), (kernel_ulong_t)&spt_i2c_info },
+- { PCI_VDEVICE(INTEL, 0xa369), (kernel_ulong_t)&spt_i2c_info },
+- { PCI_VDEVICE(INTEL, 0xa36a), (kernel_ulong_t)&spt_i2c_info },
+- { PCI_VDEVICE(INTEL, 0xa36b), (kernel_ulong_t)&spt_i2c_info },
++ { PCI_VDEVICE(INTEL, 0xa368), (kernel_ulong_t)&cnl_i2c_info },
++ { PCI_VDEVICE(INTEL, 0xa369), (kernel_ulong_t)&cnl_i2c_info },
++ { PCI_VDEVICE(INTEL, 0xa36a), (kernel_ulong_t)&cnl_i2c_info },
++ { PCI_VDEVICE(INTEL, 0xa36b), (kernel_ulong_t)&cnl_i2c_info },
+ { }
+ };
+ MODULE_DEVICE_TABLE(pci, intel_lpss_pci_ids);
--- /dev/null
+From d28b62520830b2d0bffa2d98e81afc9f5e537e8b Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Tue, 24 Apr 2018 18:00:10 +0300
+Subject: mfd: intel-lpss: Program REMAP register in PIO mode
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit d28b62520830b2d0bffa2d98e81afc9f5e537e8b upstream.
+
+According to documentation REMAP register has to be programmed in
+either DMA or PIO mode of the slice.
+
+Move the DMA capability check below to let REMAP register be programmed
+in PIO mode.
+
+Cc: stable@vger.kernel.org # 4.3+
+Fixes: 4b45efe85263 ("mfd: Add support for Intel Sunrisepoint LPSS devices")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/intel-lpss.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mfd/intel-lpss.c
++++ b/drivers/mfd/intel-lpss.c
+@@ -275,11 +275,11 @@ static void intel_lpss_init_dev(const st
+
+ intel_lpss_deassert_reset(lpss);
+
++ intel_lpss_set_remap_addr(lpss);
++
+ if (!intel_lpss_has_idma(lpss))
+ return;
+
+- intel_lpss_set_remap_addr(lpss);
+-
+ /* Make sure that SPI multiblock DMA transfers are re-enabled */
+ if (lpss->type == LPSS_DEV_SPI)
+ writel(value, lpss->priv + LPSS_PRIV_SSP_REG);
--- /dev/null
+From c218b3b242bd04539621b468f01ecd2af5a21a45 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Mon, 9 Apr 2018 11:45:39 +0300
+Subject: mfd: twl-core: Fix clock initialization
+
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+
+commit c218b3b242bd04539621b468f01ecd2af5a21a45 upstream.
+
+When looking up the clock we must use the client->dev as device since that
+is the one which is probed via DT.
+
+Cc: stable@vger.kernel.org # 4.16+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/twl-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mfd/twl-core.c
++++ b/drivers/mfd/twl-core.c
+@@ -1177,7 +1177,7 @@ twl_probe(struct i2c_client *client, con
+ twl_priv->ready = true;
+
+ /* setup clock framework */
+- clocks_init(&pdev->dev, pdata ? pdata->clock : NULL);
++ clocks_init(&client->dev, pdata ? pdata->clock : NULL);
+
+ /* read TWL IDCODE Register */
+ if (twl_class_is_4030()) {
--- /dev/null
+From a9b6de77b1a3ff729f7bfc54b2e17711776a416c Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Thu, 19 Apr 2018 21:32:19 -0700
+Subject: mm: fix __gup_device_huge vs unmap
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit a9b6de77b1a3ff729f7bfc54b2e17711776a416c upstream.
+
+get_user_pages_fast() for device pages is missing the typical validation
+that all page references have been taken while the mapping was valid.
+Without this validation truncate operations can not reliably coordinate
+against new page reference events like O_DIRECT.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 3565fce3a659 ("mm, x86: get_user_pages() for dax mappings")
+Reported-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/gup.c | 36 ++++++++++++++++++++++++++----------
+ 1 file changed, 26 insertions(+), 10 deletions(-)
+
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -1459,32 +1459,48 @@ static int __gup_device_huge(unsigned lo
+ return 1;
+ }
+
+-static int __gup_device_huge_pmd(pmd_t pmd, unsigned long addr,
++static int __gup_device_huge_pmd(pmd_t orig, pmd_t *pmdp, unsigned long addr,
+ unsigned long end, struct page **pages, int *nr)
+ {
+ unsigned long fault_pfn;
++ int nr_start = *nr;
+
+- fault_pfn = pmd_pfn(pmd) + ((addr & ~PMD_MASK) >> PAGE_SHIFT);
+- return __gup_device_huge(fault_pfn, addr, end, pages, nr);
++ fault_pfn = pmd_pfn(orig) + ((addr & ~PMD_MASK) >> PAGE_SHIFT);
++ if (!__gup_device_huge(fault_pfn, addr, end, pages, nr))
++ return 0;
++
++ if (unlikely(pmd_val(orig) != pmd_val(*pmdp))) {
++ undo_dev_pagemap(nr, nr_start, pages);
++ return 0;
++ }
++ return 1;
+ }
+
+-static int __gup_device_huge_pud(pud_t pud, unsigned long addr,
++static int __gup_device_huge_pud(pud_t orig, pud_t *pudp, unsigned long addr,
+ unsigned long end, struct page **pages, int *nr)
+ {
+ unsigned long fault_pfn;
++ int nr_start = *nr;
+
+- fault_pfn = pud_pfn(pud) + ((addr & ~PUD_MASK) >> PAGE_SHIFT);
+- return __gup_device_huge(fault_pfn, addr, end, pages, nr);
++ fault_pfn = pud_pfn(orig) + ((addr & ~PUD_MASK) >> PAGE_SHIFT);
++ if (!__gup_device_huge(fault_pfn, addr, end, pages, nr))
++ return 0;
++
++ if (unlikely(pud_val(orig) != pud_val(*pudp))) {
++ undo_dev_pagemap(nr, nr_start, pages);
++ return 0;
++ }
++ return 1;
+ }
+ #else
+-static int __gup_device_huge_pmd(pmd_t pmd, unsigned long addr,
++static int __gup_device_huge_pmd(pmd_t orig, pmd_t *pmdp, unsigned long addr,
+ unsigned long end, struct page **pages, int *nr)
+ {
+ BUILD_BUG();
+ return 0;
+ }
+
+-static int __gup_device_huge_pud(pud_t pud, unsigned long addr,
++static int __gup_device_huge_pud(pud_t pud, pud_t *pudp, unsigned long addr,
+ unsigned long end, struct page **pages, int *nr)
+ {
+ BUILD_BUG();
+@@ -1502,7 +1518,7 @@ static int gup_huge_pmd(pmd_t orig, pmd_
+ return 0;
+
+ if (pmd_devmap(orig))
+- return __gup_device_huge_pmd(orig, addr, end, pages, nr);
++ return __gup_device_huge_pmd(orig, pmdp, addr, end, pages, nr);
+
+ refs = 0;
+ page = pmd_page(orig) + ((addr & ~PMD_MASK) >> PAGE_SHIFT);
+@@ -1540,7 +1556,7 @@ static int gup_huge_pud(pud_t orig, pud_
+ return 0;
+
+ if (pud_devmap(orig))
+- return __gup_device_huge_pud(orig, addr, end, pages, nr);
++ return __gup_device_huge_pud(orig, pudp, addr, end, pages, nr);
+
+ refs = 0;
+ page = pud_page(orig) + ((addr & ~PUD_MASK) >> PAGE_SHIFT);
--- /dev/null
+From 2bdce74412c249ac01dfe36b6b0043ffd7a5361e Mon Sep 17 00:00:00 2001
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Thu, 14 Jun 2018 15:26:24 -0700
+Subject: mm: fix devmem_is_allowed() for sub-page System RAM intersections
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+commit 2bdce74412c249ac01dfe36b6b0043ffd7a5361e upstream.
+
+Hussam reports:
+
+ I was poking around and for no real reason, I did cat /dev/mem and
+ strings /dev/mem. Then I saw the following warning in dmesg. I saved it
+ and rebooted immediately.
+
+ memremap attempted on mixed range 0x000000000009c000 size: 0x1000
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 11810 at kernel/memremap.c:98 memremap+0x104/0x170
+ [..]
+ Call Trace:
+ xlate_dev_mem_ptr+0x25/0x40
+ read_mem+0x89/0x1a0
+ __vfs_read+0x36/0x170
+
+The memremap() implementation checks for attempts to remap System RAM
+with MEMREMAP_WB and instead redirects those mapping attempts to the
+linear map. However, that only works if the physical address range
+being remapped is page aligned. In low memory we have situations like
+the following:
+
+ 00000000-00000fff : Reserved
+ 00001000-0009fbff : System RAM
+ 0009fc00-0009ffff : Reserved
+
+...where System RAM intersects Reserved ranges on a sub-page page
+granularity.
+
+Given that devmem_is_allowed() special cases any attempt to map System
+RAM in the first 1MB of memory, replace page_is_ram() with the more
+precise region_intersects() to trap attempts to map disallowed ranges.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199999
+Link: http://lkml.kernel.org/r/152856436164.18127.2847888121707136898.stgit@dwillia2-desk3.amr.corp.intel.com
+Fixes: 92281dee825f ("arch: introduce memremap()")
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Reported-by: Hussam Al-Tayeb <me@hussam.eu.org>
+Tested-by: Hussam Al-Tayeb <me@hussam.eu.org>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/init.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/mm/init.c
++++ b/arch/x86/mm/init.c
+@@ -706,7 +706,9 @@ void __init init_mem_mapping(void)
+ */
+ int devmem_is_allowed(unsigned long pagenr)
+ {
+- if (page_is_ram(pagenr)) {
++ if (region_intersects(PFN_PHYS(pagenr), PAGE_SIZE,
++ IORESOURCE_SYSTEM_RAM, IORES_DESC_NONE)
++ != REGION_DISJOINT) {
+ /*
+ * For disallowed memory regions in the low 1MB range,
+ * request that the page be shown as all zeros.
--- /dev/null
+From 1105a2fc022f3c7482e32faf516e8bc44095f778 Mon Sep 17 00:00:00 2001
+From: Jia He <jia.he@hxt-semitech.com>
+Date: Thu, 14 Jun 2018 15:26:14 -0700
+Subject: mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm()
+
+From: Jia He <jia.he@hxt-semitech.com>
+
+commit 1105a2fc022f3c7482e32faf516e8bc44095f778 upstream.
+
+In our armv8a server(QDF2400), I noticed lots of WARN_ON caused by
+PAGE_SIZE unaligned for rmap_item->address under memory pressure
+tests(start 20 guests and run memhog in the host).
+
+ WARNING: CPU: 4 PID: 4641 at virt/kvm/arm/mmu.c:1826 kvm_age_hva_handler+0xc0/0xc8
+ CPU: 4 PID: 4641 Comm: memhog Tainted: G W 4.17.0-rc3+ #8
+ Call trace:
+ kvm_age_hva_handler+0xc0/0xc8
+ handle_hva_to_gpa+0xa8/0xe0
+ kvm_age_hva+0x4c/0xe8
+ kvm_mmu_notifier_clear_flush_young+0x54/0x98
+ __mmu_notifier_clear_flush_young+0x6c/0xa0
+ page_referenced_one+0x154/0x1d8
+ rmap_walk_ksm+0x12c/0x1d0
+ rmap_walk+0x94/0xa0
+ page_referenced+0x194/0x1b0
+ shrink_page_list+0x674/0xc28
+ shrink_inactive_list+0x26c/0x5b8
+ shrink_node_memcg+0x35c/0x620
+ shrink_node+0x100/0x430
+ do_try_to_free_pages+0xe0/0x3a8
+ try_to_free_pages+0xe4/0x230
+ __alloc_pages_nodemask+0x564/0xdc0
+ alloc_pages_vma+0x90/0x228
+ do_anonymous_page+0xc8/0x4d0
+ __handle_mm_fault+0x4a0/0x508
+ handle_mm_fault+0xf8/0x1b0
+ do_page_fault+0x218/0x4b8
+ do_translation_fault+0x90/0xa0
+ do_mem_abort+0x68/0xf0
+ el0_da+0x24/0x28
+
+In rmap_walk_ksm, the rmap_item->address might still have the
+STABLE_FLAG, then the start and end in handle_hva_to_gpa might not be
+PAGE_SIZE aligned. Thus it will cause exceptions in handle_hva_to_gpa
+on arm64.
+
+This patch fixes it by ignoring (not removing) the low bits of address
+when doing rmap_walk_ksm.
+
+IMO, it should be backported to stable tree. the storm of WARN_ONs is
+very easy for me to reproduce. More than that, I watched a panic (not
+reproducible) as follows:
+
+ page:ffff7fe003742d80 count:-4871 mapcount:-2126053375 mapping: (null) index:0x0
+ flags: 0x1fffc00000000000()
+ raw: 1fffc00000000000 0000000000000000 0000000000000000 ffffecf981470000
+ raw: dead000000000100 dead000000000200 ffff8017c001c000 0000000000000000
+ page dumped because: nonzero _refcount
+ CPU: 29 PID: 18323 Comm: qemu-kvm Tainted: G W 4.14.15-5.hxt.aarch64 #1
+ Hardware name: <snip for confidential issues>
+ Call trace:
+ dump_backtrace+0x0/0x22c
+ show_stack+0x24/0x2c
+ dump_stack+0x8c/0xb0
+ bad_page+0xf4/0x154
+ free_pages_check_bad+0x90/0x9c
+ free_pcppages_bulk+0x464/0x518
+ free_hot_cold_page+0x22c/0x300
+ __put_page+0x54/0x60
+ unmap_stage2_range+0x170/0x2b4
+ kvm_unmap_hva_handler+0x30/0x40
+ handle_hva_to_gpa+0xb0/0xec
+ kvm_unmap_hva_range+0x5c/0xd0
+
+I even injected a fault on purpose in kvm_unmap_hva_range by seting
+size=size-0x200, the call trace is similar as above. So I thought the
+panic is similarly caused by the root cause of WARN_ON.
+
+Andrea said:
+
+: It looks a straightforward safe fix, on x86 hva_to_gfn_memslot would
+: zap those bits and hide the misalignment caused by the low metadata
+: bits being erroneously left set in the address, but the arm code
+: notices when that's the last page in the memslot and the hva_end is
+: getting aligned and the size is below one page.
+:
+: I think the problem triggers in the addr += PAGE_SIZE of
+: unmap_stage2_ptes that never matches end because end is aligned but
+: addr is not.
+:
+: } while (pte++, addr += PAGE_SIZE, addr != end);
+:
+: x86 again only works on hva_start/hva_end after converting it to
+: gfn_start/end and that being in pfn units the bits are zapped before
+: they risk to cause trouble.
+
+Jia He said:
+
+: I've tested by myself in arm64 server (QDF2400,46 cpus,96G mem) Without
+: this patch, the WARN_ON is very easy for reproducing. After this patch, I
+: have run the same benchmarch for a whole day without any WARN_ONs
+
+Link: http://lkml.kernel.org/r/1525403506-6750-1-git-send-email-hejianet@gmail.com
+Signed-off-by: Jia He <jia.he@hxt-semitech.com>
+Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
+Tested-by: Jia He <hejianet@gmail.com>
+Cc: Suzuki K Poulose <Suzuki.Poulose@arm.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
+Cc: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/ksm.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/mm/ksm.c
++++ b/mm/ksm.c
+@@ -199,6 +199,8 @@ struct rmap_item {
+ #define SEQNR_MASK 0x0ff /* low bits of unstable tree seqnr */
+ #define UNSTABLE_FLAG 0x100 /* is a node of the unstable tree */
+ #define STABLE_FLAG 0x200 /* is listed from the stable tree */
++#define KSM_FLAG_MASK (SEQNR_MASK|UNSTABLE_FLAG|STABLE_FLAG)
++ /* to mask all the flags */
+
+ /* The stable and unstable tree heads */
+ static struct rb_root one_stable_tree[1] = { RB_ROOT };
+@@ -2570,10 +2572,15 @@ again:
+ anon_vma_lock_read(anon_vma);
+ anon_vma_interval_tree_foreach(vmac, &anon_vma->rb_root,
+ 0, ULONG_MAX) {
++ unsigned long addr;
++
+ cond_resched();
+ vma = vmac->vma;
+- if (rmap_item->address < vma->vm_start ||
+- rmap_item->address >= vma->vm_end)
++
++ /* Ignore the stable/unstable/sqnr flags */
++ addr = rmap_item->address & ~KSM_FLAG_MASK;
++
++ if (addr < vma->vm_start || addr >= vma->vm_end)
+ continue;
+ /*
+ * Initially we examine only the vma which covers this
+@@ -2587,8 +2594,7 @@ again:
+ if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg))
+ continue;
+
+- if (!rwc->rmap_one(page, vma,
+- rmap_item->address, rwc->arg)) {
++ if (!rwc->rmap_one(page, vma, addr, rwc->arg)) {
+ anon_vma_unlock_read(anon_vma);
+ return;
+ }
--- /dev/null
+From dc45519eb181b5687ac8382361a8aa085acd1fe1 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Date: Tue, 19 Jun 2018 14:44:00 +0200
+Subject: net: ethernet: fix suspend/resume in davinci_emac
+
+From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+
+commit dc45519eb181b5687ac8382361a8aa085acd1fe1 upstream.
+
+This patch reverts commit 3243ff2a05ec ("net: ethernet: davinci_emac:
+Deduplicate bus_find_device() by name matching") and adds a comment
+which should stop anyone from reintroducing the same "fix" in the future.
+
+We can't use bus_find_device_by_name() here because the device name is
+not guaranteed to be 'davinci_mdio'. On some systems it can be
+'davinci_mdio.0' so we need to use strncmp() against the first part of
+the string to correctly match it.
