--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 2 Nov 2017 15:27:48 +0000
+Subject: afs: Connect up the CB.ProbeUuid
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit f4b3526d83c40dd8bf5948b9d7a1b2c340f0dcc8 ]
+
+The handler for the CB.ProbeUuid operation in the cache manager is
+implemented, but isn't listed in the switch-statement of operation
+selection, so won't be used. Fix this by adding it.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/cmservice.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/afs/cmservice.c
++++ b/fs/afs/cmservice.c
+@@ -115,6 +115,9 @@ bool afs_cm_incoming_call(struct afs_cal
+ case CBProbe:
+ call->type = &afs_SRXCBProbe;
+ return true;
++ case CBProbeUuid:
++ call->type = &afs_SRXCBProbeUuid;
++ return true;
+ case CBTellMeAboutYourself:
+ call->type = &afs_SRXCBTellMeAboutYourself;
+ return true;
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Mon, 20 Feb 2017 12:30:11 +0000
+Subject: arm: KVM: Survive unknown traps from guests
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+
+[ Upstream commit f050fe7a9164945dd1c28be05bf00e8cfb082ccf ]
+
+Currently we BUG() if we see a HSR.EC value we don't recognise. As
+configurable disables/enables are added to the architecture (controlled
+by RES1/RES0 bits respectively), with associated synchronous exceptions,
+it may be possible for a guest to trigger exceptions with classes that
+we don't recognise.
+
+While we can't service these exceptions in a manner useful to the guest,
+we can avoid bringing down the host. Per ARM DDI 0406C.c, all currently
+unallocated HSR EC encodings are reserved, and per ARM DDI
+0487A.k_iss10775, page G6-4395, EC values within the range 0x00 - 0x2c
+are reserved for future use with synchronous exceptions, and EC values
+within the range 0x2d - 0x3f may be used for either synchronous or
+asynchronous exceptions.
+
+The patch makes KVM handle any unknown EC by injecting an UNDEFINED
+exception into the guest, with a corresponding (ratelimited) warning in
+the host dmesg. We could later improve on this with with a new (opt-in)
+exit to the host userspace.
+
+Cc: Dave Martin <dave.martin@arm.com>
+Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/include/asm/kvm_arm.h | 1 +
+ arch/arm/kvm/handle_exit.c | 19 ++++++++++++-------
+ 2 files changed, 13 insertions(+), 7 deletions(-)
+
+--- a/arch/arm/include/asm/kvm_arm.h
++++ b/arch/arm/include/asm/kvm_arm.h
+@@ -209,6 +209,7 @@
+ #define HSR_EC_IABT_HYP (0x21)
+ #define HSR_EC_DABT (0x24)
+ #define HSR_EC_DABT_HYP (0x25)
++#define HSR_EC_MAX (0x3f)
+
+ #define HSR_WFI_IS_WFE (1U << 0)
+
+--- a/arch/arm/kvm/handle_exit.c
++++ b/arch/arm/kvm/handle_exit.c
+@@ -100,7 +100,19 @@ static int kvm_handle_wfx(struct kvm_vcp
+ return 1;
+ }
+
++static int kvm_handle_unknown_ec(struct kvm_vcpu *vcpu, struct kvm_run *run)
++{
++ u32 hsr = kvm_vcpu_get_hsr(vcpu);
++
++ kvm_pr_unimpl("Unknown exception class: hsr: %#08x\n",
++ hsr);
++
++ kvm_inject_undefined(vcpu);
++ return 1;
++}
++
+ static exit_handle_fn arm_exit_handlers[] = {
++ [0 ... HSR_EC_MAX] = kvm_handle_unknown_ec,
+ [HSR_EC_WFI] = kvm_handle_wfx,
+ [HSR_EC_CP15_32] = kvm_handle_cp15_32,
+ [HSR_EC_CP15_64] = kvm_handle_cp15_64,
+@@ -122,13 +134,6 @@ static exit_handle_fn kvm_get_exit_handl
+ {
+ u8 hsr_ec = kvm_vcpu_trap_get_class(vcpu);
+
+- if (hsr_ec >= ARRAY_SIZE(arm_exit_handlers) ||
+- !arm_exit_handlers[hsr_ec]) {
+- kvm_err("Unknown exception class: hsr: %#08x\n",
+- (unsigned int)kvm_vcpu_get_hsr(vcpu));
+- BUG();
+- }
+-
+ return arm_exit_handlers[hsr_ec];
+ }
+
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Sat, 4 Mar 2017 07:02:10 -0800
+Subject: ARM: OMAP2+: Fix device node reference counts
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+
+[ Upstream commit 10e5778f54765c96fe0c8f104b7a030e5b35bc72 ]
+
+After commit 0549bde0fcb1 ("of: fix of_node leak caused in
+of_find_node_opts_by_path"), the following error may be
+reported when running omap images.
+
+OF: ERROR: Bad of_node_put() on /ocp@68000000
+CPU: 0 PID: 0 Comm: swapper Not tainted 4.10.0-rc7-next-20170210 #1
+Hardware name: Generic OMAP3-GP (Flattened Device Tree)
+[<c0310604>] (unwind_backtrace) from [<c030bbf4>] (show_stack+0x10/0x14)
+[<c030bbf4>] (show_stack) from [<c05add8c>] (dump_stack+0x98/0xac)
+[<c05add8c>] (dump_stack) from [<c05af1b0>] (kobject_release+0x48/0x7c)
+[<c05af1b0>] (kobject_release)
+ from [<c0ad1aa4>] (of_find_node_by_name+0x74/0x94)
+[<c0ad1aa4>] (of_find_node_by_name)
+ from [<c1215bd4>] (omap3xxx_hwmod_is_hs_ip_block_usable+0x24/0x2c)
+[<c1215bd4>] (omap3xxx_hwmod_is_hs_ip_block_usable) from
+[<c1215d5c>] (omap3xxx_hwmod_init+0x180/0x274)
+[<c1215d5c>] (omap3xxx_hwmod_init)
+ from [<c120faa8>] (omap3_init_early+0xa0/0x11c)
+[<c120faa8>] (omap3_init_early)
+ from [<c120fb2c>] (omap3430_init_early+0x8/0x30)
+[<c120fb2c>] (omap3430_init_early)
+ from [<c1204710>] (setup_arch+0xc04/0xc34)
+[<c1204710>] (setup_arch) from [<c1200948>] (start_kernel+0x68/0x38c)
+[<c1200948>] (start_kernel) from [<8020807c>] (0x8020807c)
+
+of_find_node_by_name() drops the reference to the passed device node.
+The commit referenced above exposes this problem.
+
+To fix the problem, use of_get_child_by_name() instead of
+of_find_node_by_name(); of_get_child_by_name() does not drop
+the reference count of passed device nodes. While semantically
+different, we only look for immediate children of the passed
+device node, so of_get_child_by_name() is a more appropriate
+function to use anyway.
+
+Release the reference to the device node obtained with
+of_get_child_by_name() after it is no longer needed to avoid
+another device node leak.
+
+While at it, clean up the code and change the return type of
+omap3xxx_hwmod_is_hs_ip_block_usable() to bool to match its use
+and the return type of of_device_is_available().
+
+Cc: Qi Hou <qi.hou@windriver.com>
+Cc: Peter Rosin <peda@axentia.se>
+Cc: Rob Herring <robh@kernel.org>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap2/omap_hwmod_3xxx_data.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
++++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+@@ -3885,16 +3885,20 @@ static struct omap_hwmod_ocp_if *omap3xx
+ * Return: 0 if device named @dev_name is not likely to be accessible,
+ * or 1 if it is likely to be accessible.
+ */
+-static int __init omap3xxx_hwmod_is_hs_ip_block_usable(struct device_node *bus,
+- const char *dev_name)
++static bool __init omap3xxx_hwmod_is_hs_ip_block_usable(struct device_node *bus,
++ const char *dev_name)
+ {
++ struct device_node *node;
++ bool available;
++
+ if (!bus)
+- return (omap_type() == OMAP2_DEVICE_TYPE_GP) ? 1 : 0;
++ return omap_type() == OMAP2_DEVICE_TYPE_GP;
+
+- if (of_device_is_available(of_find_node_by_name(bus, dev_name)))
+- return 1;
++ node = of_get_child_by_name(bus, dev_name);
++ available = of_device_is_available(node);
++ of_node_put(node);
+
+- return 0;
++ return available;
+ }
+
+ int __init omap3xxx_hwmod_init(void)
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Ladislav Michl <ladis@linux-mips.org>
+Date: Sat, 11 Feb 2017 14:02:49 +0100
+Subject: ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure
+
+From: Ladislav Michl <ladis@linux-mips.org>
+
+
+[ Upstream commit 7807e086a2d1f69cc1a57958cac04fea79fc2112 ]
+
+gpmc_probe_onenand_child returns success even on gpmc_onenand_init
+failure. Fix that.
+
+Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
+Acked-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap2/gpmc-onenand.c | 10 ++++++----
+ drivers/memory/omap-gpmc.c | 4 +---
+ include/linux/omap-gpmc.h | 5 +++--
+ 3 files changed, 10 insertions(+), 9 deletions(-)
+
+--- a/arch/arm/mach-omap2/gpmc-onenand.c
++++ b/arch/arm/mach-omap2/gpmc-onenand.c
+@@ -367,7 +367,7 @@ static int gpmc_onenand_setup(void __iom
+ return ret;
+ }
+
+-void gpmc_onenand_init(struct omap_onenand_platform_data *_onenand_data)
++int gpmc_onenand_init(struct omap_onenand_platform_data *_onenand_data)
+ {
+ int err;
+ struct device *dev = &gpmc_onenand_device.dev;
+@@ -393,15 +393,17 @@ void gpmc_onenand_init(struct omap_onena
+ if (err < 0) {
+ dev_err(dev, "Cannot request GPMC CS %d, error %d\n",
+ gpmc_onenand_data->cs, err);
+- return;
++ return err;
+ }
+
+ gpmc_onenand_resource.end = gpmc_onenand_resource.start +
+ ONENAND_IO_SIZE - 1;
+
+- if (platform_device_register(&gpmc_onenand_device) < 0) {
++ err = platform_device_register(&gpmc_onenand_device);
++ if (err) {
+ dev_err(dev, "Unable to register OneNAND device\n");
+ gpmc_cs_free(gpmc_onenand_data->cs);
+- return;
+ }
++
++ return err;
+ }
+--- a/drivers/memory/omap-gpmc.c
++++ b/drivers/memory/omap-gpmc.c
+@@ -1890,9 +1890,7 @@ static int gpmc_probe_onenand_child(stru
+ if (!of_property_read_u32(child, "dma-channel", &val))
+ gpmc_onenand_data->dma_channel = val;
+
+- gpmc_onenand_init(gpmc_onenand_data);
+-
+- return 0;
++ return gpmc_onenand_init(gpmc_onenand_data);
+ }
+ #else
+ static int gpmc_probe_onenand_child(struct platform_device *pdev,
+--- a/include/linux/omap-gpmc.h
++++ b/include/linux/omap-gpmc.h
+@@ -191,10 +191,11 @@ static inline int gpmc_nand_init(struct
+ #endif
+
+ #if IS_ENABLED(CONFIG_MTD_ONENAND_OMAP2)
+-extern void gpmc_onenand_init(struct omap_onenand_platform_data *d);
++extern int gpmc_onenand_init(struct omap_onenand_platform_data *d);
+ #else
+ #define board_onenand_data NULL
+-static inline void gpmc_onenand_init(struct omap_onenand_platform_data *d)
++static inline int gpmc_onenand_init(struct omap_onenand_platform_data *d)
+ {
++ return 0;
+ }
+ #endif
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Sat, 4 Mar 2017 07:02:11 -0800
+Subject: ARM: OMAP2+: Release device node after it is no longer needed.
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+
+[ Upstream commit b92675d998a9fa37fe9e0e35053a95b4a23c158b ]
+
+The device node returned by of_find_node_by_name() needs to be released
+after it is no longer needed to avoid a device node leak.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap2/omap_hwmod_3xxx_data.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
++++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+@@ -3967,15 +3967,20 @@ int __init omap3xxx_hwmod_init(void)
+
+ if (h_sham && omap3xxx_hwmod_is_hs_ip_block_usable(bus, "sham")) {
+ r = omap_hwmod_register_links(h_sham);
+- if (r < 0)
++ if (r < 0) {
++ of_node_put(bus);
+ return r;
++ }
+ }
+
+ if (h_aes && omap3xxx_hwmod_is_hs_ip_block_usable(bus, "aes")) {
+ r = omap_hwmod_register_links(h_aes);
+- if (r < 0)
++ if (r < 0) {
++ of_node_put(bus);
+ return r;
++ }
+ }
++ of_node_put(bus);
+
+ /*
+ * Register hwmod links specific to certain ES levels of a
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Mon, 20 Feb 2017 12:30:12 +0000
+Subject: arm64: KVM: Survive unknown traps from guests
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+
+[ Upstream commit ba4dd156eabdca93501d92a980ba27fa5f4bbd27 ]
+
+Currently we BUG() if we see an ESR_EL2.EC value we don't recognise. As
+configurable disables/enables are added to the architecture (controlled
+by RES1/RES0 bits respectively), with associated synchronous exceptions,
+it may be possible for a guest to trigger exceptions with classes that
+we don't recognise.