+
+Fixes: 3243ff2a05ec ("net: ethernet: davinci_emac: Deduplicate bus_find_device() by name matching")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Acked-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/ti/davinci_emac.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/ti/davinci_emac.c
++++ b/drivers/net/ethernet/ti/davinci_emac.c
+@@ -1385,6 +1385,11 @@ static int emac_devioctl(struct net_devi
+ return -EOPNOTSUPP;
+ }
+
++static int match_first_device(struct device *dev, void *data)
++{
++ return !strncmp(dev_name(dev), "davinci_mdio", 12);
++}
++
+ /**
+ * emac_dev_open - EMAC device open
+ * @ndev: The DaVinci EMAC network adapter
+@@ -1484,8 +1489,14 @@ static int emac_dev_open(struct net_devi
+
+ /* use the first phy on the bus if pdata did not give us a phy id */
+ if (!phydev && !priv->phy_id) {
+- phy = bus_find_device_by_name(&mdio_bus_type, NULL,
+- "davinci_mdio");
++ /* NOTE: we can't use bus_find_device_by_name() here because
++ * the device name is not guaranteed to be 'davinci_mdio'. On
++ * some systems it can be 'davinci_mdio.0' so we need to use
++ * strncmp() against the first part of the string to correctly
++ * match it.
++ */
++ phy = bus_find_device(&mdio_bus_type, NULL, NULL,
++ match_first_device);
+ if (phy) {
+ priv->phy_id = dev_name(phy);
+ if (!priv->phy_id || !*priv->phy_id)
--- /dev/null
+From 9c2ece6ef67e9d376f32823086169b489c422ed0 Mon Sep 17 00:00:00 2001
+From: Scott Mayhew <smayhew@redhat.com>
+Date: Mon, 7 May 2018 09:01:08 -0400
+Subject: nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir
+
+From: Scott Mayhew <smayhew@redhat.com>
+
+commit 9c2ece6ef67e9d376f32823086169b489c422ed0 upstream.
+
+nfsd4_readdir_rsize restricts rd_maxcount to svc_max_payload when
+estimating the size of the readdir reply, but nfsd_encode_readdir
+restricts it to INT_MAX when encoding the reply. This can result in log
+messages like "kernel: RPC request reserved 32896 but used 1049444".
+
+Restrict rd_dircount similarly (no reason it should be larger than
+svc_max_payload).
+
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4xdr.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -3651,7 +3651,8 @@ nfsd4_encode_readdir(struct nfsd4_compou
+ nfserr = nfserr_resource;
+ goto err_no_verf;
+ }
+- maxcount = min_t(u32, readdir->rd_maxcount, INT_MAX);
++ maxcount = svc_max_payload(resp->rqstp);
++ maxcount = min_t(u32, readdir->rd_maxcount, maxcount);
+ /*
+ * Note the rfc defines rd_maxcount as the size of the
+ * READDIR4resok structure, which includes the verifier above
+@@ -3665,7 +3666,7 @@ nfsd4_encode_readdir(struct nfsd4_compou
+
+ /* RFC 3530 14.2.24 allows us to ignore dircount when it's 0: */
+ if (!readdir->rd_dircount)
+- readdir->rd_dircount = INT_MAX;
++ readdir->rd_dircount = svc_max_payload(resp->rqstp);
+
+ readdir->xdr = xdr;
+ readdir->rd_maxcount = maxcount;
--- /dev/null
+From 995891006ccbb73c0c9c3923cf9d25c4d07ec16b Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Sat, 9 Jun 2018 12:50:50 -0400
+Subject: NFSv4: Fix a typo in nfs41_sequence_process
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 995891006ccbb73c0c9c3923cf9d25c4d07ec16b upstream.
+
+We want to compare the slot_id to the highest slot number advertised by the
+server.
+
+Fixes: 3be0f80b5fe9c ("NFSv4.1: Fix up replays of interrupted requests")
+Cc: stable@vger.kernel.org # 4.15+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -751,7 +751,7 @@ static int nfs41_sequence_process(struct
+ * The slot id we used was probably retired. Try again
+ * using a different slot id.
+ */
+- if (slot->seq_nr < slot->table->target_highest_slotid)
++ if (slot->slot_nr < slot->table->target_highest_slotid)
+ goto session_recover;
+ goto retry_nowait;
+ case -NFS4ERR_SEQ_MISORDERED:
--- /dev/null
+From d68894800ec5712d7ddf042356f11e36f87d7f78 Mon Sep 17 00:00:00 2001
+From: Dave Wysochanski <dwysocha@redhat.com>
+Date: Tue, 29 May 2018 17:47:30 -0400
+Subject: NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message
+
+From: Dave Wysochanski <dwysocha@redhat.com>
+
+commit d68894800ec5712d7ddf042356f11e36f87d7f78 upstream.
+
+In nfs_idmap_read_and_verify_message there is an incorrect sprintf '%d'
+that converts the __u32 'im_id' from struct idmap_msg to 'id_str', which
+is a stack char array variable of length NFS_UINT_MAXLEN == 11.
+If a uid or gid value is > 2147483647 = 0x7fffffff, the conversion
+overflows into a negative value, for example:
+crash> p (unsigned) (0x80000000)
+$1 = 2147483648
+crash> p (signed) (0x80000000)
+$2 = -2147483648
+The '-' sign is written to the buffer and this causes a 1 byte overflow
+when the NULL byte is written, which corrupts kernel stack memory. If
+CONFIG_CC_STACKPROTECTOR_STRONG is set we see a stack-protector panic:
+
+[11558053.616565] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffffa05b8a8c
+[11558053.639063] CPU: 6 PID: 9423 Comm: rpc.idmapd Tainted: G W ------------ T 3.10.0-514.el7.x86_64 #1
+[11558053.641990] Hardware name: Red Hat OpenStack Compute, BIOS 1.10.2-3.el7_4.1 04/01/2014
+[11558053.644462] ffffffff818c7bc0 00000000b1f3aec1 ffff880de0f9bd48 ffffffff81685eac
+[11558053.646430] ffff880de0f9bdc8 ffffffff8167f2b3 ffffffff00000010 ffff880de0f9bdd8
+[11558053.648313] ffff880de0f9bd78 00000000b1f3aec1 ffffffff811dcb03 ffffffffa05b8a8c
+[11558053.650107] Call Trace:
+[11558053.651347] [<ffffffff81685eac>] dump_stack+0x19/0x1b
+[11558053.653013] [<ffffffff8167f2b3>] panic+0xe3/0x1f2
+[11558053.666240] [<ffffffff811dcb03>] ? kfree+0x103/0x140
+[11558053.682589] [<ffffffffa05b8a8c>] ? idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4]
+[11558053.689710] [<ffffffff810855db>] __stack_chk_fail+0x1b/0x30
+[11558053.691619] [<ffffffffa05b8a8c>] idmap_pipe_downcall+0x1cc/0x1e0 [nfsv4]
+[11558053.693867] [<ffffffffa00209d6>] rpc_pipe_write+0x56/0x70 [sunrpc]
+[11558053.695763] [<ffffffff811fe12d>] vfs_write+0xbd/0x1e0
+[11558053.702236] [<ffffffff810acccc>] ? task_work_run+0xac/0xe0
+[11558053.704215] [<ffffffff811fec4f>] SyS_write+0x7f/0xe0
+[11558053.709674] [<ffffffff816964c9>] system_call_fastpath+0x16/0x1b
+
+Fix this by calling the internally defined nfs_map_numeric_to_string()
+function which properly uses '%u' to convert this __u32. For consistency,
+also replace the one other place where snprintf is called.
+
+Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
+Reported-by: Stephen Johnston <sjohnsto@redhat.com>
+Fixes: cf4ab538f1516 ("NFSv4: Fix the string length returned by the idmapper")
+Cc: stable@vger.kernel.org # v3.4+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4idmap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4idmap.c
++++ b/fs/nfs/nfs4idmap.c
+@@ -343,7 +343,7 @@ static ssize_t nfs_idmap_lookup_name(__u
+ int id_len;
+ ssize_t ret;
+
+- id_len = snprintf(id_str, sizeof(id_str), "%u", id);
++ id_len = nfs_map_numeric_to_string(id, id_str, sizeof(id_str));
+ ret = nfs_idmap_get_key(id_str, id_len, type, buf, buflen, idmap);
+ if (ret < 0)
+ return -EINVAL;
+@@ -627,7 +627,8 @@ static int nfs_idmap_read_and_verify_mes
+ if (strcmp(upcall->im_name, im->im_name) != 0)
+ break;
+ /* Note: here we store the NUL terminator too */
+- len = sprintf(id_str, "%d", im->im_id) + 1;
++ len = 1 + nfs_map_numeric_to_string(im->im_id, id_str,
++ sizeof(id_str));
+ ret = nfs_idmap_instantiate(key, authkey, id_str, len);
+ break;
+ case IDMAP_CONV_IDTONAME:
--- /dev/null
+From fc40724fc6731d90cc7fb6d62d66135f85a33dd2 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Sat, 9 Jun 2018 12:43:06 -0400
+Subject: NFSv4: Revert commit 5f83d86cf531d ("NFSv4.x: Fix wraparound issues..")
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit fc40724fc6731d90cc7fb6d62d66135f85a33dd2 upstream.
+
+The correct behaviour for NFSv4 sequence IDs is to wrap around
+to the value 0 after 0xffffffff.
+See https://tools.ietf.org/html/rfc5661#section-2.10.6.1
+
+Fixes: 5f83d86cf531d ("NFSv4.x: Fix wraparound issues when validing...")
+Cc: stable@vger.kernel.org # 4.6+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/callback_proc.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/fs/nfs/callback_proc.c
++++ b/fs/nfs/callback_proc.c
+@@ -420,11 +420,8 @@ validate_seqid(const struct nfs4_slot_ta
+ return htonl(NFS4ERR_SEQ_FALSE_RETRY);
+ }
+
+- /* Wraparound */
+- if (unlikely(slot->seq_nr == 0xFFFFFFFFU)) {
+- if (args->csa_sequenceid == 1)
+- return htonl(NFS4_OK);
+- } else if (likely(args->csa_sequenceid == slot->seq_nr + 1))
++ /* Note: wraparound relies on seq_nr being of type u32 */
++ if (likely(args->csa_sequenceid == slot->seq_nr + 1))
+ return htonl(NFS4_OK);
+
+ /* Misordered request */
--- /dev/null
+From bd2e49ec48feb1855f7624198849eea4610e2286 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Thu, 31 May 2018 13:23:43 +0300
+Subject: perf intel-pt: Fix decoding to accept CBR between FUP and corresponding TIP
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit bd2e49ec48feb1855f7624198849eea4610e2286 upstream.
+
+It is possible to have a CBR packet between a FUP packet and
+corresponding TIP packet. Stop treating it as an error.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/1527762225-26024-3-git-send-email-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -1604,7 +1604,6 @@ static int intel_pt_walk_fup_tip(struct
+ case INTEL_PT_PSB:
+ case INTEL_PT_TSC:
+ case INTEL_PT_TMA:
+- case INTEL_PT_CBR:
+ case INTEL_PT_MODE_TSX:
+ case INTEL_PT_BAD:
+ case INTEL_PT_PSBEND:
+@@ -1620,6 +1619,10 @@ static int intel_pt_walk_fup_tip(struct
+ decoder->pkt_step = 0;
+ return -ENOENT;
+
++ case INTEL_PT_CBR:
++ intel_pt_calc_cbr(decoder);
++ break;
++
+ case INTEL_PT_OVF:
+ return intel_pt_overflow(decoder);
+
--- /dev/null
+From dd27b87ab5fcf3ea1c060b5e3ab5d31cc78e9f4c Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Thu, 31 May 2018 13:23:44 +0300
+Subject: perf intel-pt: Fix MTC timing after overflow
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit dd27b87ab5fcf3ea1c060b5e3ab5d31cc78e9f4c upstream.
+
+On some platforms, overflows will clear before MTC wraparound, and there
+is no following TSC/TMA packet. In that case the previous TMA is valid.
+Since there will be a valid TMA either way, stop setting 'have_tma' to
+false upon overflow.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/1527762225-26024-4-git-send-email-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -1376,7 +1376,6 @@ static int intel_pt_overflow(struct inte
+ {
+ intel_pt_log("ERROR: Buffer overflow\n");
+ intel_pt_clear_tx_flags(decoder);
+- decoder->have_tma = false;
+ decoder->cbr = 0;
+ decoder->timestamp_insn_cnt = 0;
+ decoder->pkt_state = INTEL_PT_STATE_ERR_RESYNC;
--- /dev/null
+From 621a5a327c1e36ffd7bb567f44a559f64f76358f Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Thu, 7 Jun 2018 14:30:02 +0300
+Subject: perf intel-pt: Fix packet decoding of CYC packets
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 621a5a327c1e36ffd7bb567f44a559f64f76358f upstream.
+
+Use a 64-bit type so that the cycle count is not limited to 32-bits.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/1528371002-8862-1-git-send-email-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-pkt-decoder.c
+@@ -366,7 +366,7 @@ static int intel_pt_get_cyc(unsigned int
+ if (len < offs)
+ return INTEL_PT_NEED_MORE_BYTES;
+ byte = buf[offs++];
+- payload |= (byte >> 1) << shift;
++ payload |= ((uint64_t)byte >> 1) << shift;
+ }
+
+ packet->type = INTEL_PT_CYC;
--- /dev/null
+From dbcb82b93f3e8322891e47472c89e63058b81e99 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Thu, 31 May 2018 13:23:42 +0300
+Subject: perf intel-pt: Fix sync_switch INTEL_PT_SS_NOT_TRACING
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit dbcb82b93f3e8322891e47472c89e63058b81e99 upstream.
+
+sync_switch is a facility to synchronize decoding more closely with the
+point in the kernel when the context actually switched.
+
+In one case, INTEL_PT_SS_NOT_TRACING state was not correctly
+transitioning to INTEL_PT_SS_TRACING state due to a missing case clause.
+Add it.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/1527762225-26024-2-git-send-email-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/intel-pt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/perf/util/intel-pt.c
++++ b/tools/perf/util/intel-pt.c
+@@ -1523,6 +1523,7 @@ static int intel_pt_sample(struct intel_
+
+ if (intel_pt_is_switch_ip(ptq, state->to_ip)) {
+ switch (ptq->switch_state) {
++ case INTEL_PT_SS_NOT_TRACING:
+ case INTEL_PT_SS_UNKNOWN:
+ case INTEL_PT_SS_EXPECTING_SWITCH_IP:
+ err = intel_pt_next_tid(pt, ptq);
--- /dev/null
+From 9fb523363f6e3984457fee95bb7019395384ffa7 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Thu, 31 May 2018 13:23:45 +0300
+Subject: perf intel-pt: Fix "Unexpected indirect branch" error
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 9fb523363f6e3984457fee95bb7019395384ffa7 upstream.
+
+Some Atom CPUs can produce FUP packets that contain NLIP (next linear
+instruction pointer) instead of CLIP (current linear instruction
+pointer). That will result in "Unexpected indirect branch" errors. Fix
+by comparing IP to NLIP in that case.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/1527762225-26024-5-git-send-email-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 17 +++++++++++++++--
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.h | 9 +++++++++
+ tools/perf/util/intel-pt.c | 4 ++++
+ 3 files changed, 28 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -113,6 +113,7 @@ struct intel_pt_decoder {
+ bool have_cyc;
+ bool fixup_last_mtc;
+ bool have_last_ip;
++ enum intel_pt_param_flags flags;
+ uint64_t pos;
+ uint64_t last_ip;
+ uint64_t ip;
+@@ -226,6 +227,8 @@ struct intel_pt_decoder *intel_pt_decode
+ decoder->return_compression = params->return_compression;
+ decoder->branch_enable = params->branch_enable;
+
++ decoder->flags = params->flags;
++
+ decoder->period = params->period;
+ decoder->period_type = params->period_type;
+
+@@ -1097,6 +1100,15 @@ static bool intel_pt_fup_event(struct in
+ return ret;
+ }
+
++static inline bool intel_pt_fup_with_nlip(struct intel_pt_decoder *decoder,
++ struct intel_pt_insn *intel_pt_insn,
++ uint64_t ip, int err)
++{
++ return decoder->flags & INTEL_PT_FUP_WITH_NLIP && !err &&
++ intel_pt_insn->branch == INTEL_PT_BR_INDIRECT &&
++ ip == decoder->ip + intel_pt_insn->length;
++}
++
+ static int intel_pt_walk_fup(struct intel_pt_decoder *decoder)
+ {
+ struct intel_pt_insn intel_pt_insn;
+@@ -1109,10 +1121,11 @@ static int intel_pt_walk_fup(struct inte
+ err = intel_pt_walk_insn(decoder, &intel_pt_insn, ip);
+ if (err == INTEL_PT_RETURN)
+ return 0;
+- if (err == -EAGAIN) {
++ if (err == -EAGAIN ||
++ intel_pt_fup_with_nlip(decoder, &intel_pt_insn, ip, err)) {
+ if (intel_pt_fup_event(decoder))
+ return 0;
+- return err;
++ return -EAGAIN;
+ }
+ decoder->set_fup_tx_flags = false;
+ if (err)
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.h
+@@ -60,6 +60,14 @@ enum {
+ INTEL_PT_ERR_MAX,
+ };
+
++enum intel_pt_param_flags {
++ /*
++ * FUP packet can contain next linear instruction pointer instead of
++ * current linear instruction pointer.
++ */
++ INTEL_PT_FUP_WITH_NLIP = 1 << 0,
++};
++
+ struct intel_pt_state {
+ enum intel_pt_sample_type type;
+ int err;
+@@ -106,6 +114,7 @@ struct intel_pt_params {
+ unsigned int mtc_period;
+ uint32_t tsc_ctc_ratio_n;
+ uint32_t tsc_ctc_ratio_d;
++ enum intel_pt_param_flags flags;
+ };
+
+ struct intel_pt_decoder;
+--- a/tools/perf/util/intel-pt.c
++++ b/tools/perf/util/intel-pt.c
+@@ -751,6 +751,7 @@ static struct intel_pt_queue *intel_pt_a
+ unsigned int queue_nr)
+ {
+ struct intel_pt_params params = { .get_trace = 0, };
++ struct perf_env *env = pt->machine->env;
+ struct intel_pt_queue *ptq;
+
+ ptq = zalloc(sizeof(struct intel_pt_queue));
+@@ -832,6 +833,9 @@ static struct intel_pt_queue *intel_pt_a
+ }
+ }
+
++ if (env->cpuid && !strncmp(env->cpuid, "GenuineIntel,6,92,", 18))
++ params.flags |= INTEL_PT_FUP_WITH_NLIP;
++
+ ptq->decoder = intel_pt_decoder_new(¶ms);
+ if (!ptq->decoder)
+ goto out_free;
--- /dev/null
+From aef4feace285f27c8ed35830a5d575bec7f3e90a Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Mon, 4 Jun 2018 15:56:54 +0300
+Subject: perf tools: Fix symbol and object code resolution for vdso32 and vdsox32
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit aef4feace285f27c8ed35830a5d575bec7f3e90a upstream.
+
+Fix __kmod_path__parse() so that perf tools does not treat vdso32 and
+vdsox32 as kernel modules and fail to find the object.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Wang Nan <wangnan0@huawei.com>
+Cc: stable@vger.kernel.org
+Fixes: 1f121b03d058 ("perf tools: Deal with kernel module names in '[]' correctly")
+Link: http://lkml.kernel.org/r/1528117014-30032-3-git-send-email-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/dso.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/tools/perf/util/dso.c
++++ b/tools/perf/util/dso.c
+@@ -354,6 +354,8 @@ int __kmod_path__parse(struct kmod_path
+ if ((strncmp(name, "[kernel.kallsyms]", 17) == 0) ||
+ (strncmp(name, "[guest.kernel.kallsyms", 22) == 0) ||
+ (strncmp(name, "[vdso]", 6) == 0) ||
++ (strncmp(name, "[vdso32]", 8) == 0) ||
++ (strncmp(name, "[vdsox32]", 9) == 0) ||
+ (strncmp(name, "[vsyscall]", 10) == 0)) {
+ m->kmod = false;
+
--- /dev/null
+From 1d375b58c12f08d8570b30b865def4734517f04f Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Thu, 26 Apr 2018 14:10:23 +0200
+Subject: pwm: lpss: platform: Save/restore the ctrl register over a suspend/resume
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 1d375b58c12f08d8570b30b865def4734517f04f upstream.
+
+On some devices the contents of the ctrl register get lost over a
+suspend/resume and the PWM comes back up disabled after the resume.
+
+This is seen on some Bay Trail devices with the PWM in ACPI enumerated
+mode, so it shows up as a platform device instead of a PCI device.
+
+If we still think it is enabled and then try to change the duty-cycle
+after this, we end up with a "PWM_SW_UPDATE was not cleared" error and
+the PWM is stuck in that state from then on.
+
+This commit adds suspend and resume pm callbacks to the pwm-lpss-platform
+code, which save/restore the ctrl register over a suspend/resume, fixing
+this.
+
+Note that:
+
+1) There is no need to do this over a runtime suspend, since we
+only runtime suspend when disabled and then we properly set the enable
+bit and reprogram the timings when we re-enable the PWM.
+
+2) This may be happening on more systems then we realize, but has been
+covered up sofar by a bug in the acpi-lpss.c code which was save/restoring
+the regular device registers instead of the lpss private registers due to
+lpss_device_desc.prv_offset not being set. This is fixed by a later patch
+in this series.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pwm/pwm-lpss-platform.c | 5 +++++
+ drivers/pwm/pwm-lpss.c | 30 ++++++++++++++++++++++++++++++
+ drivers/pwm/pwm-lpss.h | 2 ++
+ 3 files changed, 37 insertions(+)
+
+--- a/drivers/pwm/pwm-lpss-platform.c
++++ b/drivers/pwm/pwm-lpss-platform.c
+@@ -74,6 +74,10 @@ static int pwm_lpss_remove_platform(stru
+ return pwm_lpss_remove(lpwm);
+ }
+
++static SIMPLE_DEV_PM_OPS(pwm_lpss_platform_pm_ops,
++ pwm_lpss_suspend,
++ pwm_lpss_resume);
++
+ static const struct acpi_device_id pwm_lpss_acpi_match[] = {
+ { "80860F09", (unsigned long)&pwm_lpss_byt_info },
+ { "80862288", (unsigned long)&pwm_lpss_bsw_info },
+@@ -86,6 +90,7 @@ static struct platform_driver pwm_lpss_d
+ .driver = {
+ .name = "pwm-lpss",
+ .acpi_match_table = pwm_lpss_acpi_match,
++ .pm = &pwm_lpss_platform_pm_ops,
+ },
+ .probe = pwm_lpss_probe_platform,
+ .remove = pwm_lpss_remove_platform,
+--- a/drivers/pwm/pwm-lpss.c
++++ b/drivers/pwm/pwm-lpss.c
+@@ -32,10 +32,13 @@
+ /* Size of each PWM register space if multiple */
+ #define PWM_SIZE 0x400
+
++#define MAX_PWMS 4
++
+ struct pwm_lpss_chip {
+ struct pwm_chip chip;
+ void __iomem *regs;
+ const struct pwm_lpss_boardinfo *info;
++ u32 saved_ctrl[MAX_PWMS];
+ };
+
+ static inline struct pwm_lpss_chip *to_lpwm(struct pwm_chip *chip)
+@@ -177,6 +180,9 @@ struct pwm_lpss_chip *pwm_lpss_probe(str
+ unsigned long c;
+ int ret;
+
++ if (WARN_ON(info->npwm > MAX_PWMS))
++ return ERR_PTR(-ENODEV);
++
+ lpwm = devm_kzalloc(dev, sizeof(*lpwm), GFP_KERNEL);
+ if (!lpwm)
+ return ERR_PTR(-ENOMEM);
+@@ -212,6 +218,30 @@ int pwm_lpss_remove(struct pwm_lpss_chip
+ }
+ EXPORT_SYMBOL_GPL(pwm_lpss_remove);
+
++int pwm_lpss_suspend(struct device *dev)
++{
++ struct pwm_lpss_chip *lpwm = dev_get_drvdata(dev);
++ int i;
++
++ for (i = 0; i < lpwm->info->npwm; i++)
++ lpwm->saved_ctrl[i] = readl(lpwm->regs + i * PWM_SIZE + PWM);
++
++ return 0;
++}
++EXPORT_SYMBOL_GPL(pwm_lpss_suspend);
++
++int pwm_lpss_resume(struct device *dev)
++{
++ struct pwm_lpss_chip *lpwm = dev_get_drvdata(dev);
++ int i;
++
++ for (i = 0; i < lpwm->info->npwm; i++)
++ writel(lpwm->saved_ctrl[i], lpwm->regs + i * PWM_SIZE + PWM);
++
++ return 0;
++}
++EXPORT_SYMBOL_GPL(pwm_lpss_resume);
++
+ MODULE_DESCRIPTION("PWM driver for Intel LPSS");
+ MODULE_AUTHOR("Mika Westerberg <mika.westerberg@linux.intel.com>");
+ MODULE_LICENSE("GPL v2");
+--- a/drivers/pwm/pwm-lpss.h
++++ b/drivers/pwm/pwm-lpss.h
+@@ -28,5 +28,7 @@ struct pwm_lpss_boardinfo {
+ struct pwm_lpss_chip *pwm_lpss_probe(struct device *dev, struct resource *r,
+ const struct pwm_lpss_boardinfo *info);
+ int pwm_lpss_remove(struct pwm_lpss_chip *lpwm);
++int pwm_lpss_suspend(struct device *dev);
++int pwm_lpss_resume(struct device *dev);
+
+ #endif /* __PWM_LPSS_H */
--- /dev/null
+From 23edca864951250af845a11da86bb3ea63522ed2 Mon Sep 17 00:00:00 2001
+From: Dongsheng Yang <dongsheng.yang@easystack.cn>
+Date: Mon, 4 Jun 2018 06:24:37 -0400
+Subject: rbd: flush rbd_dev->watch_dwork after watch is unregistered
+
+From: Dongsheng Yang <dongsheng.yang@easystack.cn>
+
+commit 23edca864951250af845a11da86bb3ea63522ed2 upstream.
+
+There is a problem if we are going to unmap a rbd device and the
+watch_dwork is going to queue delayed work for watch:
+
+unmap Thread watch Thread timer
+do_rbd_remove
+ cancel_tasks_sync(rbd_dev)
+ queue_delayed_work for watch
+ destroy_workqueue(rbd_dev->task_wq)
+ drain_workqueue(wq)
+ destroy other resources in wq
+ call_timer_fn
+ __queue_work()
+
+Then the delayed work escape the cancel_tasks_sync() and
+destroy_workqueue() and we will get an user-after-free call trace:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP PTI
+ Modules linked in:
+ CPU: 7 PID: 0 Comm: swapper/7 Tainted: G OE 4.17.0-rc6+ #13
+ Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ RIP: 0010:__queue_work+0x6a/0x3b0
+ RSP: 0018:ffff9427df1c3e90 EFLAGS: 00010086
+ RAX: ffff9427deca8400 RBX: 0000000000000000 RCX: 0000000000000000
+ RDX: ffff9427deca8400 RSI: ffff9427df1c3e50 RDI: 0000000000000000
+ RBP: ffff942783e39e00 R08: ffff9427deca8400 R09: ffff9427df1c3f00
+ R10: 0000000000000004 R11: 0000000000000005 R12: ffff9427cfb85970
+ R13: 0000000000002000 R14: 000000000001eca0 R15: 0000000000000007
+ FS: 0000000000000000(0000) GS:ffff9427df1c0000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000000 CR3: 00000004c900a005 CR4: 00000000000206e0
+ Call Trace:
+ <IRQ>
+ ? __queue_work+0x3b0/0x3b0
+ call_timer_fn+0x2d/0x130
+ run_timer_softirq+0x16e/0x430
+ ? tick_sched_timer+0x37/0x70
+ __do_softirq+0xd2/0x280
+ irq_exit+0xd5/0xe0
+ smp_apic_timer_interrupt+0x6c/0x130
+ apic_timer_interrupt+0xf/0x20
+
+[ Move rbd_dev->watch_dwork cancellation so that rbd_reregister_watch()
+ either bails out early because the watch is UNREGISTERED at that point
+ or just gets cancelled. ]
+
+Cc: stable@vger.kernel.org
+Fixes: 99d1694310df ("rbd: retry watch re-registration periodically")
+Signed-off-by: Dongsheng Yang <dongsheng.yang@easystack.cn>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/rbd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/block/rbd.c
++++ b/drivers/block/rbd.c
+@@ -3397,7 +3397,6 @@ static void cancel_tasks_sync(struct rbd
+ {
+ dout("%s rbd_dev %p\n", __func__, rbd_dev);
+
+- cancel_delayed_work_sync(&rbd_dev->watch_dwork);
+ cancel_work_sync(&rbd_dev->acquired_lock_work);
+ cancel_work_sync(&rbd_dev->released_lock_work);
+ cancel_delayed_work_sync(&rbd_dev->lock_dwork);
+@@ -3415,6 +3414,7 @@ static void rbd_unregister_watch(struct
+ rbd_dev->watch_state = RBD_WATCH_STATE_UNREGISTERED;
+ mutex_unlock(&rbd_dev->watch_mutex);
+
++ cancel_delayed_work_sync(&rbd_dev->watch_dwork);
+ ceph_osdc_flush_notifies(&rbd_dev->rbd_client->client->osdc);
+ }
+
--- /dev/null
+From 2724807f7f70a6a3e67b3f6bf921cc77ed39c8a1 Mon Sep 17 00:00:00 2001
+From: Sibi Sankar <sibis@codeaurora.org>
+Date: Wed, 18 Apr 2018 01:14:15 +0530
+Subject: remoteproc: Prevent incorrect rproc state on xfer mem ownership failure
+
+From: Sibi Sankar <sibis@codeaurora.org>
+
+commit 2724807f7f70a6a3e67b3f6bf921cc77ed39c8a1 upstream.
+
+Any failure in the secure call for transferring mem ownership of mba
+region to Q6 would result in reporting that the remoteproc device
+is running. This is because the previous q6v5_clk_enable would have
+been a success. Prevent this by updating variable 'ret' accordingly.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sibi Sankar <sibis@codeaurora.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/remoteproc/qcom_q6v5_pil.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/remoteproc/qcom_q6v5_pil.c
++++ b/drivers/remoteproc/qcom_q6v5_pil.c
+@@ -761,13 +761,11 @@ static int q6v5_start(struct rproc *rpro
+ }
+
+ /* Assign MBA image access in DDR to q6 */
+- xfermemop_ret = q6v5_xfer_mem_ownership(qproc, &qproc->mba_perm, true,
+- qproc->mba_phys,
+- qproc->mba_size);
+- if (xfermemop_ret) {
++ ret = q6v5_xfer_mem_ownership(qproc, &qproc->mba_perm, true,
++ qproc->mba_phys, qproc->mba_size);
++ if (ret) {
+ dev_err(qproc->dev,
+- "assigning Q6 access to mba memory failed: %d\n",
+- xfermemop_ret);
++ "assigning Q6 access to mba memory failed: %d\n", ret);
+ goto disable_active_clks;
+ }
+
--- /dev/null
+From 2a2c8ee2d72c4f1ba0f7fbb02dc74f971df0f934 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Sat, 16 Jun 2018 22:37:56 +0900
+Subject: Revert "i2c: algo-bit: init the bus to a known state"
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+commit 2a2c8ee2d72c4f1ba0f7fbb02dc74f971df0f934 upstream.
+
+This reverts commit 3e5f06bed72fe72166a6778f630241a893f67799. As per
+bugzilla #200045, this caused a regression. I don't really see a way to
+fix it without having the hardware. So, revert the patch and I will fix
+the issue I was seeing originally in the i2c-gpio driver itself. I
+couldn't find new users of this algorithm since, so there should be no
+one depending on the new behaviour.
+
+Reported-by: Sergey Larin <cerg2010cerg2010@mail.ru>
+Fixes: 3e5f06bed72f ("i2c: algo-bit: init the bus to a known state")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Tested-by: Sergey Larin <cerg2010cerg2010@mail.ru>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/algos/i2c-algo-bit.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/i2c/algos/i2c-algo-bit.c
++++ b/drivers/i2c/algos/i2c-algo-bit.c
+@@ -649,11 +649,6 @@ static int __i2c_bit_add_bus(struct i2c_
+ if (bit_adap->getscl == NULL)
+ adap->quirks = &i2c_bit_quirk_no_clk_stretch;
+
+- /* Bring bus to a known state. Looks like STOP if bus is not free yet */
+- setscl(bit_adap, 1);
+- udelay(bit_adap->udelay);
+- setsda(bit_adap, 1);
+-
+ ret = add_adapter(adap);
+ if (ret < 0)
+ return ret;
--- /dev/null
+From e16c4790de39dc861b749674c2a9319507f6f64f Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 11 Jun 2018 12:22:12 -0700
+Subject: Revert "iommu/amd_iommu: Use CONFIG_DMA_DIRECT_OPS=y and dma_direct_{alloc,free}()"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit e16c4790de39dc861b749674c2a9319507f6f64f upstream.
+
+This reverts commit b468620f2a1dfdcfddfd6fa54367b8bcc1b51248.
+
+It turns out that this broke drm on AMD platforms. Quoting Gabriel C:
+ "I can confirm reverting b468620f2a1dfdcfddfd6fa54367b8bcc1b51248 fixes
+ that issue for me.
+
+ The GPU is working fine with SME enabled.
+
+ Now with working GPU :) I can also confirm performance is back to
+ normal without doing any other workarounds"
+
+Christan König analyzed it partially:
+ "As far as I analyzed it we now get an -ENOMEM from dma_alloc_attrs()
+ in drivers/gpu/drm/ttm/ttm_page_alloc_dma.c when IOMMU is enabled"
+
+and Christoph Hellwig responded:
+ "I think the prime issue is that dma_direct_alloc respects the dma
+ mask. Which we don't need if actually using the iommu. This would be
+ mostly harmless exept for the the SEV bit high in the address that
+ makes the checks fail.