+
+While we can't service these exceptions in a manner useful to the guest,
+we can avoid bringing down the host. Per ARM DDI 0487A.k_iss10775, page
+D7-1937, EC values within the range 0x00 - 0x2c are reserved for future
+use with synchronous exceptions, and EC values within the range 0x2d -
+0x3f may be used for either synchronous or asynchronous exceptions.
+
+The patch makes KVM handle any unknown EC by injecting an UNDEFINED
+exception into the guest, with a corresponding (ratelimited) warning in
+the host dmesg. We could later improve on this with with a new (opt-in)
+exit to the host userspace.
+
+Cc: Dave Martin <dave.martin@arm.com>
+Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/handle_exit.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/arch/arm64/kvm/handle_exit.c
++++ b/arch/arm64/kvm/handle_exit.c
+@@ -121,7 +121,19 @@ static int kvm_handle_guest_debug(struct
+ return ret;
+ }
+
++static int kvm_handle_unknown_ec(struct kvm_vcpu *vcpu, struct kvm_run *run)
++{
++ u32 hsr = kvm_vcpu_get_hsr(vcpu);
++
++ kvm_pr_unimpl("Unknown exception class: hsr: %#08x -- %s\n",
++ hsr, esr_get_class_string(hsr));
++
++ kvm_inject_undefined(vcpu);
++ return 1;
++}
++
+ static exit_handle_fn arm_exit_handlers[] = {
++ [0 ... ESR_ELx_EC_MAX] = kvm_handle_unknown_ec,
+ [ESR_ELx_EC_WFx] = kvm_handle_wfx,
+ [ESR_ELx_EC_CP15_32] = kvm_handle_cp15_32,
+ [ESR_ELx_EC_CP15_64] = kvm_handle_cp15_64,
+@@ -147,13 +159,6 @@ static exit_handle_fn kvm_get_exit_handl
+ u32 hsr = kvm_vcpu_get_hsr(vcpu);
+ u8 hsr_ec = hsr >> ESR_ELx_EC_SHIFT;
+
+- if (hsr_ec >= ARRAY_SIZE(arm_exit_handlers) ||
+- !arm_exit_handlers[hsr_ec]) {
+- kvm_err("Unknown exception class: hsr: %#08x -- %s\n",
+- hsr, esr_get_class_string(hsr));
+- BUG();
+- }
+-
+ return arm_exit_handlers[hsr_ec];
+ }
+
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Tue, 14 Nov 2017 13:42:38 +0530
+Subject: atm: horizon: Fix irq release error
+
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+
+
+[ Upstream commit bde533f2ea607cbbbe76ef8738b36243939a7bc2 ]
+
+atm_dev_register() can fail here and passed parameters to free irq
+which is not initialised. Initialization of 'dev->irq' happened after
+the 'goto out_free_irq'. So using 'irq' insted of 'dev->irq' in
+free_irq().
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/atm/horizon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/atm/horizon.c
++++ b/drivers/atm/horizon.c
+@@ -2804,7 +2804,7 @@ out:
+ return err;
+
+ out_free_irq:
+- free_irq(dev->irq, dev);
++ free_irq(irq, dev);
+ out_free:
+ kfree(dev);
+ out_release:
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Paul Moore <paul@paul-moore.com>
+Date: Fri, 1 Sep 2017 09:44:34 -0400
+Subject: audit: ensure that 'audit=1' actually enables audit for PID 1
+
+From: Paul Moore <paul@paul-moore.com>
+
+
+[ Upstream commit 173743dd99a49c956b124a74c8aacb0384739a4c ]
+
+Prior to this patch we enabled audit in audit_init(), which is too
+late for PID 1 as the standard initcalls are run after the PID 1 task
+is forked. This means that we never allocate an audit_context (see
+audit_alloc()) for PID 1 and therefore miss a lot of audit events
+generated by PID 1.
+
+This patch enables audit as early as possible to help ensure that when
+PID 1 is forked it can allocate an audit_context if required.
+
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/audit.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -80,13 +80,13 @@ static int audit_initialized;
+ #define AUDIT_OFF 0
+ #define AUDIT_ON 1
+ #define AUDIT_LOCKED 2
+-u32 audit_enabled;
+-u32 audit_ever_enabled;
++u32 audit_enabled = AUDIT_OFF;
++u32 audit_ever_enabled = !!AUDIT_OFF;
+
+ EXPORT_SYMBOL_GPL(audit_enabled);
+
+ /* Default state when kernel boots without any parameters. */
+-static u32 audit_default;
++static u32 audit_default = AUDIT_OFF;
+
+ /* If auditing cannot proceed, audit_failure selects what happens. */
+ static u32 audit_failure = AUDIT_FAIL_PRINTK;
+@@ -1179,8 +1179,6 @@ static int __init audit_init(void)
+ skb_queue_head_init(&audit_skb_queue);
+ skb_queue_head_init(&audit_skb_hold_queue);
+ audit_initialized = AUDIT_INITIALIZED;
+- audit_enabled = audit_default;
+- audit_ever_enabled |= !!audit_default;
+
+ audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
+
+@@ -1197,6 +1195,8 @@ static int __init audit_enable(char *str
+ audit_default = !!simple_strtol(str, NULL, 0);
+ if (!audit_default)
+ audit_initialized = AUDIT_DISABLED;
++ audit_enabled = audit_default;
++ audit_ever_enabled = !!audit_enabled;
+
+ pr_info("%s\n", audit_default ?
+ "enabled (after initialization)" : "disabled (until reboot)");
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 8 Mar 2017 14:56:05 +0100
+Subject: axonram: Fix gendisk handling
+
+From: Jan Kara <jack@suse.cz>
+
+
+[ Upstream commit 672a2c87c83649fb0167202342ce85af9a3b4f1c ]
+
+It is invalid to call del_gendisk() when disk->queue is NULL. Fix error
+handling in axon_ram_probe() to avoid doing that.
+
+Also del_gendisk() does not drop a reference to gendisk allocated by
+alloc_disk(). That has to be done by put_disk(). Add that call where
+needed.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/sysdev/axonram.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/sysdev/axonram.c
++++ b/arch/powerpc/sysdev/axonram.c
+@@ -276,7 +276,9 @@ failed:
+ if (bank->disk->major > 0)
+ unregister_blkdev(bank->disk->major,
+ bank->disk->disk_name);
+- del_gendisk(bank->disk);
++ if (bank->disk->flags & GENHD_FL_UP)
++ del_gendisk(bank->disk);
++ put_disk(bank->disk);
+ }
+ device->dev.platform_data = NULL;
+ if (bank->io_addr != 0)
+@@ -301,6 +303,7 @@ axon_ram_remove(struct platform_device *
+ device_remove_file(&device->dev, &dev_attr_ecc);
+ free_irq(bank->irq_id, device);
+ del_gendisk(bank->disk);
++ put_disk(bank->disk);
+ iounmap((void __iomem *) bank->io_addr);
+ kfree(bank);
+
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Ming Lei <ming.lei@redhat.com>
+Date: Thu, 16 Nov 2017 08:08:44 +0800
+Subject: block: wake up all tasks blocked in get_request()
+
+From: Ming Lei <ming.lei@redhat.com>
+
+
+[ Upstream commit 34d9715ac1edd50285168dd8d80c972739a4f6a4 ]
+
+Once blk_set_queue_dying() is done in blk_cleanup_queue(), we call
+blk_freeze_queue() and wait for q->q_usage_counter becoming zero. But
+if there are tasks blocked in get_request(), q->q_usage_counter can
+never become zero. So we have to wake up all these tasks in
+blk_set_queue_dying() first.
+
+Fixes: 3ef28e83ab157997 ("block: generic request_queue reference counting")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -526,8 +526,8 @@ void blk_set_queue_dying(struct request_
+
+ blk_queue_for_each_rl(rl, q) {
+ if (rl->rq_pool) {
+- wake_up(&rl->wait[BLK_RW_SYNC]);
+- wake_up(&rl->wait[BLK_RW_ASYNC]);
++ wake_up_all(&rl->wait[BLK_RW_SYNC]);
++ wake_up_all(&rl->wait[BLK_RW_ASYNC]);
+ }
+ }
+ }
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Fri, 3 Mar 2017 17:08:32 +0100
+Subject: bnx2x: do not rollback VF MAC/VLAN filters we did not configure
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+
+[ Upstream commit 78d5505432436516456c12abbe705ec8dee7ee2b ]
+
+On failure to configure a VF MAC/VLAN filter we should not attempt to
+rollback filters that we failed to configure with -EEXIST.
+
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c | 8 +++++++-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h | 1 +
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c
+@@ -434,7 +434,9 @@ static int bnx2x_vf_mac_vlan_config(stru
+
+ /* Add/Remove the filter */
+ rc = bnx2x_config_vlan_mac(bp, &ramrod);
+- if (rc && rc != -EEXIST) {
++ if (rc == -EEXIST)
++ return 0;
++ if (rc) {
+ BNX2X_ERR("Failed to %s %s\n",
+ filter->add ? "add" : "delete",
+ (filter->type == BNX2X_VF_FILTER_VLAN_MAC) ?
+@@ -444,6 +446,8 @@ static int bnx2x_vf_mac_vlan_config(stru
+ return rc;
+ }
+
++ filter->applied = true;
++
+ return 0;
+ }
+
+@@ -471,6 +475,8 @@ int bnx2x_vf_mac_vlan_config_list(struct
+ BNX2X_ERR("Managed only %d/%d filters - rolling back\n",
+ i, filters->count + 1);
+ while (--i >= 0) {
++ if (!filters->filters[i].applied)
++ continue;
+ filters->filters[i].add = !filters->filters[i].add;
+ bnx2x_vf_mac_vlan_config(bp, vf, qid,
+ &filters->filters[i],
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h
+@@ -114,6 +114,7 @@ struct bnx2x_vf_mac_vlan_filter {
+ (BNX2X_VF_FILTER_MAC | BNX2X_VF_FILTER_VLAN) /*shortcut*/
+
+ bool add;
++ bool applied;
+ u8 *mac;
+ u16 vid;
+ };
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Fri, 3 Mar 2017 17:08:30 +0100
+Subject: bnx2x: fix possible overrun of VFPF multicast addresses array
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+
+[ Upstream commit 22118d861cec5da6ed525aaf12a3de9bfeffc58f ]
+
+It is too late to check for the limit of the number of VF multicast
+addresses after they have already been copied to the req->multicast[]
+array, possibly overflowing it.
+
+Do the check before copying.
+
+Also fix the error path to not skip unlocking vf2pf_mutex.
+
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c
+@@ -868,7 +868,7 @@ int bnx2x_vfpf_set_mcast(struct net_devi
+ struct bnx2x *bp = netdev_priv(dev);
+ struct vfpf_set_q_filters_tlv *req = &bp->vf2pf_mbox->req.set_q_filters;
+ struct pfvf_general_resp_tlv *resp = &bp->vf2pf_mbox->resp.general_resp;
+- int rc, i = 0;
++ int rc = 0, i = 0;
+ struct netdev_hw_addr *ha;
+
+ if (bp->state != BNX2X_STATE_OPEN) {
+@@ -883,6 +883,15 @@ int bnx2x_vfpf_set_mcast(struct net_devi
+ /* Get Rx mode requested */
+ DP(NETIF_MSG_IFUP, "dev->flags = %x\n", dev->flags);
+
++ /* We support PFVF_MAX_MULTICAST_PER_VF mcast addresses tops */
++ if (netdev_mc_count(dev) > PFVF_MAX_MULTICAST_PER_VF) {
++ DP(NETIF_MSG_IFUP,
++ "VF supports not more than %d multicast MAC addresses\n",
++ PFVF_MAX_MULTICAST_PER_VF);
++ rc = -EINVAL;
++ goto out;
++ }
++
+ netdev_for_each_mc_addr(ha, dev) {
+ DP(NETIF_MSG_IFUP, "Adding mcast MAC: %pM\n",
+ bnx2x_mc_addr(ha));
+@@ -890,16 +899,6 @@ int bnx2x_vfpf_set_mcast(struct net_devi
+ i++;
+ }
+
+- /* We support four PFVF_MAX_MULTICAST_PER_VF mcast
+- * addresses tops
+- */
+- if (i >= PFVF_MAX_MULTICAST_PER_VF) {
+- DP(NETIF_MSG_IFUP,
+- "VF supports not more than %d multicast MAC addresses\n",
+- PFVF_MAX_MULTICAST_PER_VF);
+- return -EINVAL;
+- }
+-
+ req->n_multicast = i;
+ req->flags |= VFPF_SET_Q_FILTERS_MULTICAST_CHANGED;
+ req->vf_qid = 0;
+@@ -924,7 +923,7 @@ int bnx2x_vfpf_set_mcast(struct net_devi
+ out:
+ bnx2x_vfpf_finalize(bp, &req->first_tlv);
+
+- return 0;
++ return rc;
+ }
+
+ /* request pf to add a vlan for the vf */
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Fri, 3 Mar 2017 17:08:28 +0100
+Subject: bnx2x: prevent crash when accessing PTP with interface down
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+
+[ Upstream commit 466e8bf10ac104d96e1ea813e8126e11cb72ea20 ]
+
+It is possible to crash the kernel by accessing a PTP device while its
+associated bnx2x interface is down. Before the interface is brought up,
+the timecounter is not initialized, so accessing it results in NULL
+dereference.
+
+Fix it by checking if the interface is up.