+
+ For now I'd say revert this commit for 4.17/4.18-rc and I'll look into
+ addressing these issues properly"
+
+Reported-and-bisected-by: Gabriel C <nix.or.die@gmail.com>
+Acked-by: Christoph Hellwig <hch@lst.de>
+Cc: Christian König <christian.koenig@amd.com>
+Cc: Michel Dänzer <michel.daenzer@amd.com>
+Cc: Joerg Roedel <jroedel@suse.de>
+Cc: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: stable@kernel.org # v4.17
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/Kconfig | 1
+ drivers/iommu/amd_iommu.c | 68 +++++++++++++++++++++++++++++++---------------
+ 2 files changed, 47 insertions(+), 22 deletions(-)
+
+--- a/drivers/iommu/Kconfig
++++ b/drivers/iommu/Kconfig
+@@ -107,7 +107,6 @@ config IOMMU_PGTABLES_L2
+ # AMD IOMMU support
+ config AMD_IOMMU
+ bool "AMD IOMMU support"
+- select DMA_DIRECT_OPS
+ select SWIOTLB
+ select PCI_MSI
+ select PCI_ATS
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -2593,32 +2593,51 @@ static void *alloc_coherent(struct devic
+ unsigned long attrs)
+ {
+ u64 dma_mask = dev->coherent_dma_mask;
+- struct protection_domain *domain = get_domain(dev);
+- bool is_direct = false;
+- void *virt_addr;
++ struct protection_domain *domain;
++ struct dma_ops_domain *dma_dom;
++ struct page *page;
++
++ domain = get_domain(dev);
++ if (PTR_ERR(domain) == -EINVAL) {
++ page = alloc_pages(flag, get_order(size));
++ *dma_addr = page_to_phys(page);
++ return page_address(page);
++ } else if (IS_ERR(domain))
++ return NULL;
++
++ dma_dom = to_dma_ops_domain(domain);
++ size = PAGE_ALIGN(size);
++ dma_mask = dev->coherent_dma_mask;
++ flag &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
++ flag |= __GFP_ZERO;
++
++ page = alloc_pages(flag | __GFP_NOWARN, get_order(size));
++ if (!page) {
++ if (!gfpflags_allow_blocking(flag))
++ return NULL;
+
+- if (IS_ERR(domain)) {
+- if (PTR_ERR(domain) != -EINVAL)
++ page = dma_alloc_from_contiguous(dev, size >> PAGE_SHIFT,
++ get_order(size), flag);
++ if (!page)
+ return NULL;
+- is_direct = true;
+ }
+
+- virt_addr = dma_direct_alloc(dev, size, dma_addr, flag, attrs);
+- if (!virt_addr || is_direct)
+- return virt_addr;
+-
+ if (!dma_mask)
+ dma_mask = *dev->dma_mask;
+
+- *dma_addr = __map_single(dev, to_dma_ops_domain(domain),
+- virt_to_phys(virt_addr), PAGE_ALIGN(size),
+- DMA_BIDIRECTIONAL, dma_mask);
++ *dma_addr = __map_single(dev, dma_dom, page_to_phys(page),
++ size, DMA_BIDIRECTIONAL, dma_mask);
++
+ if (*dma_addr == AMD_IOMMU_MAPPING_ERROR)
+ goto out_free;
+- return virt_addr;
++
++ return page_address(page);
+
+ out_free:
+- dma_direct_free(dev, size, virt_addr, *dma_addr, attrs);
++
++ if (!dma_release_from_contiguous(dev, page, size >> PAGE_SHIFT))
++ __free_pages(page, get_order(size));
++
+ return NULL;
+ }
+
+@@ -2629,17 +2648,24 @@ static void free_coherent(struct device
+ void *virt_addr, dma_addr_t dma_addr,
+ unsigned long attrs)
+ {
+- struct protection_domain *domain = get_domain(dev);
++ struct protection_domain *domain;
++ struct dma_ops_domain *dma_dom;
++ struct page *page;
+
++ page = virt_to_page(virt_addr);
+ size = PAGE_ALIGN(size);
+
+- if (!IS_ERR(domain)) {
+- struct dma_ops_domain *dma_dom = to_dma_ops_domain(domain);
++ domain = get_domain(dev);
++ if (IS_ERR(domain))
++ goto free_mem;
+
+- __unmap_single(dma_dom, dma_addr, size, DMA_BIDIRECTIONAL);
+- }
++ dma_dom = to_dma_ops_domain(domain);
++
++ __unmap_single(dma_dom, dma_addr, size, DMA_BIDIRECTIONAL);
+
+- dma_direct_free(dev, size, virt_addr, dma_addr, attrs);
++free_mem:
++ if (!dma_release_from_contiguous(dev, page, size >> PAGE_SHIFT))
++ __free_pages(page, get_order(size));
+ }
+
+ /*
--- /dev/null
+From 4a2e84c6ed85434ce7843e4844b4d3263f7e233b Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Mon, 4 Jun 2018 10:39:01 +0100
+Subject: rpmsg: smd: do not use mananged resources for endpoints and channels
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+commit 4a2e84c6ed85434ce7843e4844b4d3263f7e233b upstream.
+
+All the managed resources would be freed by the time release function
+is invoked. Handling such memory in qcom_smd_edge_release() would do
+bad things.
+
+Found this issue while testing Audio usecase where the dsp is started up
+and shutdown in a loop.
+
+This patch fixes this issue by using simple kzalloc for allocating
+channel->name and channel which is then freed in qcom_smd_edge_release().
+
+Without this patch restarting a remoteproc would crash the system.
+Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rpmsg/qcom_smd.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/rpmsg/qcom_smd.c
++++ b/drivers/rpmsg/qcom_smd.c
+@@ -1100,12 +1100,12 @@ static struct qcom_smd_channel *qcom_smd
+ void *info;
+ int ret;
+
+- channel = devm_kzalloc(&edge->dev, sizeof(*channel), GFP_KERNEL);
++ channel = kzalloc(sizeof(*channel), GFP_KERNEL);
+ if (!channel)
+ return ERR_PTR(-ENOMEM);
+
+ channel->edge = edge;
+- channel->name = devm_kstrdup(&edge->dev, name, GFP_KERNEL);
++ channel->name = kstrdup(name, GFP_KERNEL);
+ if (!channel->name)
+ return ERR_PTR(-ENOMEM);
+
+@@ -1156,8 +1156,8 @@ static struct qcom_smd_channel *qcom_smd
+ return channel;
+
+ free_name_and_channel:
+- devm_kfree(&edge->dev, channel->name);
+- devm_kfree(&edge->dev, channel);
++ kfree(channel->name);
++ kfree(channel);
+
+ return ERR_PTR(ret);
+ }
+@@ -1378,13 +1378,13 @@ static int qcom_smd_parse_edge(struct de
+ */
+ static void qcom_smd_edge_release(struct device *dev)
+ {
+- struct qcom_smd_channel *channel;
++ struct qcom_smd_channel *channel, *tmp;
+ struct qcom_smd_edge *edge = to_smd_edge(dev);
+
+- list_for_each_entry(channel, &edge->channels, list) {
+- SET_RX_CHANNEL_INFO(channel, state, SMD_CHANNEL_CLOSED);
+- SET_RX_CHANNEL_INFO(channel, head, 0);
+- SET_RX_CHANNEL_INFO(channel, tail, 0);
++ list_for_each_entry_safe(channel, tmp, &edge->channels, list) {
++ list_del(&channel->list);
++ kfree(channel->name);
++ kfree(channel);
+ }
+
+ kfree(edge);
--- /dev/null
+From 09018d4bd7994c2c9f775029bc24589bc85f76fa Mon Sep 17 00:00:00 2001
+From: Michael Trimarchi <michael@amarulasolutions.com>
+Date: Wed, 30 May 2018 23:57:44 +0530
+Subject: rtc: sun6i: Fix bit_idx value for clk_register_gate
+
+From: Michael Trimarchi <michael@amarulasolutions.com>
+
+commit 09018d4bd7994c2c9f775029bc24589bc85f76fa upstream.
+
+clk-gate core will take bit_idx through clk_register_gate
+and then do clk_gate_ops by using BIT(bit_idx), but rtc-sun6i
+is passing bit_idx as BIT(bit_idx) it becomes BIT(BIT(bit_idx)
+which is wrong and eventually external gate clock is not enabling.
+
+This patch fixed by passing bit index and the original change
+introduced from below commit.
+"rtc: sun6i: Add support for the external oscillator gate"
+(sha1: 17ecd246414b3a0fe0cb248c86977a8bda465b7b)
+
+Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
+Fixes: 17ecd246414b ("rtc: sun6i: Add support for the external oscillator gate")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
+Acked-by: Maxime Ripard <maxime.ripard@bootlin.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rtc/rtc-sun6i.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/rtc/rtc-sun6i.c
++++ b/drivers/rtc/rtc-sun6i.c
+@@ -74,7 +74,7 @@
+ #define SUN6I_ALARM_CONFIG_WAKEUP BIT(0)
+
+ #define SUN6I_LOSC_OUT_GATING 0x0060
+-#define SUN6I_LOSC_OUT_GATING_EN BIT(0)
++#define SUN6I_LOSC_OUT_GATING_EN_OFFSET 0
+
+ /*
+ * Get date values
+@@ -255,7 +255,7 @@ static void __init sun6i_rtc_clk_init(st
+ &clkout_name);
+ rtc->ext_losc = clk_register_gate(NULL, clkout_name, rtc->hw.init->name,
+ 0, rtc->base + SUN6I_LOSC_OUT_GATING,
+- SUN6I_LOSC_OUT_GATING_EN, 0,
++ SUN6I_LOSC_OUT_GATING_EN_OFFSET, 0,
+ &rtc->lock);
+ if (IS_ERR(rtc->ext_losc)) {
+ pr_crit("Couldn't register the LOSC external gate\n");
--- /dev/null
+From 0d98ba8d70b0070ac117452ea0b663e26bbf46bf Mon Sep 17 00:00:00 2001
+From: Sinan Kaya <okaya@codeaurora.org>
+Date: Sat, 2 Jun 2018 00:28:53 -0400
+Subject: scsi: hpsa: disable device during shutdown
+
+From: Sinan Kaya <okaya@codeaurora.org>
+
+commit 0d98ba8d70b0070ac117452ea0b663e26bbf46bf upstream.
+
+'Commit cc27b735ad3a ("PCI/portdrv: Turn off PCIe services during
+shutdown")' has been added to kernel to shutdown pending PCIe port service
+interrupts during reboot so that a newly started kexec kernel wouldn't
+observe pending interrupts.
+
+pcie_port_device_remove() is disabling the root port and switches by
+calling pci_disable_device() after all PCIe service drivers are shutdown.
+
+This has been found to cause crashes on HP DL360 Gen9 machines during
+reboot due to hpsa driver not clearing the bus master bit during the
+shutdown procedure by calling pci_disable_device().
+
+Disable device as part of the shutdown sequence.
+
+Signed-off-by: Sinan Kaya <okaya@codeaurora.org>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199779
+Fixes: cc27b735ad3a ("PCI/portdrv: Turn off PCIe services during shutdown")
+Cc: stable@vger.kernel.org
+Reported-by: Ryan Finnie <ryan@finnie.org>
+Tested-by: Don Brace <don.brace@microsemi.com>
+Acked-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/hpsa.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -8869,7 +8869,7 @@ out:
+ kfree(options);
+ }
+
+-static void hpsa_shutdown(struct pci_dev *pdev)
++static void __hpsa_shutdown(struct pci_dev *pdev)
+ {
+ struct ctlr_info *h;
+
+@@ -8884,6 +8884,12 @@ static void hpsa_shutdown(struct pci_dev
+ hpsa_disable_interrupt_mode(h); /* pci_init 2 */
+ }
+
++static void hpsa_shutdown(struct pci_dev *pdev)
++{
++ __hpsa_shutdown(pdev);
++ pci_disable_device(pdev);
++}
++
+ static void hpsa_free_device_info(struct ctlr_info *h)
+ {
+ int i;
+@@ -8927,7 +8933,7 @@ static void hpsa_remove_one(struct pci_d
+ scsi_remove_host(h->scsi_host); /* init_one 8 */
+ /* includes hpsa_free_irqs - init_one 4 */
+ /* includes hpsa_disable_interrupt_mode - pci_init 2 */
+- hpsa_shutdown(pdev);
++ __hpsa_shutdown(pdev);
+
+ hpsa_free_device_info(h); /* scan */
+
--- /dev/null
+From 1d317b21231bb2b81a6e0f94f708b8619ec8775b Mon Sep 17 00:00:00 2001
+From: Quinn Tran <quinn.tran@cavium.com>
+Date: Tue, 1 May 2018 09:01:46 -0700
+Subject: scsi: qla2xxx: Delete session for nport id change
+
+From: Quinn Tran <quinn.tran@cavium.com>
+
+commit 1d317b21231bb2b81a6e0f94f708b8619ec8775b upstream.
+
+This patch fixes regression introduced by commit a4239945b8ad ("scsi:
+qla2xxx: Add switch command to simplify fabric discovery") by scheduling
+session deletion when Nport ID changes.
+
+[mkp: clarified commit]
+
+Fixes: a4239945b8ad ("scsi: qla2xxx: Add switch command to simplify fabric discovery")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_gs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_gs.c
++++ b/drivers/scsi/qla2xxx/qla_gs.c
+@@ -3915,7 +3915,6 @@ void qla24xx_async_gnnft_done(scsi_qla_h
+ if (memcmp(rp->port_name, fcport->port_name, WWN_SIZE))
+ continue;
+ fcport->scan_state = QLA_FCPORT_FOUND;
+- fcport->d_id.b24 = rp->id.b24;
+ found = true;
+ /*
+ * If device was not a fabric device before.
+@@ -3923,7 +3922,10 @@ void qla24xx_async_gnnft_done(scsi_qla_h
+ if ((fcport->flags & FCF_FABRIC_DEVICE) == 0) {
+ qla2x00_clear_loop_id(fcport);
+ fcport->flags |= FCF_FABRIC_DEVICE;
++ } else if (fcport->d_id.b24 != rp->id.b24) {
++ qlt_schedule_sess_for_deletion(fcport);
+ }
++ fcport->d_id.b24 = rp->id.b24;
+ break;
+ }
+
--- /dev/null
+From 413c2f33489b134e3cc65d9c3ff7861e8fdfe899 Mon Sep 17 00:00:00 2001
+From: Himanshu Madhani <himanshu.madhani@cavium.com>
+Date: Sun, 3 Jun 2018 22:09:53 -0700
+Subject: scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails
+
+From: Himanshu Madhani <himanshu.madhani@cavium.com>
+
+commit 413c2f33489b134e3cc65d9c3ff7861e8fdfe899 upstream.
+
+This patch prevents driver from setting lower default speed of 1 GB/sec,
+if the switch does not support Get Port Speed Capabilities (GPSC)
+command. Setting this default speed results into much lower write
+performance for large sequential WRITE. This patch modifies driver to
+check for gpsc_supported flags and prevents driver from issuing
+MBC_SET_PORT_PARAM (001Ah) to set default speed of 1 GB/sec. If driver
+does not send this mailbox command, firmware assumes maximum supported
+link speed and will operate at the max speed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Reported-by: Eda Zhou <ezhou@redhat.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Tested-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_init.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -5037,7 +5037,8 @@ qla2x00_iidma_fcport(scsi_qla_host_t *vh
+ return;
+
+ if (fcport->fp_speed == PORT_SPEED_UNKNOWN ||
+- fcport->fp_speed > ha->link_data_rate)
++ fcport->fp_speed > ha->link_data_rate ||
++ !ha->flags.gpsc_supported)
+ return;
+
+ rval = qla2x00_set_idma_speed(vha, fcport->loop_id, fcport->fp_speed,
--- /dev/null
+From 3cedc8797b9c0f2222fd45a01f849c57c088828b Mon Sep 17 00:00:00 2001
+From: Anil Gurumurthy <anil.gurumurthy@cavium.com>
+Date: Wed, 6 Jun 2018 08:41:42 -0700
+Subject: scsi: qla2xxx: Mask off Scope bits in retry delay
+
+From: Anil Gurumurthy <anil.gurumurthy@cavium.com>
+
+commit 3cedc8797b9c0f2222fd45a01f849c57c088828b upstream.
+
+Some newer target uses "Status Qualifier" response in a returned "Busy
+Status". This new response code of 0x4001, which is "Scope" bits,
+translates to "Affects all units accessible by target". Due to this new
+value returned in the Scope bits, driver was using that value as timeout
+value which resulted into driver waiting for 27min timeout.
+
+This patch masks off this Scope bits so that driver does not use this
+value as retry delay time.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Anil Gurumurthy <anil.gurumurthy@cavium.com>
+Signed-off-by: Giridhar Malavali <giridhar.malavali@cavium.com>
+Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Reviewed-by: Martin Wilck <mwilck@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_isr.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -2494,8 +2494,12 @@ qla2x00_status_entry(scsi_qla_host_t *vh
+ ox_id = le16_to_cpu(sts24->ox_id);
+ par_sense_len = sizeof(sts24->data);
+ /* Valid values of the retry delay timer are 0x1-0xffef */
+- if (sts24->retry_delay > 0 && sts24->retry_delay < 0xfff1)
+- retry_delay = sts24->retry_delay;
++ if (sts24->retry_delay > 0 && sts24->retry_delay < 0xfff1) {
++ retry_delay = sts24->retry_delay & 0x3fff;
++ ql_dbg(ql_dbg_io, sp->vha, 0x3033,
++ "%s: scope=%#x retry_delay=%#x\n", __func__,
++ sts24->retry_delay >> 14, retry_delay);
++ }
+ } else {
+ if (scsi_status & SS_SENSE_LEN_VALID)
+ sense_len = le16_to_cpu(sts->req_sense_length);
--- /dev/null
+From 49d7bd36813ea8e6b4c97b640d24e7fbd44c84f0 Mon Sep 17 00:00:00 2001
+From: Mikhail Malygin <m.malygin@yadro.com>
+Date: Wed, 13 Jun 2018 13:05:57 +0000
+Subject: scsi: qla2xxx: Spinlock recursion in qla_target
+
+From: Mikhail Malygin <m.malygin@yadro.com>
+
+commit 49d7bd36813ea8e6b4c97b640d24e7fbd44c84f0 upstream.
+
+The patch reverts changes done in qlt_schedule_sess_for_deletion() to
+avoid spinlock recursion sess->vha->work_lock should be used instead
+of ha->tgt.sess_lock, that can be locked in callers: qlt_reset() or
+qlt_handle_login()
+
+[mkp: roll in build warning reported by sfr]
+
+Fixes: 1c6cacf4ea6c04 ("scsi: qla2xxx: Fixup locking for session deletion")
+Cc: <stable@vger.kernel.org> #v4.17
+Signed-off-by: Mikhail Malygin <m.malygin@yadro.com>
+Reported-by: Mikhail Malygin <m.malygin@yadro.com>
+Tested-by: Mikhail Malygin <m.malygin@yadro.com>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_target.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -1230,7 +1230,6 @@ static void qla24xx_chk_fcp_state(struct
+ void qlt_schedule_sess_for_deletion(struct fc_port *sess)
+ {
+ struct qla_tgt *tgt = sess->tgt;
+- struct qla_hw_data *ha = sess->vha->hw;
+ unsigned long flags;
+
+ if (sess->disc_state == DSC_DELETE_PEND)
+@@ -1247,16 +1246,16 @@ void qlt_schedule_sess_for_deletion(stru
+ return;
+ }
+
+- spin_lock_irqsave(&ha->tgt.sess_lock, flags);
+ if (sess->deleted == QLA_SESS_DELETED)
+ sess->logout_on_delete = 0;
+
++ spin_lock_irqsave(&sess->vha->work_lock, flags);
+ if (sess->deleted == QLA_SESS_DELETION_IN_PROGRESS) {
+- spin_unlock_irqrestore(&ha->tgt.sess_lock, flags);
++ spin_unlock_irqrestore(&sess->vha->work_lock, flags);
+ return;
+ }
+ sess->deleted = QLA_SESS_DELETION_IN_PROGRESS;
+- spin_unlock_irqrestore(&ha->tgt.sess_lock, flags);
++ spin_unlock_irqrestore(&sess->vha->work_lock, flags);
+
+ sess->disc_state = DSC_DELETE_PEND;
+
--- /dev/null
+From 52ab9768f723823a71dc659f0fad803a90f80236 Mon Sep 17 00:00:00 2001
+From: Luis Henriques <lhenriques@suse.com>
+Date: Mon, 18 Jun 2018 17:08:03 +0100
+Subject: scsi: scsi_debug: Fix memory leak on module unload
+
+From: Luis Henriques <lhenriques@suse.com>
+
+commit 52ab9768f723823a71dc659f0fad803a90f80236 upstream.
+
+Since commit 80c49563e250 ("scsi: scsi_debug: implement IMMED bit") there
+are long delays in F_SYNC_DELAY and F_SSU_DELAY. This can cause a memory
+leak in schedule_resp(), which can be invoked while unloading the
+scsi_debug module: free_all_queued() had already freed all sd_dp and
+schedule_resp will alloc a new one, which will never get freed. Here's the
+kmemleak report while running xfstests generic/350:
+
+unreferenced object 0xffff88007d752b00 (size 128):
+ comm "rmmod", pid 26940, jiffies 4295816945 (age 7.588s)
+ hex dump (first 32 bytes):
+ 00 2b 75 7d 00 88 ff ff 00 00 00 00 00 00 00 00 .+u}............
+ 00 00 00 00 00 00 00 00 8e 31 a2 34 5f 03 00 00 .........1.4_...
+ backtrace:
+ [<000000002abd83d0>] 0xffffffffa000705e
+ [<000000004c063fda>] scsi_dispatch_cmd+0xc7/0x1a0
+ [<000000000c119a00>] scsi_request_fn+0x251/0x550
+ [<000000009de0c736>] __blk_run_queue+0x3f/0x60
+ [<000000001c4453c8>] blk_execute_rq_nowait+0x98/0xd0
+ [<00000000d17ec79f>] blk_execute_rq+0x3a/0x50
+ [<00000000a7654b6e>] scsi_execute+0x113/0x250
+ [<00000000fd78f7cd>] sd_sync_cache+0x95/0x160
+ [<0000000024dacb14>] sd_shutdown+0x9b/0xd0
+ [<00000000e9101710>] sd_remove+0x5f/0xb0
+ [<00000000c43f0d63>] device_release_driver_internal+0x13c/0x1f0
+ [<00000000e8ad57b6>] bus_remove_device+0xe9/0x160
+ [<00000000713a7b8a>] device_del+0x120/0x320
+ [<00000000e5db670c>] __scsi_remove_device+0x115/0x150
+ [<00000000eccbef30>] scsi_forget_host+0x20/0x60
+ [<00000000cd5a0738>] scsi_remove_host+0x6d/0x120
+
+Cc: stable@vger.kernel.org # v4.17+
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Acked-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_debug.c
++++ b/drivers/scsi/scsi_debug.c
+@@ -5506,9 +5506,9 @@ static void __exit scsi_debug_exit(void)
+ int k = sdebug_add_host;
+
+ stop_all_queued();
+- free_all_queued();
+ for (; k; k--)
+ sdebug_remove_adapter();
++ free_all_queued();
+ driver_unregister(&sdebug_driverfs_driver);
+ bus_unregister(&pseudo_lld_bus);
+ root_device_unregister(pseudo_primary);
--- /dev/null
+From 512857a795cbbda5980efa4cdb3c0b6602330408 Mon Sep 17 00:00:00 2001
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Thu, 17 May 2018 19:14:45 +0200
+Subject: scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed
+
+From: Steffen Maier <maier@linux.ibm.com>
+
+commit 512857a795cbbda5980efa4cdb3c0b6602330408 upstream.
+
+If a SCSI device is deleted during scsi_eh host reset, we cannot get a
+reference to the SCSI device anymore since scsi_device_get returns !=0 by
+design. Assuming the recovery of adapter and port(s) was successful,
+zfcp_erp_strategy_followup_success() attempts to trigger a LUN reset for the
+half-gone SCSI device. Unfortunately, it causes the following confusing
+trace record which states that zfcp will do a LUN recovery as "ERP need" is
+ZFCP_ERP_ACTION_REOPEN_LUN == 1 and equals "ERP want".
+
+Old example trace record formatted with zfcpdbf from s390-tools:
+
+Tag: : ersfs_3 ERP, trigger, unit reopen, port reopen succeeded
+LUN : 0x<FCP_LUN>
+WWPN : 0x<WWPN>
+D_ID : 0x<N_Port-ID>
+Adapter status : 0x5400050b
+Port status : 0x54000001
+LUN status : 0x40000000 ZFCP_STATUS_COMMON_RUNNING
+ but not ZFCP_STATUS_COMMON_UNBLOCKED as it
+ was closed on close part of adapter reopen
+ERP want : 0x01
+ERP need : 0x01 misleading
+
+However, zfcp_erp_setup_act() returns NULL as it cannot get the reference.
+Hence, zfcp_erp_action_enqueue() takes an early goto out and _NO_ recovery
+actually happens.
+
+We always do want the recovery trigger trace record even if no erp_action
+could be enqueued as in this case. For other cases where we did not enqueue
+an erp_action, 'need' has always been zero to indicate this. In order to
+indicate above goto out, introduce an eyecatcher "flag" to mark the "ERP
+need" as 'not needed' but still keep the information which erp_action type,
+that zfcp_erp_required_act() had decided upon, is needed. 0xc_ is chosen to
+be visibly different from 0x0_ in "ERP want".
+
+New example trace record formatted with zfcpdbf from s390-tools:
+
+Tag: : ersfs_3 ERP, trigger, unit reopen, port reopen succeeded
+LUN : 0x<FCP_LUN>
+WWPN : 0x<WWPN>
+D_ID : 0x<N_Port-ID>
+Adapter status : 0x5400050b
+Port status : 0x54000001
+LUN status : 0x40000000
+ERP want : 0x01
+ERP need : 0xc1 would need LUN ERP, but no action set up
+ ^
+
+Before v2.6.38 commit ae0904f60fab ("[SCSI] zfcp: Redesign of the debug
+tracing for recovery actions.") we could detect this case because the
+"erp_action" field in the trace was NULL. The rework removed erp_action as
+argument and field from the trace.
+
+This patch here is for tracing. A fix to allow LUN recovery in the case at
+hand is a topic for a separate patch.
+
+See also commit fdbd1c5e27da ("[SCSI] zfcp: Allow running unit/LUN shutdown
+without acquiring reference") for a similar case and background info.
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Fixes: ae0904f60fab ("[SCSI] zfcp: Redesign of the debug tracing for recovery actions.")
+Cc: <stable@vger.kernel.org> #2.6.38+
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/scsi/zfcp_erp.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/s390/scsi/zfcp_erp.c
++++ b/drivers/s390/scsi/zfcp_erp.c
+@@ -35,11 +35,23 @@ enum zfcp_erp_steps {
+ ZFCP_ERP_STEP_LUN_OPENING = 0x2000,
+ };
+
++/**
++ * enum zfcp_erp_act_type - Type of ERP action object.
++ * @ZFCP_ERP_ACTION_REOPEN_LUN: LUN recovery.
++ * @ZFCP_ERP_ACTION_REOPEN_PORT: Port recovery.
++ * @ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: Forced port recovery.
++ * @ZFCP_ERP_ACTION_REOPEN_ADAPTER: Adapter recovery.
++ * @ZFCP_ERP_ACTION_NONE: Eyecatcher pseudo flag to bitwise or-combine with
++ * either of the other enum values.
++ * Used to indicate that an ERP action could not be
++ * set up despite a detected need for some recovery.
++ */
+ enum zfcp_erp_act_type {
+ ZFCP_ERP_ACTION_REOPEN_LUN = 1,
+ ZFCP_ERP_ACTION_REOPEN_PORT = 2,
+ ZFCP_ERP_ACTION_REOPEN_PORT_FORCED = 3,
+ ZFCP_ERP_ACTION_REOPEN_ADAPTER = 4,
++ ZFCP_ERP_ACTION_NONE = 0xc0,
+ };
+
+ enum zfcp_erp_act_state {
+@@ -257,8 +269,10 @@ static int zfcp_erp_action_enqueue(int w
+ goto out;
+
+ act = zfcp_erp_setup_act(need, act_status, adapter, port, sdev);
+- if (!act)
++ if (!act) {
++ need |= ZFCP_ERP_ACTION_NONE; /* marker for trace */
+ goto out;
++ }
+ atomic_or(ZFCP_STATUS_ADAPTER_ERP_PENDING, &adapter->status);
+ ++adapter->erp_total_count;
+ list_add_tail(&act->list, &adapter->erp_ready_head);
--- /dev/null
+From 8c3d20aada70042a39c6a6625be037c1472ca610 Mon Sep 17 00:00:00 2001
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Thu, 17 May 2018 19:14:48 +0200
+Subject: scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED
+
+From: Steffen Maier <maier@linux.ibm.com>
+
+commit 8c3d20aada70042a39c6a6625be037c1472ca610 upstream.
+
+That other commit introduced an inconsistency because it would trace on
+ERP_FAILED for all callers of port forced reopen triggers (not just
+terminate_rport_io), but it would not trace on ERP_FAILED for all callers of
+other ERP triggers such as adapter, port regular, LUN.
+
+Therefore, generalize that other commit. zfcp_erp_action_enqueue() already
+had two early outs which re-used the one zfcp_dbf_rec_trig() call. All ERP
+trigger functions finally run through zfcp_erp_action_enqueue(). So move
+the special handling for ZFCP_STATUS_COMMON_ERP_FAILED into
+zfcp_erp_action_enqueue() and add another early out with new trace marker
+for pseudo ERP need in this case. This removes all early returns from all
+ERP trigger functions so we always end up at zfcp_dbf_rec_trig().
+
+Example trace record formatted with zfcpdbf from s390-tools:
+
+Timestamp : ...
+Area : REC
+Subarea : 00
+Level : 1
+Exception : -
+CPU ID : ..
+Caller : 0x...
+Record ID : 1 ZFCP_DBF_REC_TRIG
+Tag : .......
+LUN : 0x...
+WWPN : 0x...
+D_ID : 0x...
+Adapter status : 0x...
+Port status : 0x...
+LUN status : 0x...
+Ready count : 0x...
+Running count : 0x...
+ERP want : 0x0. ZFCP_ERP_ACTION_REOPEN_...
+ERP need : 0xe0 ZFCP_ERP_ACTION_FAILED
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Cc: <stable@vger.kernel.org> #2.6.38+
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/scsi/zfcp_erp.c | 79 +++++++++++++++++++++++++++----------------
+ 1 file changed, 51 insertions(+), 28 deletions(-)
+
+--- a/drivers/s390/scsi/zfcp_erp.c
++++ b/drivers/s390/scsi/zfcp_erp.c
+@@ -143,6 +143,49 @@ static void zfcp_erp_action_dismiss_adap
+ }
+ }
+
++static int zfcp_erp_handle_failed(int want, struct zfcp_adapter *adapter,
++ struct zfcp_port *port,
++ struct scsi_device *sdev)
++{
++ int need = want;
++ struct zfcp_scsi_dev *zsdev;
++
++ switch (want) {
++ case ZFCP_ERP_ACTION_REOPEN_LUN:
++ zsdev = sdev_to_zfcp(sdev);
++ if (atomic_read(&zsdev->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
++ need = 0;
++ break;
++ case ZFCP_ERP_ACTION_REOPEN_PORT_FORCED:
++ if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
++ need = 0;
++ break;
++ case ZFCP_ERP_ACTION_REOPEN_PORT:
++ if (atomic_read(&port->status) &
++ ZFCP_STATUS_COMMON_ERP_FAILED) {
++ need = 0;
++ /* ensure propagation of failed status to new devices */
++ zfcp_erp_set_port_status(
++ port, ZFCP_STATUS_COMMON_ERP_FAILED);
++ }
++ break;
++ case ZFCP_ERP_ACTION_REOPEN_ADAPTER:
++ if (atomic_read(&adapter->status) &
++ ZFCP_STATUS_COMMON_ERP_FAILED) {
++ need = 0;
++ /* ensure propagation of failed status to new devices */
++ zfcp_erp_set_adapter_status(
++ adapter, ZFCP_STATUS_COMMON_ERP_FAILED);
++ }
++ break;
++ default:
++ need = 0;
++ break;
++ }
++
++ return need;
++}
++
+ static int zfcp_erp_required_act(int want, struct zfcp_adapter *adapter,
+ struct zfcp_port *port,
+ struct scsi_device *sdev)
+@@ -266,6 +309,12 @@ static int zfcp_erp_action_enqueue(int w
+ int retval = 1, need;
+ struct zfcp_erp_action *act;
+
++ need = zfcp_erp_handle_failed(want, adapter, port, sdev);
++ if (!need) {
++ need = ZFCP_ERP_ACTION_FAILED; /* marker for trace */
++ goto out;
++ }
++
+ if (!adapter->erp_thread)
+ return -EIO;
+
+@@ -314,12 +363,6 @@ static int _zfcp_erp_adapter_reopen(stru
+ zfcp_erp_adapter_block(adapter, clear_mask);
+ zfcp_scsi_schedule_rports_block(adapter);
+
+- /* ensure propagation of failed status to new devices */
+- if (atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
+- zfcp_erp_set_adapter_status(adapter,
+- ZFCP_STATUS_COMMON_ERP_FAILED);
+- return -EIO;
+- }
+ return zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER,
+ adapter, NULL, NULL, id, 0);
+ }
+@@ -338,12 +381,8 @@ void zfcp_erp_adapter_reopen(struct zfcp
+ zfcp_scsi_schedule_rports_block(adapter);
+
+ write_lock_irqsave(&adapter->erp_lock, flags);
+- if (atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
+- zfcp_erp_set_adapter_status(adapter,
+- ZFCP_STATUS_COMMON_ERP_FAILED);
+- else
+- zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, adapter,
+- NULL, NULL, id, 0);
++ zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, adapter,
++ NULL, NULL, id, 0);
+ write_unlock_irqrestore(&adapter->erp_lock, flags);
+ }
+
+@@ -384,13 +423,6 @@ static void _zfcp_erp_port_forced_reopen
+ zfcp_erp_port_block(port, clear);
+ zfcp_scsi_schedule_rport_block(port);
+
+- if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
+- zfcp_dbf_rec_trig(id, port->adapter, port, NULL,
+- ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
+- ZFCP_ERP_ACTION_FAILED);
+- return;
+- }
+-
+ zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
+ port->adapter, port, NULL, id, 0);
+ }
+@@ -416,12 +448,6 @@ static int _zfcp_erp_port_reopen(struct
+ zfcp_erp_port_block(port, clear);
+ zfcp_scsi_schedule_rport_block(port);
+
+- if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
+- /* ensure propagation of failed status to new devices */
+- zfcp_erp_set_port_status(port, ZFCP_STATUS_COMMON_ERP_FAILED);
+- return -EIO;
+- }
+-
+ return zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT,
+ port->adapter, port, NULL, id, 0);
+ }
+@@ -461,9 +487,6 @@ static void _zfcp_erp_lun_reopen(struct
+
+ zfcp_erp_lun_block(sdev, clear);
+
+- if (atomic_read(&zfcp_sdev->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
+- return;
+-
+ zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_LUN, adapter,
+ zfcp_sdev->port, sdev, id, act_status);
+ }
--- /dev/null
+From 6a76550841d412330bd86aed3238d1888ba70f0e Mon Sep 17 00:00:00 2001
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Thu, 17 May 2018 19:14:49 +0200
+Subject: scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread
+
+From: Steffen Maier <maier@linux.ibm.com>
+
+commit 6a76550841d412330bd86aed3238d1888ba70f0e upstream.
+
+Example trace record formatted with zfcpdbf from s390-tools:
+
+Timestamp : ...
+Area : REC
+Subarea : 00
+Level : 1
+Exception : -
+CPU ID : ..
+Caller : 0x...
+Record ID : 1 ZFCP_DBF_REC_TRIG
+Tag : .......
+LUN : 0x...
+WWPN : 0x...
+D_ID : 0x...
+Adapter status : 0x...
+Port status : 0x...
+LUN status : 0x...
+Ready count : 0x...
+Running count : 0x...
+ERP want : 0x0. ZFCP_ERP_ACTION_REOPEN_...