+
+Use -ENETDOWN as the error code when the interface is down.
+ -EFAULT in bnx2x_ptp_adjfreq() did not seem right.
+
+Tested using phc_ctl get/set/adj/freq commands.
+
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+@@ -13646,7 +13646,7 @@ static int bnx2x_ptp_adjfreq(struct ptp_
+ if (!netif_running(bp->dev)) {
+ DP(BNX2X_MSG_PTP,
+ "PTP adjfreq called while the interface is down\n");
+- return -EFAULT;
++ return -ENETDOWN;
+ }
+
+ if (ppb < 0) {
+@@ -13705,6 +13705,12 @@ static int bnx2x_ptp_adjtime(struct ptp_
+ {
+ struct bnx2x *bp = container_of(ptp, struct bnx2x, ptp_clock_info);
+
++ if (!netif_running(bp->dev)) {
++ DP(BNX2X_MSG_PTP,
++ "PTP adjtime called while the interface is down\n");
++ return -ENETDOWN;
++ }
++
+ DP(BNX2X_MSG_PTP, "PTP adjtime called, delta = %llx\n", delta);
+
+ timecounter_adjtime(&bp->timecounter, delta);
+@@ -13717,6 +13723,12 @@ static int bnx2x_ptp_gettime(struct ptp_
+ struct bnx2x *bp = container_of(ptp, struct bnx2x, ptp_clock_info);
+ u64 ns;
+
++ if (!netif_running(bp->dev)) {
++ DP(BNX2X_MSG_PTP,
++ "PTP gettime called while the interface is down\n");
++ return -ENETDOWN;
++ }
++
+ ns = timecounter_read(&bp->timecounter);
+
+ DP(BNX2X_MSG_PTP, "PTP gettime called, ns = %llu\n", ns);
+@@ -13732,6 +13744,12 @@ static int bnx2x_ptp_settime(struct ptp_
+ struct bnx2x *bp = container_of(ptp, struct bnx2x, ptp_clock_info);
+ u64 ns;
+
++ if (!netif_running(bp->dev)) {
++ DP(BNX2X_MSG_PTP,
++ "PTP settime called while the interface is down\n");
++ return -ENETDOWN;
++ }
++
+ ns = timespec64_to_ns(ts);
+
+ DP(BNX2X_MSG_PTP, "PTP settime called, ns = %llu\n", ns);
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Sun, 5 Mar 2017 19:14:07 +0200
+Subject: crypto: s5p-sss - Fix completing crypto request in IRQ handler
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+
+[ Upstream commit 07de4bc88ce6a4d898cad9aa4c99c1df7e87702d ]
+
+In a regular interrupt handler driver was finishing the crypt/decrypt
+request by calling complete on crypto request. This is disallowed since
+converting to skcipher in commit b286d8b1a690 ("crypto: skcipher - Add
+skcipher walk interface") and causes a warning:
+ WARNING: CPU: 0 PID: 0 at crypto/skcipher.c:430 skcipher_walk_first+0x13c/0x14c
+
+The interrupt is marked shared but in fact there are no other users
+sharing it. Thus the simplest solution seems to be to just use a
+threaded interrupt handler, after converting it to oneshot.
+
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/s5p-sss.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/s5p-sss.c
++++ b/drivers/crypto/s5p-sss.c
+@@ -664,8 +664,9 @@ static int s5p_aes_probe(struct platform
+ dev_warn(dev, "feed control interrupt is not available.\n");
+ goto err_irq;
+ }
+- err = devm_request_irq(dev, pdata->irq_fc, s5p_aes_interrupt,
+- IRQF_SHARED, pdev->name, pdev);
++ err = devm_request_threaded_irq(dev, pdata->irq_fc, NULL,
++ s5p_aes_interrupt, IRQF_ONESHOT,
++ pdev->name, pdev);
+ if (err < 0) {
+ dev_warn(dev, "feed control interrupt is not available.\n");
+ goto err_irq;
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Jim Qu <Jim.Qu@amd.com>
+Date: Wed, 1 Mar 2017 15:53:29 +0800
+Subject: drm/amd/amdgpu: fix console deadlock if late init failed
+
+From: Jim Qu <Jim.Qu@amd.com>
+
+
+[ Upstream commit c085bd5119d5d0bdf3ef591a5563566be7dedced ]
+
+Signed-off-by: Jim Qu <Jim.Qu@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -1760,8 +1760,11 @@ int amdgpu_resume_kms(struct drm_device
+ }
+
+ r = amdgpu_late_init(adev);
+- if (r)
++ if (r) {
++ if (fbcon)
++ console_unlock();
+ return r;
++ }
+
+ /* pin cursors */
+ list_for_each_entry(crtc, &dev->mode_config.crtc_list, head) {
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Fri, 17 Nov 2017 15:27:35 -0800
+Subject: dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+
+[ Upstream commit 1f3c790bd5989fcfec9e53ad8fa09f5b740c958f ]
+
+line-range is supposed to treat "1-" as "1-endoffile", so
+handle the special case by setting last_lineno to UINT_MAX.
+
+Fixes this error:
+
+ dynamic_debug:ddebug_parse_query: last-line:0 < 1st-line:1
+ dynamic_debug:ddebug_exec_query: query parse failed
+
+Link: http://lkml.kernel.org/r/10a6a101-e2be-209f-1f41-54637824788e@infradead.org
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Acked-by: Jason Baron <jbaron@akamai.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/dynamic_debug.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/lib/dynamic_debug.c
++++ b/lib/dynamic_debug.c
+@@ -353,6 +353,10 @@ static int ddebug_parse_query(char *word
+ if (parse_lineno(last, &query->last_lineno) < 0)
+ return -EINVAL;
+
++ /* special case for last lineno not specified */
++ if (query->last_lineno == 0)
++ query->last_lineno = UINT_MAX;
++
+ if (query->last_lineno < query->first_lineno) {
+ pr_err("last-line:%d < 1st-line:%d\n",
+ query->last_lineno,
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+Date: Wed, 28 Jun 2017 20:57:29 -0400
+Subject: EDAC, i5000, i5400: Fix definition of NRECMEMB register
+
+From: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+
+
+[ Upstream commit a8c8261425649da58bdf08221570e5335ad33a31 ]
+
+In the i5000 and i5400 drivers, the NRECMEMB register is defined as a
+16-bit value, which results in wrong shifts in the code, as reported by
+sparse.
+
+In the datasheets ([1], section 3.9.22.20 and [2], section 3.9.22.21),
+this register is a 32-bit register. A u32 value for the register fixes
+the wrong shifts warnings and matches the datasheet.
+
+Also fix the mask to access to the CAS bits [27:16] in the i5000 driver.
+
+[1]: https://www.intel.com/content/dam/doc/datasheet/5000p-5000v-5000z-chipset-memory-controller-hub-datasheet.pdf
+[2]: https://www.intel.se/content/dam/doc/datasheet/5400-chipset-memory-controller-hub-datasheet.pdf
+
+Signed-off-by: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20170629005729.8478-1-jeremy.lefaure@lse.epita.fr
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/i5000_edac.c | 6 +++---
+ drivers/edac/i5400_edac.c | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/edac/i5000_edac.c
++++ b/drivers/edac/i5000_edac.c
+@@ -227,7 +227,7 @@
+ #define NREC_RDWR(x) (((x)>>11) & 1)
+ #define NREC_RANK(x) (((x)>>8) & 0x7)
+ #define NRECMEMB 0xC0
+-#define NREC_CAS(x) (((x)>>16) & 0xFFFFFF)
++#define NREC_CAS(x) (((x)>>16) & 0xFFF)
+ #define NREC_RAS(x) ((x) & 0x7FFF)
+ #define NRECFGLOG 0xC4
+ #define NREEECFBDA 0xC8
+@@ -371,7 +371,7 @@ struct i5000_error_info {
+ /* These registers are input ONLY if there was a
+ * Non-Recoverable Error */
+ u16 nrecmema; /* Non-Recoverable Mem log A */
+- u16 nrecmemb; /* Non-Recoverable Mem log B */
++ u32 nrecmemb; /* Non-Recoverable Mem log B */
+
+ };
+
+@@ -407,7 +407,7 @@ static void i5000_get_error_info(struct
+ NERR_FAT_FBD, &info->nerr_fat_fbd);
+ pci_read_config_word(pvt->branchmap_werrors,
+ NRECMEMA, &info->nrecmema);
+- pci_read_config_word(pvt->branchmap_werrors,
++ pci_read_config_dword(pvt->branchmap_werrors,
+ NRECMEMB, &info->nrecmemb);
+
+ /* Clear the error bits, by writing them back */
+--- a/drivers/edac/i5400_edac.c
++++ b/drivers/edac/i5400_edac.c
+@@ -368,7 +368,7 @@ struct i5400_error_info {
+
+ /* These registers are input ONLY if there was a Non-Rec Error */
+ u16 nrecmema; /* Non-Recoverable Mem log A */
+- u16 nrecmemb; /* Non-Recoverable Mem log B */
++ u32 nrecmemb; /* Non-Recoverable Mem log B */
+
+ };
+
+@@ -458,7 +458,7 @@ static void i5400_get_error_info(struct
+ NERR_FAT_FBD, &info->nerr_fat_fbd);
+ pci_read_config_word(pvt->branchmap_werrors,
+ NRECMEMA, &info->nrecmema);
+- pci_read_config_word(pvt->branchmap_werrors,
++ pci_read_config_dword(pvt->branchmap_werrors,
+ NRECMEMB, &info->nrecmemb);
+
+ /* Clear the error bits, by writing them back */
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+Date: Wed, 8 Mar 2017 20:18:09 -0500
+Subject: EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro
+
+From: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+
+
+[ Upstream commit e61555c29c28a4a3b6ba6207f4a0883ee236004d ]
+
+The MTR_DRAM_WIDTH macro returns the data width. It is sometimes used
+as if it returned a boolean true if the width if 8. Fix the tests where
+MTR_DRAM_WIDTH is misused.
+
+Signed-off-by: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20170309011809.8340-1-jeremy.lefaure@lse.epita.fr
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/i5000_edac.c | 2 +-
+ drivers/edac/i5400_edac.c | 5 +++--
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/edac/i5000_edac.c
++++ b/drivers/edac/i5000_edac.c
+@@ -1293,7 +1293,7 @@ static int i5000_init_csrows(struct mem_
+ dimm->mtype = MEM_FB_DDR2;
+
+ /* ask what device type on this row */
+- if (MTR_DRAM_WIDTH(mtr))
++ if (MTR_DRAM_WIDTH(mtr) == 8)
+ dimm->dtype = DEV_X8;
+ else
+ dimm->dtype = DEV_X4;
+--- a/drivers/edac/i5400_edac.c
++++ b/drivers/edac/i5400_edac.c
+@@ -1207,13 +1207,14 @@ static int i5400_init_dimms(struct mem_c
+
+ dimm->nr_pages = size_mb << 8;
+ dimm->grain = 8;
+- dimm->dtype = MTR_DRAM_WIDTH(mtr) ? DEV_X8 : DEV_X4;
++ dimm->dtype = MTR_DRAM_WIDTH(mtr) == 8 ?
++ DEV_X8 : DEV_X4;
+ dimm->mtype = MEM_FB_DDR2;
+ /*
+ * The eccc mechanism is SDDC (aka SECC), with
+ * is similar to Chipkill.
+ */
+- dimm->edac_mode = MTR_DRAM_WIDTH(mtr) ?
++ dimm->edac_mode = MTR_DRAM_WIDTH(mtr) == 8 ?
+ EDAC_S8ECD8ED : EDAC_S4ECD4ED;
+ ndimms++;
+ }
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Phil Reid <preid@electromag.com.au>
+Date: Mon, 20 Feb 2017 09:41:45 +0800
+Subject: gpio: altera: Use handle_level_irq when configured as a level_high
+
+From: Phil Reid <preid@electromag.com.au>
+
+
+[ Upstream commit f759921cfbf4847319d197a6ed7c9534d593f8bc ]
+
+When a threaded irq handler is chained attached to one of the gpio
+pins when configure for level irq the altera_gpio_irq_leveL_high_handler
+does not mask the interrupt while being handled by the chained irq.
+This resulting in the threaded irq not getting enough cycles to complete
+quickly enough before the irq was disabled as faulty. handle_level_irq
+should be used in this situation instead of handle_simple_irq.
+
+In gpiochip_irqchip_add set default handler to handle_bad_irq as
+per Documentation/gpio/driver.txt. Then set the correct handler in
+the set_type callback.