+ERP need : 0xc0 ZFCP_ERP_ACTION_NONE
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Cc: <stable@vger.kernel.org> #2.6.38+
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/scsi/zfcp_erp.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/scsi/zfcp_erp.c
++++ b/drivers/s390/scsi/zfcp_erp.c
+@@ -315,8 +315,11 @@ static int zfcp_erp_action_enqueue(int w
+ goto out;
+ }
+
+- if (!adapter->erp_thread)
+- return -EIO;
++ if (!adapter->erp_thread) {
++ need = ZFCP_ERP_ACTION_NONE; /* marker for trace */
++ retval = -EIO;
++ goto out;
++ }
+
+ need = zfcp_erp_required_act(want, adapter, port, sdev);
+ if (!need)
--- /dev/null
+From 96d9270499471545048ed8a6d7f425a49762283d Mon Sep 17 00:00:00 2001
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Thu, 17 May 2018 19:14:46 +0200
+Subject: scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return
+
+From: Steffen Maier <maier@linux.ibm.com>
+
+commit 96d9270499471545048ed8a6d7f425a49762283d upstream.
+
+get_device() and its internally used kobject_get() only return NULL if they
+get passed NULL as argument. zfcp_get_port_by_wwpn() loops over
+adapter->port_list so the iteration variable port is always non-NULL.
+Struct device is embedded in struct zfcp_port so &port->dev is always
+non-NULL. This is the argument to get_device(). However, if we get an
+fc_rport in terminate_rport_io() for which we cannot find a match within
+zfcp_get_port_by_wwpn(), the latter can return NULL. v2.6.30 commit
+70932935b61e ("[SCSI] zfcp: Fix oops when port disappears") introduced an
+early return without adding a trace record for this case. Even if we don't
+need recovery in this case, for debugging we should still see that our
+callback was invoked originally by scsi_transport_fc.
+
+Example trace record formatted with zfcpdbf from s390-tools:
+
+Timestamp : ...
+Area : REC
+Subarea : 00
+Level : 1
+Exception : -
+CPU ID : ..
+Caller : 0x...
+Record ID : 1
+Tag : sctrpin SCSI terminate rport I/O, no zfcp port
+LUN : 0xffffffffffffffff none (invalid)
+WWPN : 0x<wwpn> WWPN
+D_ID : 0x<n_port_id> N_Port-ID
+Adapter status : 0x...
+Port status : 0xffffffff unknown (-1)
+LUN status : 0x00000000 none (invalid)
+Ready count : 0x...
+Running count : 0x...
+ERP want : 0x03 ZFCP_ERP_ACTION_REOPEN_PORT_FORCED
+ERP need : 0xc0 ZFCP_ERP_ACTION_NONE
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Fixes: 70932935b61e ("[SCSI] zfcp: Fix oops when port disappears")
+Cc: <stable@vger.kernel.org> #2.6.38+
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/scsi/zfcp_erp.c | 20 ++++++++++++++++++++
+ drivers/s390/scsi/zfcp_ext.h | 3 +++
+ drivers/s390/scsi/zfcp_scsi.c | 5 +++++
+ 3 files changed, 28 insertions(+)
+
+--- a/drivers/s390/scsi/zfcp_erp.c
++++ b/drivers/s390/scsi/zfcp_erp.c
+@@ -283,6 +283,26 @@ static int zfcp_erp_action_enqueue(int w
+ return retval;
+ }
+
++void zfcp_erp_port_forced_no_port_dbf(char *id, struct zfcp_adapter *adapter,
++ u64 port_name, u32 port_id)
++{
++ unsigned long flags;
++ static /* don't waste stack */ struct zfcp_port tmpport;
++
++ write_lock_irqsave(&adapter->erp_lock, flags);
++ /* Stand-in zfcp port with fields just good enough for
++ * zfcp_dbf_rec_trig() and zfcp_dbf_set_common().
++ * Under lock because tmpport is static.
++ */
++ atomic_set(&tmpport.status, -1); /* unknown */
++ tmpport.wwpn = port_name;
++ tmpport.d_id = port_id;
++ zfcp_dbf_rec_trig(id, adapter, &tmpport, NULL,
++ ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
++ ZFCP_ERP_ACTION_NONE);
++ write_unlock_irqrestore(&adapter->erp_lock, flags);
++}
++
+ static int _zfcp_erp_adapter_reopen(struct zfcp_adapter *adapter,
+ int clear_mask, char *id)
+ {
+--- a/drivers/s390/scsi/zfcp_ext.h
++++ b/drivers/s390/scsi/zfcp_ext.h
+@@ -58,6 +58,9 @@ extern void zfcp_dbf_scsi_eh(char *tag,
+ /* zfcp_erp.c */
+ extern void zfcp_erp_set_adapter_status(struct zfcp_adapter *, u32);
+ extern void zfcp_erp_clear_adapter_status(struct zfcp_adapter *, u32);
++extern void zfcp_erp_port_forced_no_port_dbf(char *id,
++ struct zfcp_adapter *adapter,
++ u64 port_name, u32 port_id);
+ extern void zfcp_erp_adapter_reopen(struct zfcp_adapter *, int, char *);
+ extern void zfcp_erp_adapter_shutdown(struct zfcp_adapter *, int, char *);
+ extern void zfcp_erp_set_port_status(struct zfcp_port *, u32);
+--- a/drivers/s390/scsi/zfcp_scsi.c
++++ b/drivers/s390/scsi/zfcp_scsi.c
+@@ -605,6 +605,11 @@ static void zfcp_scsi_terminate_rport_io
+ if (port) {
+ zfcp_erp_port_forced_reopen(port, 0, "sctrpi1");
+ put_device(&port->dev);
++ } else {
++ zfcp_erp_port_forced_no_port_dbf(
++ "sctrpin", adapter,
++ rport->port_name /* zfcp_scsi_rport_register */,
++ rport->port_id /* zfcp_scsi_rport_register */);
+ }
+ }
+
--- /dev/null
+From d70aab55924b44f213fec2b900b095430b33eec6 Mon Sep 17 00:00:00 2001
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Thu, 17 May 2018 19:14:47 +0200
+Subject: scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED
+
+From: Steffen Maier <maier@linux.ibm.com>
+
+commit d70aab55924b44f213fec2b900b095430b33eec6 upstream.
+
+For problem determination we always want to see when we were invoked on the
+terminate_rport_io callback whether we perform something or not.
+
+Temporal event sequence of interest with a long fast_io_fail_tmo of 27 sec:
+
+loose remote port
+
+t workqueue
+[s] zfcp_q_<dev> IRQ zfcperp<dev>
+
+=== ================== =================== ============================
+
+ 0 recv RSCN
+ q p.test_link_work
+ block rport
+ start fast_io_fail_tmo
+ send ADISC ELS
+ 4 recv ADISC fail
+ block zfcp_port
+ port forced reopen
+ send open port
+ 12 recv open port fail
+ q p.gid_pn_work
+ zfcp_erp_wakeup
+ (zfcp_erp_wait would return)
+ GID_PN fail
+
+Before this point, we got a SCSI trace with tag "sctrpi1" on fast_io_fail,
+e.g. with the typical 5 sec setting.
+
+ port.status |= ERP_FAILED
+
+If fast_io_fail_tmo triggers after this point, we missed a SCSI trace.
+
+ workqueue
+ fc_dl_<host>
+ ==================
+ 27 fc_timeout_fail_rport_io
+ fc_terminate_rport_io
+ zfcp_scsi_terminate_rport_io
+ zfcp_erp_port_forced_reopen
+ _zfcp_erp_port_forced_reopen
+ if (port.status & ERP_FAILED)
+ return;
+
+Therefore, write a trace before above early return.
+
+Example trace record formatted with zfcpdbf from s390-tools:
+
+Timestamp : ...
+Area : REC
+Subarea : 00
+Level : 1
+Exception : -
+CPU ID : ..
+Caller : 0x...
+Record ID : 1 ZFCP_DBF_REC_TRIG
+Tag : sctrpi1 SCSI terminate rport I/O
+LUN : 0xffffffffffffffff none (invalid)
+WWPN : 0x<wwpn>
+D_ID : 0x<n_port_id>
+Adapter status : 0x...
+Port status : 0x...
+LUN status : 0x00000000 none (invalid)
+Ready count : 0x...
+Running count : 0x...
+ERP want : 0x03 ZFCP_ERP_ACTION_REOPEN_PORT_FORCED
+ERP need : 0xe0 ZFCP_ERP_ACTION_FAILED
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Cc: <stable@vger.kernel.org> #2.6.38+
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/scsi/zfcp_erp.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/scsi/zfcp_erp.c
++++ b/drivers/s390/scsi/zfcp_erp.c
+@@ -42,9 +42,13 @@ enum zfcp_erp_steps {
+ * @ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: Forced port recovery.
+ * @ZFCP_ERP_ACTION_REOPEN_ADAPTER: Adapter recovery.
+ * @ZFCP_ERP_ACTION_NONE: Eyecatcher pseudo flag to bitwise or-combine with
+- * either of the other enum values.
++ * either of the first four enum values.
+ * Used to indicate that an ERP action could not be
+ * set up despite a detected need for some recovery.
++ * @ZFCP_ERP_ACTION_FAILED: Eyecatcher pseudo flag to bitwise or-combine with
++ * either of the first four enum values.
++ * Used to indicate that ERP not needed because
++ * the object has ZFCP_STATUS_COMMON_ERP_FAILED.
+ */
+ enum zfcp_erp_act_type {
+ ZFCP_ERP_ACTION_REOPEN_LUN = 1,
+@@ -52,6 +56,7 @@ enum zfcp_erp_act_type {
+ ZFCP_ERP_ACTION_REOPEN_PORT_FORCED = 3,
+ ZFCP_ERP_ACTION_REOPEN_ADAPTER = 4,
+ ZFCP_ERP_ACTION_NONE = 0xc0,
++ ZFCP_ERP_ACTION_FAILED = 0xe0,
+ };
+
+ enum zfcp_erp_act_state {
+@@ -379,8 +384,12 @@ static void _zfcp_erp_port_forced_reopen
+ zfcp_erp_port_block(port, clear);
+ zfcp_scsi_schedule_rport_block(port);
+
+- if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED)
++ if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) {
++ zfcp_dbf_rec_trig(id, port->adapter, port, NULL,
++ ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
++ ZFCP_ERP_ACTION_FAILED);
+ return;
++ }
+
+ zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT_FORCED,
+ port->adapter, port, NULL, id, 0);
--- /dev/null
+From df30781699f53e4fd4c494c6f7dd16e3d5c21d30 Mon Sep 17 00:00:00 2001
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Thu, 17 May 2018 19:14:43 +0200
+Subject: scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler
+
+From: Steffen Maier <maier@linux.ibm.com>
+
+commit df30781699f53e4fd4c494c6f7dd16e3d5c21d30 upstream.
+
+For problem determination we need to see whether and why we were successful
+or not. This allows deduction of scsi_eh escalation.
+
+Example trace record formatted with zfcpdbf from s390-tools:
+
+Timestamp : ...
+Area : SCSI
+Subarea : 00
+Level : 1
+Exception : -
+CPU ID : ..
+Caller : 0x...
+Record ID : 1
+Tag : schrh_r SCSI host reset handler result
+Request ID : 0x0000000000000000 none (invalid)
+SCSI ID : 0xffffffff none (invalid)
+SCSI LUN : 0xffffffff none (invalid)
+SCSI LUN high : 0xffffffff none (invalid)
+SCSI result : 0x00002002 field re-used for midlayer value: SUCCESS
+ or in other cases: 0x2009 == FAST_IO_FAIL
+SCSI retries : 0xff none (invalid)
+SCSI allowed : 0xff none (invalid)
+SCSI scribble : 0xffffffffffffffff none (invalid)
+SCSI opcode : ffffffff ffffffff ffffffff ffffffff none (invalid)
+FCP rsp inf cod: 0xff none (invalid)
+FCP rsp IU : 00000000 00000000 00000000 00000000 none (invalid)
+ 00000000 00000000
+
+v2.6.35 commit a1dbfddd02d2 ("[SCSI] zfcp: Pass return code from
+fc_block_scsi_eh to scsi eh") introduced the first return with something
+other than the previously hardcoded single SUCCESS return path.
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Fixes: a1dbfddd02d2 ("[SCSI] zfcp: Pass return code from fc_block_scsi_eh to scsi eh")
+Cc: <stable@vger.kernel.org> #2.6.38+
+Reviewed-by: Jens Remus <jremus@linux.ibm.com>
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/scsi/zfcp_dbf.c | 40 ++++++++++++++++++++++++++++++++++++++++
+ drivers/s390/scsi/zfcp_ext.h | 2 ++
+ drivers/s390/scsi/zfcp_scsi.c | 11 ++++++-----
+ 3 files changed, 48 insertions(+), 5 deletions(-)
+
+--- a/drivers/s390/scsi/zfcp_dbf.c
++++ b/drivers/s390/scsi/zfcp_dbf.c
+@@ -664,6 +664,46 @@ void zfcp_dbf_scsi(char *tag, int level,
+ spin_unlock_irqrestore(&dbf->scsi_lock, flags);
+ }
+
++/**
++ * zfcp_dbf_scsi_eh() - Trace event for special cases of scsi_eh callbacks.
++ * @tag: Identifier for event.
++ * @adapter: Pointer to zfcp adapter as context for this event.
++ * @scsi_id: SCSI ID/target to indicate scope of task management function (TMF).
++ * @ret: Return value of calling function.
++ *
++ * This SCSI trace variant does not depend on any of:
++ * scsi_cmnd, zfcp_fsf_req, scsi_device.
++ */
++void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter,
++ unsigned int scsi_id, int ret)
++{
++ struct zfcp_dbf *dbf = adapter->dbf;
++ struct zfcp_dbf_scsi *rec = &dbf->scsi_buf;
++ unsigned long flags;
++ static int const level = 1;
++
++ if (unlikely(!debug_level_enabled(adapter->dbf->scsi, level)))
++ return;
++
++ spin_lock_irqsave(&dbf->scsi_lock, flags);
++ memset(rec, 0, sizeof(*rec));
++
++ memcpy(rec->tag, tag, ZFCP_DBF_TAG_LEN);
++ rec->id = ZFCP_DBF_SCSI_CMND;
++ rec->scsi_result = ret; /* re-use field, int is 4 bytes and fits */
++ rec->scsi_retries = ~0;
++ rec->scsi_allowed = ~0;
++ rec->fcp_rsp_info = ~0;
++ rec->scsi_id = scsi_id;
++ rec->scsi_lun = (u32)ZFCP_DBF_INVALID_LUN;
++ rec->scsi_lun_64_hi = (u32)(ZFCP_DBF_INVALID_LUN >> 32);
++ rec->host_scribble = ~0;
++ memset(rec->scsi_opcode, 0xff, ZFCP_DBF_SCSI_OPCODE);
++
++ debug_event(dbf->scsi, level, rec, sizeof(*rec));
++ spin_unlock_irqrestore(&dbf->scsi_lock, flags);
++}
++
+ static debug_info_t *zfcp_dbf_reg(const char *name, int size, int rec_size)
+ {
+ struct debug_info *d;
+--- a/drivers/s390/scsi/zfcp_ext.h
++++ b/drivers/s390/scsi/zfcp_ext.h
+@@ -52,6 +52,8 @@ extern void zfcp_dbf_san_res(char *, str
+ extern void zfcp_dbf_san_in_els(char *, struct zfcp_fsf_req *);
+ extern void zfcp_dbf_scsi(char *, int, struct scsi_cmnd *,
+ struct zfcp_fsf_req *);
++extern void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter,
++ unsigned int scsi_id, int ret);
+
+ /* zfcp_erp.c */
+ extern void zfcp_erp_set_adapter_status(struct zfcp_adapter *, u32);
+--- a/drivers/s390/scsi/zfcp_scsi.c
++++ b/drivers/s390/scsi/zfcp_scsi.c
+@@ -323,15 +323,16 @@ static int zfcp_scsi_eh_host_reset_handl
+ {
+ struct zfcp_scsi_dev *zfcp_sdev = sdev_to_zfcp(scpnt->device);
+ struct zfcp_adapter *adapter = zfcp_sdev->port->adapter;
+- int ret;
++ int ret = SUCCESS, fc_ret;
+
+ zfcp_erp_adapter_reopen(adapter, 0, "schrh_1");
+ zfcp_erp_wait(adapter);
+- ret = fc_block_scsi_eh(scpnt);
+- if (ret)
+- return ret;
++ fc_ret = fc_block_scsi_eh(scpnt);
++ if (fc_ret)
++ ret = fc_ret;
+
+- return SUCCESS;
++ zfcp_dbf_scsi_eh("schrh_r", adapter, ~0, ret);
++ return ret;
+ }
+
+ struct scsi_transport_template *zfcp_scsi_transport_template;
--- /dev/null
+From 81979ae63e872ef650a7197f6ce6590059d37172 Mon Sep 17 00:00:00 2001
+From: Steffen Maier <maier@linux.ibm.com>
+Date: Thu, 17 May 2018 19:14:44 +0200
+Subject: scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF
+
+From: Steffen Maier <maier@linux.ibm.com>
+
+commit 81979ae63e872ef650a7197f6ce6590059d37172 upstream.
+
+We already have a SCSI trace for the end of abort and scsi_eh TMF. Due to
+zfcp_erp_wait() and fc_block_scsi_eh() time can pass between the start of
+our eh callback and an actual send/recv of an abort / TMF request. In order
+to see the temporal sequence including any abort / TMF send retries, add a
+trace before the above two blocking functions. This supports problem
+determination with scsi_eh and parallel zfcp ERP.
+
+No need to explicitly trace the beginning of our eh callback, since we
+typically can send an abort / TMF and see its HBA response (in the worst
+case, it's a pseudo response on dismiss all of adapter recovery, e.g. due to
+an FSF request timeout [fsrth_1] of the abort / TMF). If we cannot send, we
+now get a trace record for the first "abrt_wt" or "[lt]r_wait" which denotes
+almost the beginning of the callback.
+
+No need to explicitly trace the wakeup after the above two blocking
+functions because the next retry loop causes another trace in any case and
+that is sufficient.