+
+Signed-off-by: Phil Reid <preid@electromag.com.au>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-altera.c | 26 +++++++++++---------------
+ 1 file changed, 11 insertions(+), 15 deletions(-)
+
+--- a/drivers/gpio/gpio-altera.c
++++ b/drivers/gpio/gpio-altera.c
+@@ -94,21 +94,18 @@ static int altera_gpio_irq_set_type(stru
+
+ altera_gc = to_altera(irq_data_get_irq_chip_data(d));
+
+- if (type == IRQ_TYPE_NONE)
++ if (type == IRQ_TYPE_NONE) {
++ irq_set_handler_locked(d, handle_bad_irq);
+ return 0;
+- if (type == IRQ_TYPE_LEVEL_HIGH &&
+- altera_gc->interrupt_trigger == IRQ_TYPE_LEVEL_HIGH)
+- return 0;
+- if (type == IRQ_TYPE_EDGE_RISING &&
+- altera_gc->interrupt_trigger == IRQ_TYPE_EDGE_RISING)
+- return 0;
+- if (type == IRQ_TYPE_EDGE_FALLING &&
+- altera_gc->interrupt_trigger == IRQ_TYPE_EDGE_FALLING)
+- return 0;
+- if (type == IRQ_TYPE_EDGE_BOTH &&
+- altera_gc->interrupt_trigger == IRQ_TYPE_EDGE_BOTH)
++ }
++ if (type == altera_gc->interrupt_trigger) {
++ if (type == IRQ_TYPE_LEVEL_HIGH)
++ irq_set_handler_locked(d, handle_level_irq);
++ else
++ irq_set_handler_locked(d, handle_simple_irq);
+ return 0;
+-
++ }
++ irq_set_handler_locked(d, handle_bad_irq);
+ return -EINVAL;
+ }
+
+@@ -234,7 +231,6 @@ static void altera_gpio_irq_edge_handler
+ chained_irq_exit(chip, desc);
+ }
+
+-
+ static void altera_gpio_irq_leveL_high_handler(struct irq_desc *desc)
+ {
+ struct altera_gpio_chip *altera_gc;
+@@ -314,7 +310,7 @@ static int altera_gpio_probe(struct plat
+ altera_gc->interrupt_trigger = reg;
+
+ ret = gpiochip_irqchip_add(&altera_gc->mmchip.gc, &altera_irq_chip, 0,
+- handle_simple_irq, IRQ_TYPE_NONE);
++ handle_bad_irq, IRQ_TYPE_NONE);
+
+ if (ret) {
+ dev_info(&pdev->dev, "could not add irqchip\n");
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Daniel Drake <drake@endlessm.com>
+Date: Fri, 17 Feb 2017 07:40:52 -0600
+Subject: HID: chicony: Add support for another ASUS Zen AiO keyboard
+
+From: Daniel Drake <drake@endlessm.com>
+
+
+[ Upstream commit f2f10b7e722a75c6d75a7f7cd06b0eee3ae20f7c ]
+
+Add support for media keys on the keyboard that comes with the
+Asus V221ID and ZN241IC All In One computers.
+
+The keys to support here are WLAN, BRIGHTNESSDOWN and BRIGHTNESSUP.
+
+This device is not visibly branded as Chicony, and the USB Vendor ID
+suggests that it is a JESS device. However this seems like the right place
+to put it: the usage codes are identical to the currently supported
+devices, and this driver already supports the ASUS AIO keyboard AK1D.
+
+Signed-off-by: Daniel Drake <drake@endlessm.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/Kconfig | 4 ++--
+ drivers/hid/hid-chicony.c | 1 +
+ drivers/hid/hid-core.c | 1 +
+ drivers/hid/hid-ids.h | 1 +
+ 4 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/Kconfig
++++ b/drivers/hid/Kconfig
+@@ -165,11 +165,11 @@ config HID_CHERRY
+ Support for Cherry Cymotion keyboard.
+
+ config HID_CHICONY
+- tristate "Chicony Tactical pad"
++ tristate "Chicony devices"
+ depends on HID
+ default !EXPERT
+ ---help---
+- Support for Chicony Tactical pad.
++ Support for Chicony Tactical pad and special keys on Chicony keyboards.
+
+ config HID_CORSAIR
+ tristate "Corsair devices"
+--- a/drivers/hid/hid-chicony.c
++++ b/drivers/hid/hid-chicony.c
+@@ -86,6 +86,7 @@ static const struct hid_device_id ch_dev
+ { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_WIRELESS2) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_AK1D) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_ACER_SWITCH12) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_JESS, USB_DEVICE_ID_JESS_ZEN_AIO_KBD) },
+ { }
+ };
+ MODULE_DEVICE_TABLE(hid, ch_devices);
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1867,6 +1867,7 @@ static const struct hid_device_id hid_ha
+ { HID_USB_DEVICE(USB_VENDOR_ID_HOLTEK_ALT, USB_DEVICE_ID_HOLTEK_ALT_MOUSE_A081) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_HOLTEK_ALT, USB_DEVICE_ID_HOLTEK_ALT_MOUSE_A0C2) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_HUION, USB_DEVICE_ID_HUION_TABLET) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_JESS, USB_DEVICE_ID_JESS_ZEN_AIO_KBD) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_JESS2, USB_DEVICE_ID_JESS2_COLOR_RUMBLE_PAD) },
+ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ION, USB_DEVICE_ID_ICADE) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_KENSINGTON, USB_DEVICE_ID_KS_SLIMBLADE) },
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -523,6 +523,7 @@
+
+ #define USB_VENDOR_ID_JESS 0x0c45
+ #define USB_DEVICE_ID_JESS_YUREX 0x1010
++#define USB_DEVICE_ID_JESS_ZEN_AIO_KBD 0x5112
+
+ #define USB_VENDOR_ID_JESS2 0x0f30
+ #define USB_DEVICE_ID_JESS2_COLOR_RUMBLE_PAD 0x0111
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Chris Brandt <chris.brandt@renesas.com>
+Date: Mon, 6 Mar 2017 15:20:51 -0500
+Subject: i2c: riic: fix restart condition
+
+From: Chris Brandt <chris.brandt@renesas.com>
+
+
+[ Upstream commit 2501c1bb054290679baad0ff7f4f07c714251f4c ]
+
+While modifying the driver to use the STOP interrupt, the completion of the
+intermediate transfers need to wake the driver back up in order to initiate
+the next transfer (restart condition). Otherwise you get never ending
+interrupts and only the first transfer sent.
+
+Fixes: 71ccea095ea1 ("i2c: riic: correctly finish transfers")
+Reported-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
+Tested-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-riic.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-riic.c
++++ b/drivers/i2c/busses/i2c-riic.c
+@@ -218,8 +218,12 @@ static irqreturn_t riic_tend_isr(int irq
+ }
+
+ if (riic->is_last || riic->err) {
+- riic_clear_set_bit(riic, 0, ICIER_SPIE, RIIC_ICIER);
++ riic_clear_set_bit(riic, ICIER_TEIE, ICIER_SPIE, RIIC_ICIER);
+ writeb(ICCR2_SP, riic->base + RIIC_ICCR2);
++ } else {
++ /* Transfer is complete, but do not send STOP */
++ riic_clear_set_bit(riic, ICIER_TEIE, 0, RIIC_ICIER);
++ complete(&riic->msg_done);
+ }
+
+ return IRQ_HANDLED;
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Mark Bloch <markb@mellanox.com>
+Date: Thu, 2 Nov 2017 15:22:26 +0200
+Subject: IB/mlx4: Increase maximal message size under UD QP
+
+From: Mark Bloch <markb@mellanox.com>
+
+
+[ Upstream commit 5f22a1d87c5315a98981ecf93cd8de226cffe6ca ]
+
+Maximal message should be used as a limit to the max message payload allowed,
+without the headers. The ConnectX-3 check is done against this value includes
+the headers. When the payload is 4K this will cause the NIC to drop packets.
+
+Increase maximal message to 8K as workaround, this shouldn't change current
+behaviour because we continue to set the MTU to 4k.
+
+To reproduce;
+set MTU to 4296 on the corresponding interface, for example:
+ifconfig eth0 mtu 4296 (both server and client)
+
+On server:
+ib_send_bw -c UD -d mlx4_0 -s 4096 -n 1000000 -i1 -m 4096
+
+On client:
+ib_send_bw -d mlx4_0 -c UD <server_ip> -s 4096 -n 1000000 -i 1 -m 4096
+
+Fixes: 6e0d733d9215 ("IB/mlx4: Allow 4K messages for UD QPs")
+Signed-off-by: Mark Bloch <markb@mellanox.com>
+Reviewed-by: Majd Dibbiny <majd@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx4/qp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -1564,7 +1564,7 @@ static int __mlx4_ib_modify_qp(struct ib
+ context->mtu_msgmax = (IB_MTU_4096 << 5) |
+ ilog2(dev->dev->caps.max_gso_sz);
+ else
+- context->mtu_msgmax = (IB_MTU_4096 << 5) | 12;
++ context->mtu_msgmax = (IB_MTU_4096 << 5) | 13;
+ } else if (attr_mask & IB_QP_PATH_MTU) {
+ if (attr->path_mtu < IB_MTU_256 || attr->path_mtu > IB_MTU_4096) {
+ pr_err("path MTU (%u) is invalid\n",
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Majd Dibbiny <majd@mellanox.com>
+Date: Mon, 30 Oct 2017 14:23:13 +0200
+Subject: IB/mlx5: Assign send CQ and recv CQ of UMR QP
+
+From: Majd Dibbiny <majd@mellanox.com>
+
+
+[ Upstream commit 31fde034a8bd964a5c7c1a5663fc87a913158db2 ]
+
+The UMR's QP is created by calling mlx5_ib_create_qp directly, and
+therefore the send CQ and the recv CQ on the ibqp weren't assigned.
+
+Assign them right after calling the mlx5_ib_create_qp to assure
+that any access to those pointers will work as expected and won't
+crash the system as might happen as part of reset flow.
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Majd Dibbiny <majd@mellanox.com>
+Reviewed-by: Yishai Hadas <yishaih@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -1123,6 +1123,8 @@ static int create_umr_res(struct mlx5_ib
+ qp->real_qp = qp;
+ qp->uobject = NULL;
+ qp->qp_type = MLX5_IB_QPT_REG_UMR;
++ qp->send_cq = init_attr->send_cq;
++ qp->recv_cq = init_attr->recv_cq;
+
+ attr->qp_state = IB_QPS_INIT;
+ attr->port_num = 1;
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Sun, 5 Mar 2017 12:34:53 -0800
+Subject: ipv6: reorder icmpv6_init() and ip6_mr_init()
+
+From: WANG Cong <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit 15e668070a64bb97f102ad9cf3bccbca0545cda8 ]
+
+Andrey reported the following kernel crash:
+
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 0 PID: 14446 Comm: syz-executor6 Not tainted 4.10.0+ #82
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+task: ffff88001f311700 task.stack: ffff88001f6e8000
+RIP: 0010:ip6mr_sk_done+0x15a/0x3d0 net/ipv6/ip6mr.c:1618
+RSP: 0018:ffff88001f6ef418 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: 1ffff10003edde8c RCX: ffffc900043ee000
+RDX: 0000000000000004 RSI: ffffffff83e3b3f8 RDI: 0000000000000020
+RBP: ffff88001f6ef508 R08: fffffbfff0dcc5d8 R09: 0000000000000000
+R10: ffffffff86e62ec0 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: ffff88001f6ef4e0 R15: ffff8800380a0040
+FS: 00007f7a52cec700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000000061c500 CR3: 000000001f1ae000 CR4: 00000000000006f0
+DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
+Call Trace:
+ rawv6_close+0x4c/0x80 net/ipv6/raw.c:1217
+ inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
+ inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432
+ sock_release+0x8d/0x1e0 net/socket.c:597
+ __sock_create+0x39d/0x880 net/socket.c:1226
+ sock_create_kern+0x3f/0x50 net/socket.c:1243
+ inet_ctl_sock_create+0xbb/0x280 net/ipv4/af_inet.c:1526
+ icmpv6_sk_init+0x163/0x500 net/ipv6/icmp.c:954
+ ops_init+0x10a/0x550 net/core/net_namespace.c:115
+ setup_net+0x261/0x660 net/core/net_namespace.c:291
+ copy_net_ns+0x27e/0x540 net/core/net_namespace.c:396
+9pnet_virtio: no channels available for device ./file1
+ create_new_namespaces+0x437/0x9b0 kernel/nsproxy.c:106
+ unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
+ SYSC_unshare kernel/fork.c:2281 [inline]
+ SyS_unshare+0x64e/0x1000 kernel/fork.c:2231
+ entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+This is because net->ipv6.mr6_tables is not initialized at that point,
+ip6mr_rules_init() is not called yet, therefore on the error path when
+we iterator the list, we trigger this oops. Fix this by reordering
+ip6mr_rules_init() before icmpv6_sk_init().
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/af_inet6.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -893,12 +893,12 @@ static int __init inet6_init(void)
+ err = register_pernet_subsys(&inet6_net_ops);
+ if (err)
+ goto register_pernet_fail;
+- err = icmpv6_init();
+- if (err)
+- goto icmp_fail;
+ err = ip6_mr_init();
+ if (err)
+ goto ipmr_fail;
++ err = icmpv6_init();
++ if (err)
++ goto icmp_fail;
+ err = ndisc_init();
+ if (err)
+ goto ndisc_fail;
+@@ -1016,10 +1016,10 @@ igmp_fail:
+ ndisc_cleanup();
+ ndisc_fail:
+ ip6_mr_cleanup();
+-ipmr_fail:
+- icmpv6_cleanup();
+ icmp_fail:
+ unregister_pernet_subsys(&inet6_net_ops);
++ipmr_fail:
++ icmpv6_cleanup();
+ register_pernet_fail:
+ sock_unregister(PF_INET6);
+ rtnl_unregister_all(PF_INET6);
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Keefe Liu <liuqifa@huawei.com>
+Date: Thu, 9 Nov 2017 20:09:31 +0800
+Subject: ipvlan: fix ipv6 outbound device
+
+From: Keefe Liu <liuqifa@huawei.com>
+
+
+[ Upstream commit ca29fd7cce5a6444d57fb86517589a1a31c759e1 ]
+
+When process the outbound packet of ipv6, we should assign the master
+device to output device other than input device.
+
+Signed-off-by: Keefe Liu <liuqifa@huawei.com>
+Acked-by: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipvlan/ipvlan_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -388,7 +388,7 @@ static int ipvlan_process_v6_outbound(st
+ struct dst_entry *dst;
+ int err, ret = NET_XMIT_DROP;
+ struct flowi6 fl6 = {
+- .flowi6_iif = dev->ifindex,
++ .flowi6_oif = dev->ifindex,
+ .daddr = ip6h->daddr,
+ .saddr = ip6h->saddr,
+ .flowi6_flags = FLOWI_FLAG_ANYSRC,
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Franck Demathieu <fdemathieu@gmail.com>
+Date: Mon, 6 Mar 2017 14:41:06 +0100
+Subject: irqchip/crossbar: Fix incorrect type of register size
+
+From: Franck Demathieu <fdemathieu@gmail.com>
+
+
+[ Upstream commit 4b9de5da7e120c7f02395da729f0ec77ce7a6044 ]
+
+The 'size' variable is unsigned according to the dt-bindings.
+As this variable is used as integer in other places, create a new variable
+that allows to fix the following sparse issue (-Wtypesign):
+
+ drivers/irqchip/irq-crossbar.c:279:52: warning: incorrect type in argument 3 (different signedness)
+ drivers/irqchip/irq-crossbar.c:279:52: expected unsigned int [usertype] *out_value
+ drivers/irqchip/irq-crossbar.c:279:52: got int *<noident>
+
+Signed-off-by: Franck Demathieu <fdemathieu@gmail.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-crossbar.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/irqchip/irq-crossbar.c
++++ b/drivers/irqchip/irq-crossbar.c
+@@ -199,7 +199,7 @@ static const struct irq_domain_ops cross
+ static int __init crossbar_of_init(struct device_node *node)
+ {
+ int i, size, reserved = 0;
+- u32 max = 0, entry;
++ u32 max = 0, entry, reg_size;
+ const __be32 *irqsr;
+ int ret = -ENOMEM;
+
+@@ -276,9 +276,9 @@ static int __init crossbar_of_init(struc
+ if (!cb->register_offsets)
+ goto err_irq_map;
+
+- of_property_read_u32(node, "ti,reg-size", &size);
++ of_property_read_u32(node, "ti,reg-size", ®_size);
+
+- switch (size) {
++ switch (reg_size) {
+ case 1:
+ cb->write = crossbar_writeb;
+ break;
+@@ -304,7 +304,7 @@ static int __init crossbar_of_init(struc
+ continue;
+
+ cb->register_offsets[i] = reserved;
+- reserved += size;
++ reserved += reg_size;
+ }
+
+ of_property_read_u32(node, "ti,irqs-safe-map", &cb->safe_map);
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Jason Baron <jbaron@akamai.com>
+Date: Mon, 13 Nov 2017 16:48:47 -0500
+Subject: jump_label: Invoke jump_label_test() via early_initcall()
+
+From: Jason Baron <jbaron@akamai.com>
+
+
+[ Upstream commit 92ee46efeb505ead3ab06d3c5ce695637ed5f152 ]
+
+Fengguang Wu reported that running the rcuperf test during boot can cause
+the jump_label_test() to hit a WARN_ON(). The issue is that the core jump
+label code relies on kernel_text_address() to detect when it can no longer
+update branches that may be contained in __init sections. The
+kernel_text_address() in turn assumes that if the system_state variable is
+greter than or equal to SYSTEM_RUNNING then __init sections are no longer
+valid (since the assumption is that they have been freed). However, when
+rcuperf is setup to run in early boot it can call kernel_power_off() which
+sets the system_state to SYSTEM_POWER_OFF.
+
+Since rcuperf initialization is invoked via a module_init(), we can make
+the dependency of jump_label_test() needing to complete before rcuperf
+explicit by calling it via early_initcall().
+
+Reported-by: Fengguang Wu <fengguang.wu@intel.com>
+Signed-off-by: Jason Baron <jbaron@akamai.com>
+Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/1510609727-2238-1-git-send-email-jbaron@akamai.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/jump_label.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/jump_label.c
++++ b/kernel/jump_label.c
+@@ -553,7 +553,7 @@ static __init int jump_label_test(void)
+
+ return 0;
+ }
+-late_initcall(jump_label_test);
++early_initcall(jump_label_test);
+ #endif /* STATIC_KEYS_SELFTEST */
+
+ #endif /* HAVE_JUMP_LABEL */
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Wed, 15 Nov 2017 18:17:07 +0900
+Subject: kbuild: pkg: use --transform option to prefix paths in tar
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+
+[ Upstream commit 2dbc644ac62bbcb9ee78e84719953f611be0413d ]
+
+For rpm-pkg and deb-pkg, a source tar file is created. All paths in
+the archive must be prefixed with the base name of the tar so that
+everything is contained in the directory when you extract it.
+
+Currently, scripts/package/Makefile uses a symlink for that, and
+removes it after the tar is created.
+
+If you terminate the build during the tar creation, the symlink is
+left over. Then, at the next package build, you will see a warning
+like follows:
+
+ ln: '.' and 'kernel-4.14.0+/.' are the same file
+
+It is possible to fix it by adding -n (--no-dereference) option to
+the "ln" command, but a cleaner way is to use --transform option
+of "tar" command. This option is GNU extension, but it should not
+hurt to use it in the Linux build system.
+
+The 'S' flag is needed to exclude symlinks from the path fixup.
+Without it, symlinks in the kernel are broken.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/package/Makefile | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/scripts/package/Makefile
++++ b/scripts/package/Makefile
+@@ -39,10 +39,9 @@ if test "$(objtree)" != "$(srctree)"; th
+ false; \
+ fi ; \
+ $(srctree)/scripts/setlocalversion --save-scmversion; \
+-ln -sf $(srctree) $(2); \
+ tar -cz $(RCS_TAR_IGNORE) -f $(2).tar.gz \
+- $(addprefix $(2)/,$(TAR_CONTENT) $(3)); \
+-rm -f $(2) $(objtree)/.scmversion
++ --transform 's:^:$(2)/:S' $(TAR_CONTENT) $(3); \
++rm -f $(objtree)/.scmversion
+
+ # rpm-pkg
+ # ---------------------------------------------------------------------------
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Mon, 6 Mar 2017 04:03:28 -0800
+Subject: KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+
+[ Upstream commit 2f707d97982286b307ef2a9b034e19aabc1abb56 ]
+
+Reported by syzkaller:
+
+ WARNING: CPU: 1 PID: 27742 at arch/x86/kvm/vmx.c:11029
+ nested_vmx_vmexit+0x5c35/0x74d0 arch/x86/kvm/vmx.c:11029
+ CPU: 1 PID: 27742 Comm: a.out Not tainted 4.10.0+ #229
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:15 [inline]
+ dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
+ panic+0x1fb/0x412 kernel/panic.c:179
+ __warn+0x1c4/0x1e0 kernel/panic.c:540
+ warn_slowpath_null+0x2c/0x40 kernel/panic.c:583
+ nested_vmx_vmexit+0x5c35/0x74d0 arch/x86/kvm/vmx.c:11029
+ vmx_leave_nested arch/x86/kvm/vmx.c:11136 [inline]
+ vmx_set_msr+0x1565/0x1910 arch/x86/kvm/vmx.c:3324
+ kvm_set_msr+0xd4/0x170 arch/x86/kvm/x86.c:1099
+ do_set_msr+0x11e/0x190 arch/x86/kvm/x86.c:1128
+ __msr_io arch/x86/kvm/x86.c:2577 [inline]
+ msr_io+0x24b/0x450 arch/x86/kvm/x86.c:2614
+ kvm_arch_vcpu_ioctl+0x35b/0x46a0 arch/x86/kvm/x86.c:3497
+ kvm_vcpu_ioctl+0x232/0x1120 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2721
+ vfs_ioctl fs/ioctl.c:43 [inline]
+ do_vfs_ioctl+0x1bf/0x1790 fs/ioctl.c:683
+ SYSC_ioctl fs/ioctl.c:698 [inline]
+ SyS_ioctl+0x8f/0xc0 fs/ioctl.c:689
+ entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+The syzkaller folks reported a nested_run_pending warning during userspace
+clear VMX capability which is exposed to L1 before.
+
+The warning gets thrown while doing
+
+(*(uint32_t*)0x20aecfe8 = (uint32_t)0x1);
+(*(uint32_t*)0x20aecfec = (uint32_t)0x0);
+(*(uint32_t*)0x20aecff0 = (uint32_t)0x3a);
+(*(uint32_t*)0x20aecff4 = (uint32_t)0x0);
+(*(uint64_t*)0x20aecff8 = (uint64_t)0x0);
+r[29] = syscall(__NR_ioctl, r[4], 0x4008ae89ul,
+ 0x20aecfe8ul, 0, 0, 0, 0, 0, 0);
+
+i.e. KVM_SET_MSR ioctl with
+
+struct kvm_msrs {
+ .nmsrs = 1,
+ .pad = 0,
+ .entries = {
+ {.index = MSR_IA32_FEATURE_CONTROL,
+ .reserved = 0,
+ .data = 0}
+ }
+}
+
+The VMLANCH/VMRESUME emulation should be stopped since the CPU is going to
+reset here. This patch resets the nested_run_pending since the CPU is going
+to be reset hence there should be nothing pending.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Suggested-by: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: David Hildenbrand <david@redhat.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -10555,8 +10555,10 @@ static void nested_vmx_vmexit(struct kvm
+ */
+ static void vmx_leave_nested(struct kvm_vcpu *vcpu)
+ {
+- if (is_guest_mode(vcpu))
++ if (is_guest_mode(vcpu)) {
++ to_vmx(vcpu)->nested.nested_run_pending = 0;
+ nested_vmx_vmexit(vcpu, -1, 0, 0);
++ }
+ free_nested(to_vmx(vcpu));
+ }
+
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Jim Mattson <jmattson@google.com>
+Date: Thu, 2 Mar 2017 12:41:48 -0800
+Subject: kvm: nVMX: VMCLEAR should not cause the vCPU to shut down
+
+From: Jim Mattson <jmattson@google.com>
+
+
+[ Upstream commit 587d7e72aedca91cee80c0a56811649c3efab765 ]
+
+VMCLEAR should silently ignore a failure to clear the launch state of
+the VMCS referenced by the operand.
+
+Signed-off-by: Jim Mattson <jmattson@google.com>
+[Changed "kvm_write_guest(vcpu->kvm" to "kvm_vcpu_write_guest(vcpu".]
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c | 22 ++++------------------
+ 1 file changed, 4 insertions(+), 18 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6924,9 +6924,8 @@ static int handle_vmoff(struct kvm_vcpu
+ static int handle_vmclear(struct kvm_vcpu *vcpu)
+ {
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
++ u32 zero = 0;
+ gpa_t vmptr;
+- struct vmcs12 *vmcs12;
+- struct page *page;
+
+ if (!nested_vmx_check_permission(vcpu))
+ return 1;
+@@ -6937,22 +6936,9 @@ static int handle_vmclear(struct kvm_vcp
+ if (vmptr == vmx->nested.current_vmptr)
+ nested_release_vmcs12(vmx);
+
+- page = nested_get_page(vcpu, vmptr);
+- if (page == NULL) {
+- /*
+- * For accurate processor emulation, VMCLEAR beyond available
+- * physical memory should do nothing at all. However, it is
+- * possible that a nested vmx bug, not a guest hypervisor bug,
+- * resulted in this case, so let's shut down before doing any
+- * more damage:
+- */
+- kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu);
+- return 1;
+- }
+- vmcs12 = kmap(page);
+- vmcs12->launch_state = 0;
+- kunmap(page);
+- nested_release_page(page);
++ kvm_vcpu_write_guest(vcpu,
++ vmptr + offsetof(struct vmcs12, launch_state),
++ &zero, sizeof(zero));
+
+ nested_free_vmcs02(vmx, vmptr);
+
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Stephen Bates <sbates@raithlin.com>
+Date: Fri, 17 Nov 2017 15:28:16 -0800
+Subject: lib/genalloc.c: make the avail variable an atomic_long_t
+
+From: Stephen Bates <sbates@raithlin.com>
+
+
+[ Upstream commit 36a3d1dd4e16bcd0d2ddfb4a2ec7092f0ae0d931 ]
+
+If the amount of resources allocated to a gen_pool exceeds 2^32 then the
+avail atomic overflows and this causes problems when clients try and
+borrow resources from the pool. This is only expected to be an issue on
+64 bit systems.
+
+Add the <linux/atomic.h> header to pull in atomic_long* operations. So
+that 32 bit systems continue to use atomic32_t but 64 bit systems can
+use atomic64_t.