+
+Example trace records formatted with zfcpdbf from s390-tools:
+
+Timestamp : ...
+Area : SCSI
+Subarea : 00
+Level : 1
+Exception : -
+CPU ID : ..
+Caller : 0x...
+Record ID : 1
+Tag : abrt_wt abort, before zfcp_erp_wait()
+Request ID : 0x0000000000000000 none (invalid)
+SCSI ID : 0x<scsi_id>
+SCSI LUN : 0x<scsi_lun>
+SCSI LUN high : 0x<scsi_lun_high>
+SCSI result : 0x<scsi_result_of_cmd_to_be_aborted>
+SCSI retries : 0x<retries_of_cmd_to_be_aborted>
+SCSI allowed : 0x<allowed_retries_of_cmd_to_be_aborted>
+SCSI scribble : 0x<req_id_of_cmd_to_be_aborted>
+SCSI opcode : <CDB_of_cmd_to_be_aborted>
+FCP rsp inf cod: 0x.. none (invalid)
+FCP rsp IU : ... none (invalid)
+
+Timestamp : ...
+Area : SCSI
+Subarea : 00
+Level : 1
+Exception : -
+CPU ID : ..
+Caller : 0x...
+Record ID : 1
+Tag : lr_wait LUN reset, before zfcp_erp_wait()
+Request ID : 0x0000000000000000 none (invalid)
+SCSI ID : 0x<scsi_id>
+SCSI LUN : 0x<scsi_lun>
+SCSI LUN high : 0x<scsi_lun_high>
+SCSI result : 0x... unrelated
+SCSI retries : 0x.. unrelated
+SCSI allowed : 0x.. unrelated
+SCSI scribble : 0x... unrelated
+SCSI opcode : ... unrelated
+FCP rsp inf cod: 0x.. none (invalid)
+FCP rsp IU : ... none (invalid)
+
+Signed-off-by: Steffen Maier <maier@linux.ibm.com>
+Fixes: 63caf367e1c9 ("[SCSI] zfcp: Improve reliability of SCSI eh handlers in zfcp")
+Fixes: af4de36d911a ("[SCSI] zfcp: Block scsi_eh thread for rport state BLOCKED")
+Cc: <stable@vger.kernel.org> #2.6.38+
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/scsi/zfcp_scsi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/s390/scsi/zfcp_scsi.c
++++ b/drivers/s390/scsi/zfcp_scsi.c
+@@ -181,6 +181,7 @@ static int zfcp_scsi_eh_abort_handler(st
+ if (abrt_req)
+ break;
+
++ zfcp_dbf_scsi_abort("abrt_wt", scpnt, NULL);
+ zfcp_erp_wait(adapter);
+ ret = fc_block_scsi_eh(scpnt);
+ if (ret) {
+@@ -277,6 +278,7 @@ static int zfcp_task_mgmt_function(struc
+ if (fsf_req)
+ break;
+
++ zfcp_dbf_scsi_devreset("wait", scpnt, tm_flags, NULL);
+ zfcp_erp_wait(adapter);
+ ret = fc_block_scsi_eh(scpnt);
+ if (ret) {
btrfs-fix-return-value-on-rename-exchange-failure.patch
iio-adc-ad7791-remove-sample-freq-sysfs-attributes.patch
iio-sca3000-fix-an-error-handling-path-in-sca3000_probe.patch
+mm-fix-__gup_device_huge-vs-unmap.patch
+scsi-scsi_debug-fix-memory-leak-on-module-unload.patch
+scsi-hpsa-disable-device-during-shutdown.patch
+scsi-qla2xxx-delete-session-for-nport-id-change.patch
+scsi-qla2xxx-fix-setting-lower-transfer-speed-if-gpsc-fails.patch
+scsi-qla2xxx-mask-off-scope-bits-in-retry-delay.patch
+scsi-qla2xxx-spinlock-recursion-in-qla_target.patch
+scsi-zfcp-fix-missing-scsi-trace-for-result-of-eh_host_reset_handler.patch
+scsi-zfcp-fix-missing-scsi-trace-for-retry-of-abort-scsi_eh-tmf.patch
+scsi-zfcp-fix-misleading-rec-trigger-trace-where-erp_action-setup-failed.patch
+scsi-zfcp-fix-missing-rec-trigger-trace-on-terminate_rport_io-early-return.patch
+scsi-zfcp-fix-missing-rec-trigger-trace-on-terminate_rport_io-for-erp_failed.patch
+scsi-zfcp-fix-missing-rec-trigger-trace-for-all-objects-in-erp_failed.patch
+scsi-zfcp-fix-missing-rec-trigger-trace-on-enqueue-without-erp-thread.patch
+linvdimm-pmem-preserve-read-only-setting-for-pmem-devices.patch
+libnvdimm-pmem-unconditionally-deep-flush-on-sync.patch
+clk-meson-meson8b-mark-fclk_div2-gate-clocks-as-clk_is_critical.patch
+clk-at91-pll-recalc_rate-now-using-cached-mul-and-div-values.patch
+rtc-sun6i-fix-bit_idx-value-for-clk_register_gate.patch
+md-fix-two-problems-with-setting-the-re-add-device-state.patch
+rpmsg-smd-do-not-use-mananged-resources-for-endpoints-and-channels.patch
+ubi-fastmap-cancel-work-upon-detach.patch
+ubi-fastmap-correctly-handle-interrupted-erasures-in-eba.patch
+ubifs-fix-potential-integer-overflow-in-allocation.patch
+backlight-as3711_bl-fix-device-tree-node-lookup.patch
+backlight-max8925_bl-fix-device-tree-node-lookup.patch
+backlight-tps65217_bl-fix-device-tree-node-lookup.patch
+revert-iommu-amd_iommu-use-config_dma_direct_ops-y-and-dma_direct_-alloc-free.patch
+f2fs-don-t-use-gfp_zero-for-page-caches.patch
+um-fix-initialization-of-vector-queues.patch
+um-fix-raw-interface-options.patch
+mfd-twl-core-fix-clock-initialization.patch
+mfd-intel-lpss-program-remap-register-in-pio-mode.patch
+mfd-intel-lpss-fix-intel-cannon-lake-lpss-i2c-input-clock.patch
+remoteproc-prevent-incorrect-rproc-state-on-xfer-mem-ownership-failure.patch
+arm-dts-mt7623-fix-invalid-memory-node-being-generated.patch
+perf-tools-fix-symbol-and-object-code-resolution-for-vdso32-and-vdsox32.patch
+perf-intel-pt-fix-sync_switch-intel_pt_ss_not_tracing.patch
+perf-intel-pt-fix-decoding-to-accept-cbr-between-fup-and-corresponding-tip.patch
+perf-intel-pt-fix-mtc-timing-after-overflow.patch
+perf-intel-pt-fix-unexpected-indirect-branch-error.patch
+perf-intel-pt-fix-packet-decoding-of-cyc-packets.patch
+media-vsp1-release-buffers-for-each-video-node.patch
+media-uvcvideo-support-realtek-s-uvc-1.5-device.patch
+media-cx231xx-ignore-an-i2c-mux-adapter.patch
+media-v4l2-compat-ioctl32-prevent-go-past-max-size.patch
+media-cx231xx-add-support-for-avermedia-dvd-ezmaker-7.patch
+media-rc-mce_kbd-decoder-fix-stuck-keys.patch
+media-dvb_frontend-fix-locking-issues-at-dvb_frontend_get_event.patch
+nfsd-restrict-rd_maxcount-to-svc_max_payload-in-nfsd_encode_readdir.patch
+nfsv4-fix-possible-1-byte-stack-overflow-in-nfs_idmap_read_and_verify_message.patch
+nfsv4-revert-commit-5f83d86cf531d-nfsv4.x-fix-wraparound-issues.patch
+nfsv4-fix-a-typo-in-nfs41_sequence_process.patch
+video-uvesafb-fix-integer-overflow-in-allocation.patch
+acpi-lpss-add-missing-prv_offset-setting-for-byt-cht-pwm-devices.patch
+input-silead-add-mssl0002-acpi-hid.patch
+input-elan_i2c-add-elan0618-lenovo-v330-15ikb-acpi-id.patch
+pwm-lpss-platform-save-restore-the-ctrl-register-over-a-suspend-resume.patch
+rbd-flush-rbd_dev-watch_dwork-after-watch-is-unregistered.patch
+mm-ksm.c-ignore-stable_flag-of-rmap_item-address-in-rmap_walk_ksm.patch
+mm-fix-devmem_is_allowed-for-sub-page-system-ram-intersections.patch
+x86-mm-don-t-free-p4d-table-when-it-is-folded-at-runtime.patch
+tracing-check-for-no-filter-when-processing-event-filters.patch
+xen-remove-unnecessary-bug_on-from-__unbind_from_irq.patch
+net-ethernet-fix-suspend-resume-in-davinci_emac.patch
+udf-detect-incorrect-directory-size.patch
+input-xpad-fix-gpd-win-2-controller-name.patch
+input-psmouse-fix-button-reporting-for-basic-protocols.patch
+input-elan_i2c_smbus-fix-more-potential-stack-buffer-overflows.patch
+input-elantech-enable-middle-button-of-touchpads-on-thinkpad-p52.patch
+input-elantech-fix-v4-report-decoding-for-module-with-middle-key.patch
+alsa-timer-fix-ubsan-warning-at-sndrv_timer_ioctl_next_device-ioctl.patch
+alsa-hda-force-to-link-down-at-runtime-suspend-on-ati-amd-hdmi.patch
+alsa-hda-realtek-fix-pop-noise-on-lenovo-p50-co.patch
+alsa-hda-realtek-add-a-quirk-for-fsc-esprimo-u9210.patch
+alsa-hda-realtek-fix-the-problem-of-two-front-mics-on-more-machines.patch
+revert-i2c-algo-bit-init-the-bus-to-a-known-state.patch
+i2c-gpio-initialize-scl-to-high-again.patch
+slub-fix-failure-when-we-delete-and-create-a-slab-cache.patch
+kasan-depend-on-config_slub_debug.patch
--- /dev/null
+From d50d82faa0c964e31f7a946ba8aba7c715ca7ab0 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Wed, 27 Jun 2018 23:26:09 -0700
+Subject: slub: fix failure when we delete and create a slab cache
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit d50d82faa0c964e31f7a946ba8aba7c715ca7ab0 upstream.
+
+In kernel 4.17 I removed some code from dm-bufio that did slab cache
+merging (commit 21bb13276768: "dm bufio: remove code that merges slab
+caches") - both slab and slub support merging caches with identical
+attributes, so dm-bufio now just calls kmem_cache_create and relies on
+implicit merging.
+
+This uncovered a bug in the slub subsystem - if we delete a cache and
+immediatelly create another cache with the same attributes, it fails
+because of duplicate filename in /sys/kernel/slab/. The slub subsystem
+offloads freeing the cache to a workqueue - and if we create the new
+cache before the workqueue runs, it complains because of duplicate
+filename in sysfs.
+
+This patch fixes the bug by moving the call of kobject_del from
+sysfs_slab_remove_workfn to shutdown_cache. kobject_del must be called
+while we hold slab_mutex - so that the sysfs entry is deleted before a
+cache with the same attributes could be created.
+
+Running device-mapper-test-suite with:
+
+ dmtest run --suite thin-provisioning -n /commit_failure_causes_fallback/
+
+triggered:
+
+ Buffer I/O error on dev dm-0, logical block 1572848, async page read
+ device-mapper: thin: 253:1: metadata operation 'dm_pool_alloc_data_block' failed: error = -5
+ device-mapper: thin: 253:1: aborting current metadata transaction
+ sysfs: cannot create duplicate filename '/kernel/slab/:a-0000144'
+ CPU: 2 PID: 1037 Comm: kworker/u48:1 Not tainted 4.17.0.snitm+ #25
+ Hardware name: Supermicro SYS-1029P-WTR/X11DDW-L, BIOS 2.0a 12/06/2017
+ Workqueue: dm-thin do_worker [dm_thin_pool]
+ Call Trace:
+ dump_stack+0x5a/0x73
+ sysfs_warn_dup+0x58/0x70
+ sysfs_create_dir_ns+0x77/0x80
+ kobject_add_internal+0xba/0x2e0
+ kobject_init_and_add+0x70/0xb0
+ sysfs_slab_add+0xb1/0x250
+ __kmem_cache_create+0x116/0x150
+ create_cache+0xd9/0x1f0
+ kmem_cache_create_usercopy+0x1c1/0x250
+ kmem_cache_create+0x18/0x20
+ dm_bufio_client_create+0x1ae/0x410 [dm_bufio]
+ dm_block_manager_create+0x5e/0x90 [dm_persistent_data]
+ __create_persistent_data_objects+0x38/0x940 [dm_thin_pool]
+ dm_pool_abort_metadata+0x64/0x90 [dm_thin_pool]
+ metadata_operation_failed+0x59/0x100 [dm_thin_pool]
+ alloc_data_block.isra.53+0x86/0x180 [dm_thin_pool]
+ process_cell+0x2a3/0x550 [dm_thin_pool]
+ do_worker+0x28d/0x8f0 [dm_thin_pool]
+ process_one_work+0x171/0x370
+ worker_thread+0x49/0x3f0
+ kthread+0xf8/0x130
+ ret_from_fork+0x35/0x40
+ kobject_add_internal failed for :a-0000144 with -EEXIST, don't try to register things with the same name in the same directory.
+ kmem_cache_create(dm_bufio_buffer-16) failed with error -17
+
+Link: http://lkml.kernel.org/r/alpine.LRH.2.02.1806151817130.6333@file01.intranet.prod.int.rdu2.redhat.com
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Reported-by: Mike Snitzer <snitzer@redhat.com>
+Tested-by: Mike Snitzer <snitzer@redhat.com>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/slub_def.h | 4 ++++
+ mm/slab_common.c | 4 ++++
+ mm/slub.c | 7 ++++++-
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+
+--- a/include/linux/slub_def.h
++++ b/include/linux/slub_def.h
+@@ -156,8 +156,12 @@ struct kmem_cache {
+
+ #ifdef CONFIG_SYSFS
+ #define SLAB_SUPPORTS_SYSFS
++void sysfs_slab_unlink(struct kmem_cache *);
+ void sysfs_slab_release(struct kmem_cache *);
+ #else
++static inline void sysfs_slab_unlink(struct kmem_cache *s)
++{
++}
+ static inline void sysfs_slab_release(struct kmem_cache *s)
+ {
+ }
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -566,10 +566,14 @@ static int shutdown_cache(struct kmem_ca
+ list_del(&s->list);
+
+ if (s->flags & SLAB_TYPESAFE_BY_RCU) {
++#ifdef SLAB_SUPPORTS_SYSFS
++ sysfs_slab_unlink(s);
++#endif
+ list_add_tail(&s->list, &slab_caches_to_rcu_destroy);
+ schedule_work(&slab_caches_to_rcu_destroy_work);
+ } else {
+ #ifdef SLAB_SUPPORTS_SYSFS
++ sysfs_slab_unlink(s);
+ sysfs_slab_release(s);
+ #else
+ slab_kmem_cache_release(s);
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -5714,7 +5714,6 @@ static void sysfs_slab_remove_workfn(str
+ kset_unregister(s->memcg_kset);
+ #endif
+ kobject_uevent(&s->kobj, KOBJ_REMOVE);
+- kobject_del(&s->kobj);
+ out:
+ kobject_put(&s->kobj);
+ }
+@@ -5799,6 +5798,12 @@ static void sysfs_slab_remove(struct kme
+ schedule_work(&s->kobj_remove_work);
+ }
+
++void sysfs_slab_unlink(struct kmem_cache *s)
++{
++ if (slab_state >= FULL)
++ kobject_del(&s->kobj);
++}
++
+ void sysfs_slab_release(struct kmem_cache *s)
+ {
+ if (slab_state >= FULL)
--- /dev/null
+From 70303420b5721c38998cf987e6b7d30cc62d4ff1 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Thu, 21 Jun 2018 13:20:53 -0400
+Subject: tracing: Check for no filter when processing event filters
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 70303420b5721c38998cf987e6b7d30cc62d4ff1 upstream.
+
+The syzkaller detected a out-of-bounds issue with the events filter code,
+specifically here:
+
+ prog[N].pred = NULL; /* #13 */
+ prog[N].target = 1; /* TRUE */
+ prog[N+1].pred = NULL;
+ prog[N+1].target = 0; /* FALSE */
+-> prog[N-1].target = N;
+ prog[N-1].when_to_branch = false;
+
+As that's the first reference to a "N-1" index, it appears that the code got
+here with N = 0, which means the filter parser found no filter to parse
+(which shouldn't ever happen, but apparently it did).
+
+Add a new error to the parsing code that will check to make sure that N is
+not zero before going into this part of the code. If N = 0, then -EINVAL is
+returned, and a error message is added to the filter.
+
+Cc: stable@vger.kernel.org
+Fixes: 80765597bc587 ("tracing: Rewrite filter logic to be simpler and faster")
+Reported-by: air icy <icytxw@gmail.com>
+bugzilla url: https://bugzilla.kernel.org/show_bug.cgi?id=200019
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events_filter.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events_filter.c
++++ b/kernel/trace/trace_events_filter.c
+@@ -78,7 +78,8 @@ static const char * ops[] = { OPS };
+ C(TOO_MANY_PREDS, "Too many terms in predicate expression"), \
+ C(INVALID_FILTER, "Meaningless filter expression"), \
+ C(IP_FIELD_ONLY, "Only 'ip' field is supported for function trace"), \
+- C(INVALID_VALUE, "Invalid value (did you forget quotes)?"),
++ C(INVALID_VALUE, "Invalid value (did you forget quotes)?"), \
++ C(NO_FILTER, "No filter found"),
+
+ #undef C
+ #define C(a, b) FILT_ERR_##a
+@@ -550,6 +551,13 @@ predicate_parse(const char *str, int nr_
+ goto out_free;
+ }
+
++ if (!N) {
++ /* No program? */
++ ret = -EINVAL;
++ parse_error(pe, FILT_ERR_NO_FILTER, ptr - str);
++ goto out_free;
++ }
++
+ prog[N].pred = NULL; /* #13 */
+ prog[N].target = 1; /* TRUE */
+ prog[N+1].pred = NULL;
--- /dev/null
+From 6e7d80161066c99d12580d1b985cb1408bb58cf1 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Wed, 16 May 2018 22:17:03 +0200
+Subject: ubi: fastmap: Cancel work upon detach
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 6e7d80161066c99d12580d1b985cb1408bb58cf1 upstream.