+
+Link: http://lkml.kernel.org/r/1509033843-25667-1-git-send-email-sbates@raithlin.com
+Signed-off-by: Stephen Bates <sbates@raithlin.com>
+Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
+Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Reviewed-by: Daniel Mentz <danielmentz@google.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/genalloc.h | 3 ++-
+ lib/genalloc.c | 10 +++++-----
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+--- a/include/linux/genalloc.h
++++ b/include/linux/genalloc.h
+@@ -31,6 +31,7 @@
+ #define __GENALLOC_H__
+
+ #include <linux/spinlock_types.h>
++#include <linux/atomic.h>
+
+ struct device;
+ struct device_node;
+@@ -68,7 +69,7 @@ struct gen_pool {
+ */
+ struct gen_pool_chunk {
+ struct list_head next_chunk; /* next chunk in pool */
+- atomic_t avail;
++ atomic_long_t avail;
+ phys_addr_t phys_addr; /* physical starting address of memory chunk */
+ unsigned long start_addr; /* start address of memory chunk */
+ unsigned long end_addr; /* end address of memory chunk (inclusive) */
+--- a/lib/genalloc.c
++++ b/lib/genalloc.c
+@@ -194,7 +194,7 @@ int gen_pool_add_virt(struct gen_pool *p
+ chunk->phys_addr = phys;
+ chunk->start_addr = virt;
+ chunk->end_addr = virt + size - 1;
+- atomic_set(&chunk->avail, size);
++ atomic_long_set(&chunk->avail, size);
+
+ spin_lock(&pool->lock);
+ list_add_rcu(&chunk->next_chunk, &pool->chunks);
+@@ -285,7 +285,7 @@ unsigned long gen_pool_alloc(struct gen_
+ nbits = (size + (1UL << order) - 1) >> order;
+ rcu_read_lock();
+ list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk) {
+- if (size > atomic_read(&chunk->avail))
++ if (size > atomic_long_read(&chunk->avail))
+ continue;
+
+ start_bit = 0;
+@@ -305,7 +305,7 @@ retry:
+
+ addr = chunk->start_addr + ((unsigned long)start_bit << order);
+ size = nbits << order;
+- atomic_sub(size, &chunk->avail);
++ atomic_long_sub(size, &chunk->avail);
+ break;
+ }
+ rcu_read_unlock();
+@@ -371,7 +371,7 @@ void gen_pool_free(struct gen_pool *pool
+ remain = bitmap_clear_ll(chunk->bits, start_bit, nbits);
+ BUG_ON(remain);
+ size = nbits << order;
+- atomic_add(size, &chunk->avail);
++ atomic_long_add(size, &chunk->avail);
+ rcu_read_unlock();
+ return;
+ }
+@@ -445,7 +445,7 @@ size_t gen_pool_avail(struct gen_pool *p
+
+ rcu_read_lock();
+ list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk)
+- avail += atomic_read(&chunk->avail);
++ avail += atomic_long_read(&chunk->avail);
+ rcu_read_unlock();
+ return avail;
+ }
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Tejun Heo <tj@kernel.org>
+Date: Mon, 6 Mar 2017 15:26:54 -0500
+Subject: libata: drop WARN from protocol error in ata_sff_qc_issue()
+
+From: Tejun Heo <tj@kernel.org>
+
+
+[ Upstream commit 0580b762a4d6b70817476b90042813f8573283fa ]
+
+ata_sff_qc_issue() expects upper layers to never issue commands on a
+command protocol that it doesn't implement. While the assumption
+holds fine with the usual IO path, nothing filters based on the
+command protocol in the passthrough path (which was added later),
+allowing the warning to be tripped with a passthrough command with the
+right (well, wrong) protocol.
+
+Failing with AC_ERR_SYSTEM is the right thing to do anyway. Remove
+the unnecessary WARN.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Link: http://lkml.kernel.org/r/CACT4Y+bXkvevNZU8uP6X0QVqsj6wNoUA_1exfTSOzc+SmUtMOA@mail.gmail.com
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-sff.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/ata/libata-sff.c
++++ b/drivers/ata/libata-sff.c
+@@ -1480,7 +1480,6 @@ unsigned int ata_sff_qc_issue(struct ata
+ break;
+
+ default:
+- WARN_ON_ONCE(1);
+ return AC_ERR_SYSTEM;
+ }
+
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Fri, 10 Nov 2017 18:48:50 +0000
+Subject: mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()
+
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+
+
+[ Upstream commit 67bd52386125ce1159c0581cbcd2740addf33cd4 ]
+
+hwsim_new_radio_nl() now copies the name attribute in order to add a
+null-terminator. mac80211_hwsim_new_radio() (indirectly) copies it
+again into the net_device structure, so the first copy is not used or
+freed later. Free the first copy before returning.
+
+Fixes: ff4dd73dd2b4 ("mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length")
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -2885,6 +2885,7 @@ static int hwsim_new_radio_nl(struct sk_
+ {
+ struct hwsim_new_radio_params param = { 0 };
+ const char *hwname = NULL;
++ int ret;
+
+ param.reg_strict = info->attrs[HWSIM_ATTR_REG_STRICT_REG];
+ param.p2p_device = info->attrs[HWSIM_ATTR_SUPPORT_P2P_DEVICE];
+@@ -2924,7 +2925,9 @@ static int hwsim_new_radio_nl(struct sk_
+ param.regd = hwsim_world_regdom_custom[idx];
+ }
+
+- return mac80211_hwsim_new_radio(info, ¶m);
++ ret = mac80211_hwsim_new_radio(info, ¶m);
++ kfree(hwname);
++ return ret;
+ }
+
+ static int hwsim_del_radio_nl(struct sk_buff *msg, struct genl_info *info)
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: David Daney <david.daney@cavium.com>
+Date: Wed, 1 Mar 2017 14:04:53 -0800
+Subject: module: set __jump_table alignment to 8
+
+From: David Daney <david.daney@cavium.com>
+
+
+[ Upstream commit ab42632156becd35d3884ee5c14da2bedbf3149a ]
+
+For powerpc the __jump_table section in modules is not aligned, this
+causes a WARN_ON() splat when loading a module containing a __jump_table.
+
+Strict alignment became necessary with commit 3821fd35b58d
+("jump_label: Reduce the size of struct static_key"), currently in
+linux-next, which uses the two least significant bits of pointers to
+__jump_table elements.
+
+Fix by forcing __jump_table to 8, which is the same alignment used for
+this section in the kernel proper.
+
+Link: http://lkml.kernel.org/r/20170301220453.4756-1-david.daney@cavium.com
+
+Reviewed-by: Jason Baron <jbaron@akamai.com>
+Acked-by: Jessica Yu <jeyu@redhat.com>
+Acked-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
+Tested-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
+Signed-off-by: David Daney <david.daney@cavium.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/module-common.lds | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/scripts/module-common.lds
++++ b/scripts/module-common.lds
+@@ -19,4 +19,6 @@ SECTIONS {
+
+ . = ALIGN(8);
+ .init_array 0 : { *(SORT(.init_array.*)) *(.init_array) }
++
++ __jump_table 0 : ALIGN(8) { KEEP(*(__jump_table)) }
+ }
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 3 Mar 2017 21:44:00 +0100
+Subject: netfilter: don't track fragmented packets
+
+From: Florian Westphal <fw@strlen.de>
+
+
+[ Upstream commit 7b4fdf77a450ec0fdcb2f677b080ddbf2c186544 ]
+
+Andrey reports syzkaller splat caused by
+
+NF_CT_ASSERT(!ip_is_fragment(ip_hdr(skb)));
+
+in ipv4 nat. But this assertion (and the comment) are wrong, this function
+does see fragments when IP_NODEFRAG setsockopt is used.
+
+As conntrack doesn't track packets without complete l4 header, only the
+first fragment is tracked.
+
+Because applying nat to first packet but not the rest makes no sense this
+also turns off tracking of all fragments.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 4 ++++
+ net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 5 -----
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
++++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+@@ -158,6 +158,10 @@ static unsigned int ipv4_conntrack_local
+ if (skb->len < sizeof(struct iphdr) ||
+ ip_hdrlen(skb) < sizeof(struct iphdr))
+ return NF_ACCEPT;
++
++ if (ip_is_fragment(ip_hdr(skb))) /* IP_NODEFRAG setsockopt set */
++ return NF_ACCEPT;
++
+ return nf_conntrack_in(state->net, PF_INET, state->hook, skb);
+ }
+
+--- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
++++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
+@@ -268,11 +268,6 @@ nf_nat_ipv4_fn(void *priv, struct sk_buf
+ /* maniptype == SRC for postrouting. */
+ enum nf_nat_manip_type maniptype = HOOK2MANIP(state->hook);
+
+- /* We never see fragments: conntrack defrags on pre-routing
+- * and local-out, and nf_nat_out protects post-routing.
+- */
+- NF_CT_ASSERT(!ip_is_fragment(ip_hdr(skb)));
+-
+ ct = nf_ct_get(skb, &ctinfo);
+ /* Can't track? It's not due to stress, or conntrack would
+ * have dropped it. Hence it's the user's responsibilty to
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Mon, 6 Nov 2017 15:28:04 -0500
+Subject: NFS: Fix a typo in nfs_rename()
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+
+[ Upstream commit d803224c84be067754db7fa58a93f36f61566493 ]
+
+On successful rename, the "old_dentry" is retained and is attached to
+the "new_dir", so we need to call nfs_set_verifier() accordingly.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -2051,7 +2051,7 @@ out:
+ if (new_inode != NULL)
+ nfs_drop_nlink(new_inode);
+ d_move(old_dentry, new_dentry);
+- nfs_set_verifier(new_dentry,
++ nfs_set_verifier(old_dentry,
+ nfs_save_change_attribute(new_dir));
+ } else if (error == -ENOENT)
+ nfs_dentry_handle_enoent(old_dentry);
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Date: Wed, 22 Feb 2017 15:43:59 +1100
+Subject: powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested
+
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+
+
+[ Upstream commit 7aafac11e308d37ed3c509829bb43d80c1811ac3 ]
+
+The IODA2 specification says that a 64 DMA address cannot use top 4 bits
+(3 are reserved and one is a "TVE select"); bottom page_shift bits
+cannot be used for multilevel table addressing either.
+
+The existing IODA2 table allocation code aligns the minimum TCE table
+size to PAGE_SIZE so in the case of 64K system pages and 4K IOMMU pages,
+we have 64-4-12=48 bits. Since 64K page stores 8192 TCEs, i.e. needs
+13 bits, the maximum number of levels is 48/13 = 3 so we physically
+cannot address more and EEH happens on DMA accesses.
+
+This adds a check that too many levels were requested.
+
+It is still possible to have 5 levels in the case of 4K system page size.
+
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Acked-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/pci-ioda.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/powerpc/platforms/powernv/pci-ioda.c
++++ b/arch/powerpc/platforms/powernv/pci-ioda.c
+@@ -2270,6 +2270,9 @@ static long pnv_pci_ioda2_table_alloc_pa
+ level_shift = entries_shift + 3;
+ level_shift = max_t(unsigned, level_shift, PAGE_SHIFT);
+
++ if ((level_shift - 3) * levels + page_shift >= 60)
++ return -EINVAL;
++
+ /* Allocate TCE table */
+ addr = pnv_pci_ioda2_table_do_alloc_pages(nid, level_shift,
+ levels, tce_table_size, &offset, &total_allocated);
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Sasha Levin <alexander.levin@verizon.com>
+Date: Thu, 7 Dec 2017 23:21:06 -0500
+Subject: Revert "drm/armada: Fix compile fail"
+
+From: Sasha Levin <alexander.levin@verizon.com>
+
+
+This reverts commit 82f260d472c3b4dbb7324624e395c3e91f73a040.
+
+Not required on < 4.10.
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/armada/Makefile | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/gpu/drm/armada/Makefile
++++ b/drivers/gpu/drm/armada/Makefile
+@@ -4,5 +4,3 @@ armada-y += armada_510.o
+ armada-$(CONFIG_DEBUG_FS) += armada_debugfs.o
+
+ obj-$(CONFIG_DRM_ARMADA) := armada.o
+-
+-CFLAGS_armada_trace.o := -I$(src)
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Sasha Levin <alexander.levin@verizon.com>
+Date: Fri, 8 Dec 2017 00:11:47 -0500
+Subject: Revert "s390/kbuild: enable modversions for symbols exported from asm"
+
+From: Sasha Levin <alexander.levin@verizon.com>
+
+
+This reverts commit cabab3f9f5ca077535080b3252e6168935b914af.
+
+Not needed for < 4.9.
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/asm-prototypes.h | 8 --------
+ 1 file changed, 8 deletions(-)
+ delete mode 100644 arch/s390/include/asm/asm-prototypes.h
+
+--- a/arch/s390/include/asm/asm-prototypes.h
++++ /dev/null
+@@ -1,8 +0,0 @@
+-#ifndef _ASM_S390_PROTOTYPES_H
+-
+-#include <linux/kvm_host.h>
+-#include <linux/ftrace.h>
+-#include <asm/fpu/api.h>
+-#include <asm-generic/asm-prototypes.h>
+-
+-#endif /* _ASM_S390_PROTOTYPES_H */
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Sasha Levin <alexander.levin@verizon.com>
+Date: Thu, 7 Dec 2017 23:23:42 -0500
+Subject: Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA"
+
+From: Sasha Levin <alexander.levin@verizon.com>
+
+
+This reverts commit dadab2d4e3cf708ceba22ecddd94aedfecb39199.
+
+Not required on < 4.10.
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/spi/Kconfig
++++ b/drivers/spi/Kconfig
+@@ -315,7 +315,6 @@ config SPI_FSL_SPI
+ config SPI_FSL_DSPI
+ tristate "Freescale DSPI controller"
+ select REGMAP_MMIO
+- depends on HAS_DMA
+ depends on SOC_VF610 || SOC_LS1021A || ARCH_LAYERSCAPE || COMPILE_TEST
+ help
+ This enables support for the Freescale DSPI controller in master
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Fri, 17 Nov 2017 14:27:18 +0800
+Subject: route: also update fnhe_genid when updating a route cache
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit cebe84c6190d741045a322f5343f717139993c08 ]
+
+Now when ip route flush cache and it turn out all fnhe_genid != genid.
+If a redirect/pmtu icmp packet comes and the old fnhe is found and all
+it's members but fnhe_genid will be updated.
+
+Then next time when it looks up route and tries to rebind this fnhe to
+the new dst, the fnhe will be flushed due to fnhe_genid != genid. It
+causes this redirect/pmtu icmp packet acutally not to be applied.
+
+This patch is to also reset fnhe_genid when updating a route cache.
+
+Fixes: 5aad1de5ea2c ("ipv4: use separate genid for next hop exceptions")
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -624,9 +624,12 @@ static void update_or_create_fnhe(struct
+ struct fnhe_hash_bucket *hash;
+ struct fib_nh_exception *fnhe;
+ struct rtable *rt;
++ u32 genid, hval;
+ unsigned int i;
+ int depth;
+- u32 hval = fnhe_hashfun(daddr);
++
++ genid = fnhe_genid(dev_net(nh->nh_dev));
++ hval = fnhe_hashfun(daddr);
+
+ spin_lock_bh(&fnhe_lock);
+
+@@ -649,6 +652,8 @@ static void update_or_create_fnhe(struct
+ }
+
+ if (fnhe) {
++ if (fnhe->fnhe_genid != genid)
++ fnhe->fnhe_genid = genid;
+ if (gw)
+ fnhe->fnhe_gw = gw;
+ if (pmtu) {
+@@ -673,7 +678,7 @@ static void update_or_create_fnhe(struct
+ fnhe->fnhe_next = hash->chain;
+ rcu_assign_pointer(hash->chain, fnhe);
+ }
+- fnhe->fnhe_genid = fnhe_genid(dev_net(nh->nh_dev));
++ fnhe->fnhe_genid = genid;
+ fnhe->fnhe_daddr = daddr;
+ fnhe->fnhe_gw = gw;
+ fnhe->fnhe_pmtu = pmtu;
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Fri, 17 Nov 2017 14:27:06 +0800
+Subject: route: update fnhe_expires for redirect when the fnhe exists
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit e39d5246111399dbc6e11cd39fd8580191b86c47 ]
+
+Now when creating fnhe for redirect, it sets fnhe_expires for this
+new route cache. But when updating the exist one, it doesn't do it.
+It will cause this fnhe never to be expired.
+
+Paolo already noticed it before, in Jianlin's test case, it became
+even worse:
+
+When ip route flush cache, the old fnhe is not to be removed, but
+only clean it's members. When redirect comes again, this fnhe will
+be found and updated, but never be expired due to fnhe_expires not
+being set.
+
+So fix it by simply updating fnhe_expires even it's for redirect.
+
+Fixes: aee06da6726d ("ipv4: use seqlock for nh_exceptions")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -656,10 +656,9 @@ static void update_or_create_fnhe(struct
+ fnhe->fnhe_genid = genid;
+ if (gw)
+ fnhe->fnhe_gw = gw;
+- if (pmtu) {
++ if (pmtu)
+ fnhe->fnhe_pmtu = pmtu;
+- fnhe->fnhe_expires = max(1UL, expires);
+- }
++ fnhe->fnhe_expires = max(1UL, expires);
+ /* Update all cached dsts too */
+ rt = rcu_dereference(fnhe->fnhe_rth_input);
+ if (rt)
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: James Smart <jsmart2021@gmail.com>
+Date: Sat, 4 Mar 2017 09:30:25 -0800
+Subject: scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters
+
+From: James Smart <jsmart2021@gmail.com>
+
+
+[ Upstream commit 5d181531bc6169e19a02a27d202cf0e982db9d0e ]
+
+if REG_VPI fails, the driver was incorrectly issuing INIT_VFI
+(a SLI4 command) on a SLI3 adapter.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_els.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -7887,11 +7887,17 @@ lpfc_cmpl_reg_new_vport(struct lpfc_hba
+ spin_lock_irq(shost->host_lock);
+ vport->fc_flag |= FC_VPORT_NEEDS_REG_VPI;
+ spin_unlock_irq(shost->host_lock);
+- if (vport->port_type == LPFC_PHYSICAL_PORT
+- && !(vport->fc_flag & FC_LOGO_RCVD_DID_CHNG))
+- lpfc_issue_init_vfi(vport);
+- else
++ if (mb->mbxStatus == MBX_NOT_FINISHED)
++ break;
++ if ((vport->port_type == LPFC_PHYSICAL_PORT) &&
++ !(vport->fc_flag & FC_LOGO_RCVD_DID_CHNG)) {
++ if (phba->sli_rev == LPFC_SLI_REV4)
++ lpfc_issue_init_vfi(vport);
++ else
++ lpfc_initial_flogi(vport);
++ } else {
+ lpfc_initial_fdisc(vport);
++ }
+ break;
+ }
+ } else {
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Wed, 15 Nov 2017 16:55:54 +0800
+Subject: sctp: do not free asoc when it is already dead in sctp_sendmsg
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit ca3af4dd28cff4e7216e213ba3b671fbf9f84758 ]
+
+Now in sctp_sendmsg sctp_wait_for_sndbuf could schedule out without
+holding sock sk. It means the current asoc can be freed elsewhere,
+like when receiving an abort packet.
+
+If the asoc is just created in sctp_sendmsg and sctp_wait_for_sndbuf
+returns err, the asoc will be freed again due to new_asoc is not nil.
+An use-after-free issue would be triggered by this.
+
+This patch is to fix it by setting new_asoc with nil if the asoc is
+already dead when cpu schedules back, so that it will not be freed
+again in sctp_sendmsg.
+
+v1->v2:
+ set new_asoc as nil in sctp_sendmsg instead of sctp_wait_for_sndbuf.
+
+Suggested-by: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1954,8 +1954,14 @@ static int sctp_sendmsg(struct sock *sk,
+ timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
+ if (!sctp_wspace(asoc)) {
+ err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
+- if (err)
++ if (err) {
++ if (err == -ESRCH) {
++ /* asoc is already dead. */
++ new_asoc = NULL;
++ err = -EPIPE;
++ }
+ goto out_free;
++ }
+ }
+
+ /* If an address is passed with the sendto/sendmsg call, it is used
+@@ -6992,10 +6998,11 @@ static int sctp_wait_for_sndbuf(struct s
+ for (;;) {
+ prepare_to_wait_exclusive(&asoc->wait, &wait,
+ TASK_INTERRUPTIBLE);
++ if (asoc->base.dead)
++ goto do_dead;
+ if (!*timeo_p)
+ goto do_nonblock;
+- if (sk->sk_err || asoc->state >= SCTP_STATE_SHUTDOWN_PENDING ||
+- asoc->base.dead)
++ if (sk->sk_err || asoc->state >= SCTP_STATE_SHUTDOWN_PENDING)
+ goto do_error;
+ if (signal_pending(current))
+ goto do_interrupted;
+@@ -7020,6 +7027,10 @@ out:
+
+ return err;
+
++do_dead:
++ err = -ESRCH;
++ goto out;
++
+ do_error:
+ err = -EPIPE;
+ goto out;
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Wed, 15 Nov 2017 16:57:26 +0800
+Subject: sctp: use the right sk after waking up from wait_buf sleep
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit cea0cc80a6777beb6eb643d4ad53690e1ad1d4ff ]
+
+Commit dfcb9f4f99f1 ("sctp: deny peeloff operation on asocs with threads
+sleeping on it") fixed the race between peeloff and wait sndbuf by
+checking waitqueue_active(&asoc->wait) in sctp_do_peeloff().
+
+But it actually doesn't work, as even if waitqueue_active returns false
+the waiting sndbuf thread may still not yet hold sk lock. After asoc is
+peeled off, sk is not asoc->base.sk any more, then to hold the old sk
+lock couldn't make assoc safe to access.
+
+This patch is to fix this by changing to hold the new sk lock if sk is
+not asoc->base.sk, meanwhile, also set the sk in sctp_sendmsg with the
+new sk.
+
+With this fix, there is no more race between peeloff and waitbuf, the
+check 'waitqueue_active' in sctp_do_peeloff can be removed.
+
+Thanks Marcelo and Neil for making this clear.
+
+v1->v2:
+ fix it by changing to lock the new sock instead of adding a flag in asoc.
+
+Suggested-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -82,8 +82,8 @@
+ /* Forward declarations for internal helper functions. */
+ static int sctp_writeable(struct sock *sk);
+ static void sctp_wfree(struct sk_buff *skb);
+-static int sctp_wait_for_sndbuf(struct sctp_association *, long *timeo_p,
+- size_t msg_len);
++static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
++ size_t msg_len, struct sock **orig_sk);
+ static int sctp_wait_for_packet(struct sock *sk, int *err, long *timeo_p);
+ static int sctp_wait_for_connect(struct sctp_association *, long *timeo_p);
+ static int sctp_wait_for_accept(struct sock *sk, long timeo);
+@@ -1953,7 +1953,8 @@ static int sctp_sendmsg(struct sock *sk,
+
+ timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
+ if (!sctp_wspace(asoc)) {
+- err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
++ /* sk can be changed by peel off when waiting for buf. */
++ err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len, &sk);
+ if (err) {
+ if (err == -ESRCH) {
+ /* asoc is already dead. */
+@@ -4466,12 +4467,6 @@ int sctp_do_peeloff(struct sock *sk, sct
+ if (!asoc)
+ return -EINVAL;
+
+- /* If there is a thread waiting on more sndbuf space for
+- * sending on this asoc, it cannot be peeled.
+- */
+- if (waitqueue_active(&asoc->wait))
+- return -EBUSY;
+-
+ /* An association cannot be branched off from an already peeled-off
+ * socket, nor is this supported for tcp style sockets.
+ */
+@@ -6981,7 +6976,7 @@ void sctp_sock_rfree(struct sk_buff *skb
+
+ /* Helper function to wait for space in the sndbuf. */
+ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+- size_t msg_len)
++ size_t msg_len, struct sock **orig_sk)
+ {
+ struct sock *sk = asoc->base.sk;
+ int err = 0;
+@@ -7015,11 +7010,17 @@ static int sctp_wait_for_sndbuf(struct s
+ release_sock(sk);
+ current_timeo = schedule_timeout(current_timeo);
+ lock_sock(sk);
++ if (sk != asoc->base.sk) {
++ release_sock(sk);
++ sk = asoc->base.sk;
++ lock_sock(sk);
++ }
+
+ *timeo_p = current_timeo;
+ }
+
+ out:
++ *orig_sk = sk;
+ finish_wait(&asoc->wait, &wait);
+
+ /* Release the association's refcnt. */
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Sachin Sant <sachinp@linux.vnet.ibm.com>
+Date: Sun, 26 Feb 2017 11:38:39 +0530
+Subject: selftest/powerpc: Fix false failures for skipped tests
+
+From: Sachin Sant <sachinp@linux.vnet.ibm.com>
+
+
+[ Upstream commit a6d8a21596df041f36f4c2ccc260c459e3e851f1 ]
+
+Tests under alignment subdirectory are skipped when executed on previous
+generation hardware, but harness still marks them as failed.
+
+ test: test_copy_unaligned
+ tags: git_version:unknown
+ [SKIP] Test skipped on line 26
+ skip: test_copy_unaligned
+ selftests: copy_unaligned [FAIL]
+
+The MAGIC_SKIP_RETURN_VALUE value assigned to rc variable is retained till
+the program exit which causes the test to be marked as failed.
+
+This patch resets the value before returning to the main() routine.