+
+Ben Hutchings pointed out that 29b7a6fa1ec0 ("ubi: fastmap: Don't flush
+fastmap work on detach") does not really fix the problem, it just
+reduces the risk to hit the race window where fastmap work races against
+free()'ing ubi->volumes[].
+
+The correct approach is making sure that no more fastmap work is in
+progress before we free ubi data structures.
+So we cancel fastmap work right after the ubi background thread is
+stopped.
+By setting ubi->thread_enabled to zero we make sure that no further work
+tries to wake the thread.
+
+Fixes: 29b7a6fa1ec0 ("ubi: fastmap: Don't flush fastmap work on detach")
+Fixes: 74cdaf24004a ("UBI: Fastmap: Fix memory leaks while closing the WL sub-system")
+Cc: stable@vger.kernel.org
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Cc: Martin Townsend <mtownsend1973@gmail.com>
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/ubi/build.c | 3 +++
+ drivers/mtd/ubi/wl.c | 4 +---
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/ubi/build.c
++++ b/drivers/mtd/ubi/build.c
+@@ -1091,6 +1091,9 @@ int ubi_detach_mtd_dev(int ubi_num, int
+ if (ubi->bgt_thread)
+ kthread_stop(ubi->bgt_thread);
+
++#ifdef CONFIG_MTD_UBI_FASTMAP
++ cancel_work_sync(&ubi->fm_work);
++#endif
+ ubi_debugfs_exit_dev(ubi);
+ uif_close(ubi);
+
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -1505,6 +1505,7 @@ int ubi_thread(void *u)
+ }
+
+ dbg_wl("background thread \"%s\" is killed", ubi->bgt_name);
++ ubi->thread_enabled = 0;
+ return 0;
+ }
+
+@@ -1514,9 +1515,6 @@ int ubi_thread(void *u)
+ */
+ static void shutdown_work(struct ubi_device *ubi)
+ {
+-#ifdef CONFIG_MTD_UBI_FASTMAP
+- flush_work(&ubi->fm_work);
+-#endif
+ while (!list_empty(&ubi->works)) {
+ struct ubi_work *wrk;
+
--- /dev/null
+From 781932375ffc6411713ee0926ccae8596ed0261c Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Mon, 28 May 2018 22:04:32 +0200
+Subject: ubi: fastmap: Correctly handle interrupted erasures in EBA
+
+From: Richard Weinberger <richard@nod.at>
+
+commit 781932375ffc6411713ee0926ccae8596ed0261c upstream.
+
+Fastmap cannot track the LEB unmap operation, therefore it can
+happen that after an interrupted erasure the mapping still looks
+good from Fastmap's point of view, while reading from the PEB will
+cause an ECC error and confuses the upper layer.
+
+Instead of teaching users of UBI how to deal with that, we read back
+the VID header and check for errors. If the PEB is empty or shows ECC
+errors we fixup the mapping and schedule the PEB for erasure.
+
+Fixes: dbb7d2a88d2a ("UBI: Add fastmap core")
+Cc: <stable@vger.kernel.org>
+Reported-by: martin bayern <Martinbayern@outlook.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/ubi/eba.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 89 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/ubi/eba.c
++++ b/drivers/mtd/ubi/eba.c
+@@ -490,6 +490,82 @@ out_unlock:
+ return err;
+ }
+
++#ifdef CONFIG_MTD_UBI_FASTMAP
++/**
++ * check_mapping - check and fixup a mapping
++ * @ubi: UBI device description object
++ * @vol: volume description object
++ * @lnum: logical eraseblock number
++ * @pnum: physical eraseblock number
++ *
++ * Checks whether a given mapping is valid. Fastmap cannot track LEB unmap
++ * operations, if such an operation is interrupted the mapping still looks
++ * good, but upon first read an ECC is reported to the upper layer.
++ * Normaly during the full-scan at attach time this is fixed, for Fastmap
++ * we have to deal with it while reading.
++ * If the PEB behind a LEB shows this symthom we change the mapping to
++ * %UBI_LEB_UNMAPPED and schedule the PEB for erasure.
++ *
++ * Returns 0 on success, negative error code in case of failure.
++ */
++static int check_mapping(struct ubi_device *ubi, struct ubi_volume *vol, int lnum,
++ int *pnum)
++{
++ int err;
++ struct ubi_vid_io_buf *vidb;
++
++ if (!ubi->fast_attach)
++ return 0;
++
++ vidb = ubi_alloc_vid_buf(ubi, GFP_NOFS);
++ if (!vidb)
++ return -ENOMEM;
++
++ err = ubi_io_read_vid_hdr(ubi, *pnum, vidb, 0);
++ if (err > 0 && err != UBI_IO_BITFLIPS) {
++ int torture = 0;
++
++ switch (err) {
++ case UBI_IO_FF:
++ case UBI_IO_FF_BITFLIPS:
++ case UBI_IO_BAD_HDR:
++ case UBI_IO_BAD_HDR_EBADMSG:
++ break;
++ default:
++ ubi_assert(0);
++ }
++
++ if (err == UBI_IO_BAD_HDR_EBADMSG || err == UBI_IO_FF_BITFLIPS)
++ torture = 1;
++
++ down_read(&ubi->fm_eba_sem);
++ vol->eba_tbl->entries[lnum].pnum = UBI_LEB_UNMAPPED;
++ up_read(&ubi->fm_eba_sem);
++ ubi_wl_put_peb(ubi, vol->vol_id, lnum, *pnum, torture);
++
++ *pnum = UBI_LEB_UNMAPPED;
++ } else if (err < 0) {
++ ubi_err(ubi, "unable to read VID header back from PEB %i: %i",
++ *pnum, err);
++
++ goto out_free;
++ }
++
++ err = 0;
++
++out_free:
++ ubi_free_vid_buf(vidb);
++
++ return err;
++}
++#else
++static int check_mapping(struct ubi_device *ubi, struct ubi_volume *vol, int lnum,
++ int *pnum)
++{
++ return 0;
++}
++#endif
++
+ /**
+ * ubi_eba_read_leb - read data.
+ * @ubi: UBI device description object
+@@ -522,7 +598,13 @@ int ubi_eba_read_leb(struct ubi_device *
+ return err;
+
+ pnum = vol->eba_tbl->entries[lnum].pnum;
+- if (pnum < 0) {
++ if (pnum >= 0) {
++ err = check_mapping(ubi, vol, lnum, &pnum);
++ if (err < 0)
++ goto out_unlock;
++ }
++
++ if (pnum == UBI_LEB_UNMAPPED) {
+ /*
+ * The logical eraseblock is not mapped, fill the whole buffer
+ * with 0xFF bytes. The exception is static volumes for which
+@@ -931,6 +1013,12 @@ int ubi_eba_write_leb(struct ubi_device
+
+ pnum = vol->eba_tbl->entries[lnum].pnum;
+ if (pnum >= 0) {
++ err = check_mapping(ubi, vol, lnum, &pnum);
++ if (err < 0)
++ goto out;
++ }
++
++ if (pnum >= 0) {
+ dbg_eba("write %d bytes at offset %d of LEB %d:%d, PEB %d",
+ len, offset, vol_id, lnum, pnum);
+
--- /dev/null
+From 353748a359f1821ee934afc579cf04572406b420 Mon Sep 17 00:00:00 2001
+From: Silvio Cesare <silvio.cesare@gmail.com>
+Date: Fri, 4 May 2018 13:44:02 +1000
+Subject: UBIFS: Fix potential integer overflow in allocation
+
+From: Silvio Cesare <silvio.cesare@gmail.com>
+
+commit 353748a359f1821ee934afc579cf04572406b420 upstream.
+
+There is potential for the size and len fields in ubifs_data_node to be
+too large causing either a negative value for the length fields or an
+integer overflow leading to an incorrect memory allocation. Likewise,
+when the len field is small, an integer underflow may occur.
+
+Signed-off-by: Silvio Cesare <silvio.cesare@gmail.com>
+Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/journal.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/ubifs/journal.c
++++ b/fs/ubifs/journal.c
+@@ -1283,10 +1283,11 @@ static int truncate_data_node(const stru
+ int *new_len)
+ {
+ void *buf;
+- int err, dlen, compr_type, out_len, old_dlen;
++ int err, compr_type;
++ u32 dlen, out_len, old_dlen;
+
+ out_len = le32_to_cpu(dn->size);
+- buf = kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS);
++ buf = kmalloc_array(out_len, WORST_COMPR_FACTOR, GFP_NOFS);
+ if (!buf)
+ return -ENOMEM;
+
--- /dev/null
+From fa65653e575fbd958bdf5fb9c4a71a324e39510d Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 13 Jun 2018 12:09:22 +0200
+Subject: udf: Detect incorrect directory size
+
+From: Jan Kara <jack@suse.cz>
+
+commit fa65653e575fbd958bdf5fb9c4a71a324e39510d upstream.
+
+Detect when a directory entry is (possibly partially) beyond directory
+size and return EIO in that case since it means the filesystem is
+corrupted. Otherwise directory operations can further corrupt the
+directory and possibly also oops the kernel.
+
+CC: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+CC: stable@vger.kernel.org
+Reported-and-tested-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/udf/directory.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/udf/directory.c
++++ b/fs/udf/directory.c
+@@ -152,6 +152,9 @@ struct fileIdentDesc *udf_fileident_read
+ sizeof(struct fileIdentDesc));
+ }
+ }
++ /* Got last entry outside of dir size - fs is corrupted! */
++ if (*nf_pos > dir->i_size)
++ return NULL;
+ return fi;
+ }
+
--- /dev/null
+From 4579a1ba692af81da7ea6ce197f8169ddc0c327f Mon Sep 17 00:00:00 2001
+From: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Date: Tue, 5 Jun 2018 09:27:30 +0100
+Subject: um: Fix initialization of vector queues
+
+From: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+
+commit 4579a1ba692af81da7ea6ce197f8169ddc0c327f upstream.
+
+UML vector drivers could derefence uninitialized memory
+when cleaning up after a queue allocation failure.
+
+Fixes: 49da7e64f33e ("High Performance UML Vector Network Driver")
+Cc: <stable@vger.kernel.org>
+Reported-by: Dan Capenter <dan.carpenter@oracle.com>
+Signed-off-by: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/um/drivers/vector_kern.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/arch/um/drivers/vector_kern.c
++++ b/arch/um/drivers/vector_kern.c
+@@ -504,15 +504,19 @@ static struct vector_queue *create_queue
+
+ result = kmalloc(sizeof(struct vector_queue), GFP_KERNEL);
+ if (result == NULL)
+- goto out_fail;
++ return NULL;
+ result->max_depth = max_size;
+ result->dev = vp->dev;
+ result->mmsg_vector = kmalloc(
+ (sizeof(struct mmsghdr) * max_size), GFP_KERNEL);
++ if (result->mmsg_vector == NULL)
++ goto out_mmsg_fail;
+ result->skbuff_vector = kmalloc(
+ (sizeof(void *) * max_size), GFP_KERNEL);
+- if (result->mmsg_vector == NULL || result->skbuff_vector == NULL)
+- goto out_fail;
++ if (result->skbuff_vector == NULL)
++ goto out_skb_fail;
++
++ /* further failures can be handled safely by destroy_queue*/
+
+ mmsg_vector = result->mmsg_vector;
+ for (i = 0; i < max_size; i++) {
+@@ -563,6 +567,11 @@ static struct vector_queue *create_queue
+ result->head = 0;
+ result->tail = 0;
+ return result;
++out_skb_fail:
++ kfree(result->mmsg_vector);
++out_mmsg_fail:
++ kfree(result);
++ return NULL;
+ out_fail:
+ destroy_queue(result);
+ return NULL;
--- /dev/null
+From 5ec9121195a4f1cecd0fa592636c5f81eb03dc8c Mon Sep 17 00:00:00 2001
+From: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Date: Thu, 7 Jun 2018 12:43:15 +0100
+Subject: um: Fix raw interface options
+
+From: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+
+commit 5ec9121195a4f1cecd0fa592636c5f81eb03dc8c upstream.
+
+Raw interface initialization needs QDISC_BYPASS. Otherwise
+it sees its own packets when transmitting.
+
+Fixes: 49da7e64f33e ("High Performance UML Vector Network Driver")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/um/drivers/vector_kern.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/um/drivers/vector_kern.c
++++ b/arch/um/drivers/vector_kern.c
+@@ -188,7 +188,7 @@ static int get_transport_options(struct
+ if (strncmp(transport, TRANS_TAP, TRANS_TAP_LEN) == 0)
+ return (vec_rx | VECTOR_BPF);
+ if (strncmp(transport, TRANS_RAW, TRANS_RAW_LEN) == 0)
+- return (vec_rx | vec_tx);
++ return (vec_rx | vec_tx | VECTOR_QDISC_BYPASS);
+ return (vec_rx | vec_tx);
+ }
+
+@@ -1241,9 +1241,8 @@ static int vector_net_open(struct net_de
+
+ if ((vp->options & VECTOR_QDISC_BYPASS) != 0) {
+ if (!uml_raw_enable_qdisc_bypass(vp->fds->rx_fd))
+- vp->options = vp->options | VECTOR_BPF;
++ vp->options |= VECTOR_BPF;
+ }
+-
+ if ((vp->options & VECTOR_BPF) != 0)
+ vp->bpf = uml_vector_default_bpf(vp->fds->rx_fd, dev->dev_addr);
+
--- /dev/null
+From 9f645bcc566a1e9f921bdae7528a01ced5bc3713 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 11 May 2018 18:24:12 +1000
+Subject: video: uvesafb: Fix integer overflow in allocation
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 9f645bcc566a1e9f921bdae7528a01ced5bc3713 upstream.
+
+cmap->len can get close to INT_MAX/2, allowing for an integer overflow in
+allocation. This uses kmalloc_array() instead to catch the condition.
+
+Reported-by: Dr Silvio Cesare of InfoSect <silvio.cesare@gmail.com>
+Fixes: 8bdb3a2d7df48 ("uvesafb: the driver core")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/uvesafb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/uvesafb.c
++++ b/drivers/video/fbdev/uvesafb.c
+@@ -1044,7 +1044,8 @@ static int uvesafb_setcmap(struct fb_cma
+ info->cmap.len || cmap->start < info->cmap.start)
+ return -EINVAL;
+
+- entries = kmalloc(sizeof(*entries) * cmap->len, GFP_KERNEL);
++ entries = kmalloc_array(cmap->len, sizeof(*entries),
++ GFP_KERNEL);
+ if (!entries)
+ return -ENOMEM;
+
--- /dev/null
+From 0e311d237d7f3022b7dafb639b42541bfb42fe94 Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Date: Mon, 25 Jun 2018 13:24:27 +0300
+Subject: x86/mm: Don't free P4D table when it is folded at runtime
+
+From: Andrey Ryabinin <aryabinin@virtuozzo.com>
+
+commit 0e311d237d7f3022b7dafb639b42541bfb42fe94 upstream.
+
+When the P4D page table layer is folded at runtime, the p4d_free()
+should do nothing, the same as in <asm-generic/pgtable-nop4d.h>.
+
+It seems this bug should cause double-free in efi_call_phys_epilog(),
+but I don't know how to trigger that code path, so I can't confirm that
+by testing.
+
+Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org # 4.17
+Fixes: 98219dda2ab5 ("x86/mm: Fold p4d page table layer at runtime")
+Link: http://lkml.kernel.org/r/20180625102427.15015-1-aryabinin@virtuozzo.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/pgalloc.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/include/asm/pgalloc.h
++++ b/arch/x86/include/asm/pgalloc.h
+@@ -184,6 +184,9 @@ static inline p4d_t *p4d_alloc_one(struc
+
+ static inline void p4d_free(struct mm_struct *mm, p4d_t *p4d)
+ {
++ if (!pgtable_l5_enabled())
++ return;
++
+ BUG_ON((unsigned long)p4d & (PAGE_SIZE-1));
+ free_page((unsigned long)p4d);
+ }
--- /dev/null
+From eef04c7b3786ff0c9cb1019278b6c6c2ea0ad4ff Mon Sep 17 00:00:00 2001
+From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Date: Thu, 21 Jun 2018 13:29:44 -0400
+Subject: xen: Remove unnecessary BUG_ON from __unbind_from_irq()
+
+From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+
+commit eef04c7b3786ff0c9cb1019278b6c6c2ea0ad4ff upstream.
+
+Commit 910f8befdf5b ("xen/pirq: fix error path cleanup when binding
+MSIs") fixed a couple of errors in error cleanup path of
+xen_bind_pirq_msi_to_irq(). This cleanup allowed a call to
+__unbind_from_irq() with an unbound irq, which would result in
+triggering the BUG_ON there.
+
+Since there is really no reason for the BUG_ON (xen_free_irq() can
+operate on unbound irqs) we can remove it.
+
+Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/events/events_base.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -628,8 +628,6 @@ static void __unbind_from_irq(unsigned i
+ xen_irq_info_cleanup(info);
+ }
+
+- BUG_ON(info_for_irq(irq)->type == IRQT_UNBOUND);
+-
+ xen_free_irq(irq);
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