+With this patch the test o/p is as follows:
+
+ test: test_copy_unaligned
+ tags: git_version:unknown
+ [SKIP] Test skipped on line 26
+ skip: test_copy_unaligned
+ selftests: copy_unaligned [PASS]
+
+Signed-off-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/powerpc/harness.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/powerpc/harness.c
++++ b/tools/testing/selftests/powerpc/harness.c
+@@ -109,9 +109,11 @@ int test_harness(int (test_function)(voi
+
+ rc = run_test(test_function, name);
+
+- if (rc == MAGIC_SKIP_RETURN_VALUE)
++ if (rc == MAGIC_SKIP_RETURN_VALUE) {
+ test_skip(name);
+- else
++ /* so that skipped test is not marked as failed */
++ rc = 0;
++ } else
+ test_finish(name, rc);
+
+ return rc;
thp-fix-madv_dontneed-vs.-numa-balancing-race.patch
mm-drop-unused-pmdp_huge_get_and_clear_notify.patch
drm-extra-printk-wrapper-macros.patch
+revert-drm-armada-fix-compile-fail.patch
+revert-spi-spi_fsl_dspi-should-depend-on-has_dma.patch
+revert-s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch
+vti6-don-t-report-path-mtu-below-ipv6_min_mtu.patch
+arm-omap2-gpmc-onenand-propagate-error-on-initialization-failure.patch
+x86-hpet-prevent-might-sleep-splat-on-resume.patch
+selftest-powerpc-fix-false-failures-for-skipped-tests.patch
+module-set-__jump_table-alignment-to-8.patch
+arm-omap2-fix-device-node-reference-counts.patch
+arm-omap2-release-device-node-after-it-is-no-longer-needed.patch
+gpio-altera-use-handle_level_irq-when-configured-as-a-level_high.patch
+hid-chicony-add-support-for-another-asus-zen-aio-keyboard.patch
+usb-gadget-configs-plug-memory-leak.patch
+usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch
+kvm-nvmx-vmclear-should-not-cause-the-vcpu-to-shut-down.patch
+libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch
+workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch
+scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch
+irqchip-crossbar-fix-incorrect-type-of-register-size.patch
+kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch
+arm-kvm-survive-unknown-traps-from-guests.patch
+arm64-kvm-survive-unknown-traps-from-guests.patch
+spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch
+bnx2x-prevent-crash-when-accessing-ptp-with-interface-down.patch
+bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch
+bnx2x-do-not-rollback-vf-mac-vlan-filters-we-did-not-configure.patch
+ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch
+crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch
+i2c-riic-fix-restart-condition.patch
+zram-set-physical-queue-limits-to-avoid-array-out-of-bounds-accesses.patch
+netfilter-don-t-track-fragmented-packets.patch
+axonram-fix-gendisk-handling.patch
+drm-amd-amdgpu-fix-console-deadlock-if-late-init-failed.patch
+powerpc-powernv-ioda2-gracefully-fail-if-too-many-tce-levels-requested.patch
+edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch
+edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch
+kbuild-pkg-use-transform-option-to-prefix-paths-in-tar.patch
+mac80211_hwsim-fix-memory-leak-in-hwsim_new_radio_nl.patch
+route-also-update-fnhe_genid-when-updating-a-route-cache.patch
+route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch
+lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch
+dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch
+nfs-fix-a-typo-in-nfs_rename.patch
+sunrpc-fix-rpc_task_begin-trace-point.patch
+block-wake-up-all-tasks-blocked-in-get_request.patch
+sparc64-mm-set-fields-in-deferred-pages.patch
+sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch
+sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch
+atm-horizon-fix-irq-release-error.patch
+jump_label-invoke-jump_label_test-via-early_initcall.patch
+xfrm-copy-policy-family-in-clone_policy.patch
+ib-mlx4-increase-maximal-message-size-under-ud-qp.patch
+ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch
+afs-connect-up-the-cb.probeuuid.patch
+ipvlan-fix-ipv6-outbound-device.patch
+audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Pavel Tatashin <pasha.tatashin@oracle.com>
+Date: Wed, 15 Nov 2017 17:36:18 -0800
+Subject: sparc64/mm: set fields in deferred pages
+
+From: Pavel Tatashin <pasha.tatashin@oracle.com>
+
+
+[ Upstream commit 2a20aa171071a334d80c4e5d5af719d8374702fc ]
+
+Without deferred struct page feature (CONFIG_DEFERRED_STRUCT_PAGE_INIT),
+flags and other fields in "struct page"es are never changed prior to
+first initializing struct pages by going through __init_single_page().
+
+With deferred struct page feature enabled there is a case where we set
+some fields prior to initializing:
+
+mem_init() {
+ register_page_bootmem_info();
+ free_all_bootmem();
+ ...
+}
+
+When register_page_bootmem_info() is called only non-deferred struct
+pages are initialized. But, this function goes through some reserved
+pages which might be part of the deferred, and thus are not yet
+initialized.
+
+mem_init
+register_page_bootmem_info
+register_page_bootmem_info_node
+ get_page_bootmem
+ .. setting fields here ..
+ such as: page->freelist = (void *)type;
+
+free_all_bootmem()
+free_low_memory_core_early()
+ for_each_reserved_mem_region()
+ reserve_bootmem_region()
+ init_reserved_page() <- Only if this is deferred reserved page
+ __init_single_pfn()
+ __init_single_page()
+ memset(0) <-- Loose the set fields here
+
+We end up with similar issue as in the previous patch, where currently
+we do not observe problem as memory is zeroed. But, if flag asserts are
+changed we can start hitting issues.
+
+Also, because in this patch series we will stop zeroing struct page
+memory during allocation, we must make sure that struct pages are
+properly initialized prior to using them.
+
+The deferred-reserved pages are initialized in free_all_bootmem().
+Therefore, the fix is to switch the above calls.
+
+Link: http://lkml.kernel.org/r/20171013173214.27300-4-pasha.tatashin@oracle.com
+Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>
+Reviewed-by: Steven Sistare <steven.sistare@oracle.com>
+Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Reviewed-by: Bob Picco <bob.picco@oracle.com>
+Acked-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Sam Ravnborg <sam@ravnborg.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/mm/init_64.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/arch/sparc/mm/init_64.c
++++ b/arch/sparc/mm/init_64.c
+@@ -2402,10 +2402,17 @@ void __init mem_init(void)
+ {
+ high_memory = __va(last_valid_pfn << PAGE_SHIFT);
+
+- register_page_bootmem_info();
+ free_all_bootmem();
+
+ /*
++ * Must be done after boot memory is put on freelist, because here we
++ * might set fields in deferred struct pages that have not yet been
++ * initialized, and free_all_bootmem() initializes all the reserved
++ * deferred pages for us.
++ */
++ register_page_bootmem_info();
++
++ /*
+ * Set up the zero page, mark it reserved, so that page count
+ * is not manipulated when freeing the page from user ptes.
+ */
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: "Blomme, Maarten" <Maarten.Blomme@flir.com>
+Date: Thu, 2 Mar 2017 13:08:36 +0100
+Subject: spi_ks8995: fix "BUG: key accdaa28 not in .data!"
+
+From: "Blomme, Maarten" <Maarten.Blomme@flir.com>
+
+
+[ Upstream commit 4342696df764ec65dcdfbd0c10d90ea52505f8ba ]
+
+Signed-off-by: Maarten Blomme <Maarten.Blomme@flir.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/spi_ks8995.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/phy/spi_ks8995.c
++++ b/drivers/net/phy/spi_ks8995.c
+@@ -310,6 +310,7 @@ static int ks8995_probe(struct spi_devic
+ if (err)
+ return err;
+
++ sysfs_attr_init(&ks->regs_attr.attr);
+ err = sysfs_create_bin_file(&spi->dev.kobj, &ks->regs_attr);
+ if (err) {
+ dev_err(&spi->dev, "unable to create sysfs file, err=%d\n",
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Fri, 3 Nov 2017 13:46:06 -0400
+Subject: sunrpc: Fix rpc_task_begin trace point
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+
+[ Upstream commit b2bfe5915d5fe7577221031a39ac722a0a2a1199 ]
+
+The rpc_task_begin trace point always display a task ID of zero.
+Move the trace point call site so that it picks up the new task ID.
+
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/sched.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/sunrpc/sched.c
++++ b/net/sunrpc/sched.c
+@@ -273,10 +273,9 @@ static inline void rpc_task_set_debuginf
+
+ static void rpc_set_active(struct rpc_task *task)
+ {
+- trace_rpc_task_begin(task->tk_client, task, NULL);
+-
+ rpc_task_set_debuginfo(task);
+ set_bit(RPC_TASK_ACTIVE, &task->tk_runstate);
++ trace_rpc_task_begin(task->tk_client, task, NULL);
+ }
+
+ /*
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: John Keeping <john@metanate.com>
+Date: Tue, 28 Feb 2017 10:55:30 +0000
+Subject: usb: gadget: configs: plug memory leak
+
+From: John Keeping <john@metanate.com>
+
+
+[ Upstream commit 38355b2a44776c25b0f2ad466e8c51bb805b3032 ]
+
+When binding a gadget to a device, "name" is stored in gi->udc_name, but
+this does not happen when unregistering and the string is leaked.
+
+Signed-off-by: John Keeping <john@metanate.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/configfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -270,6 +270,7 @@ static ssize_t gadget_dev_desc_UDC_store
+ ret = unregister_gadget(gi);
+ if (ret)
+ goto err;
++ kfree(name);
+ } else {
+ if (gi->udc_name) {
+ ret = -EBUSY;
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Tue, 21 Feb 2017 22:33:11 +0100
+Subject: USB: gadgetfs: Fix a potential memory leak in 'dev_config()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit b6e7aeeaf235901c42ec35de4633c7c69501d303 ]
+
+'kbuf' is allocated just a few lines above using 'memdup_user()'.
+If the 'if (dev->buf)' test fails, this memory is never released.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/legacy/inode.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1837,8 +1837,10 @@ dev_config (struct file *fd, const char
+
+ spin_lock_irq (&dev->lock);
+ value = -EINVAL;
+- if (dev->buf)
++ if (dev->buf) {
++ kfree(kbuf);
+ goto fail;
++ }
+ dev->buf = kbuf;
+
+ /* full or low speed config */
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Wed, 15 Feb 2017 11:38:58 +0100
+Subject: vti6: Don't report path MTU below IPV6_MIN_MTU.
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+
+[ Upstream commit e3dc847a5f85b43ee2bfc8eae407a7e383483228 ]
+
+In vti6_xmit(), the check for IPV6_MIN_MTU before we
+send a ICMPV6_PKT_TOOBIG message is missing. So we might
+report a PMTU below 1280. Fix this by adding the required
+check.
+
+Fixes: ccd740cbc6e ("vti6: Add pmtu handling to vti6_xmit.")
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_vti.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -474,11 +474,15 @@ vti6_xmit(struct sk_buff *skb, struct ne
+ if (!skb->ignore_df && skb->len > mtu) {
+ skb_dst(skb)->ops->update_pmtu(dst, NULL, skb, mtu);
+
+- if (skb->protocol == htons(ETH_P_IPV6))
++ if (skb->protocol == htons(ETH_P_IPV6)) {
++ if (mtu < IPV6_MIN_MTU)
++ mtu = IPV6_MIN_MTU;
++
+ icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
+- else
++ } else {
+ icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
+ htonl(mtu));
++ }
+
+ return -EMSGSIZE;
+ }
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Tejun Heo <tj@kernel.org>
+Date: Mon, 6 Mar 2017 15:33:42 -0500
+Subject: workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq
+
+From: Tejun Heo <tj@kernel.org>
+
+
+[ Upstream commit 637fdbae60d6cb9f6e963c1079d7e0445c86ff7d ]
+
+If queue_delayed_work() gets called with NULL @wq, the kernel will
+oops asynchronuosly on timer expiration which isn't too helpful in
+tracking down the offender. This actually happened with smc.
+
+__queue_delayed_work() already does several input sanity checks
+synchronously. Add NULL @wq check.
+
+Reported-by: Dave Jones <davej@codemonkey.org.uk>
+Link: http://lkml.kernel.org/r/20170227171439.jshx3qplflyrgcv7@codemonkey.org.uk
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/workqueue.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -1479,6 +1479,7 @@ static void __queue_delayed_work(int cpu
+ struct timer_list *timer = &dwork->timer;
+ struct work_struct *work = &dwork->work;
+
++ WARN_ON_ONCE(!wq);
+ WARN_ON_ONCE(timer->function != delayed_work_timer_fn ||
+ timer->data != (unsigned long)dwork);
+ WARN_ON_ONCE(timer_pending(timer));
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 1 Mar 2017 21:10:17 +0100
+Subject: x86/hpet: Prevent might sleep splat on resume
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+
+[ Upstream commit bb1a2c26165640ba2cbcfe06c81e9f9d6db4e643 ]
+
+Sergey reported a might sleep warning triggered from the hpet resume
+path. It's caused by the call to disable_irq() from interrupt disabled
+context.
+
+The problem with the low level resume code is that it is not accounted as a
+special system_state like we do during the boot process. Calling the same
+code during system boot would not trigger the warning. That's inconsistent
+at best.
+
+In this particular case it's trivial to replace the disable_irq() with
+disable_hardirq() because this particular code path is solely used from
+system resume and the involved hpet interrupts can never be force threaded.
+
+Reported-and-tested-by: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: "Rafael J. Wysocki" <rjw@sisk.pl>
+Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1703012108460.3684@nanos
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/hpet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/hpet.c
++++ b/arch/x86/kernel/hpet.c
+@@ -353,7 +353,7 @@ static int hpet_resume(struct clock_even
+
+ irq_domain_deactivate_irq(irq_get_irq_data(hdev->irq));
+ irq_domain_activate_irq(irq_get_irq_data(hdev->irq));
+- disable_irq(hdev->irq);
++ disable_hardirq(hdev->irq);
+ irq_set_affinity(hdev->irq, cpumask_of(hdev->cpu));
+ enable_irq(hdev->irq);
+ }
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 10 Nov 2017 14:14:06 +1100
+Subject: xfrm: Copy policy family in clone_policy
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+
+[ Upstream commit 0e74aa1d79a5bbc663e03a2804399cae418a0321 ]
+
+The syzbot found an ancient bug in the IPsec code. When we cloned
+a socket policy (for example, for a child TCP socket derived from a
+listening socket), we did not copy the family field. This results
+in a live policy with a zero family field. This triggers a BUG_ON
+check in the af_key code when the cloned policy is retrieved.
+
+This patch fixes it by copying the family field over.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_policy.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1361,6 +1361,7 @@ static struct xfrm_policy *clone_policy(
+ newp->xfrm_nr = old->xfrm_nr;
+ newp->index = old->index;
+ newp->type = old->type;
++ newp->family = old->family;
+ memcpy(newp->xfrm_vec, old->xfrm_vec,
+ newp->xfrm_nr*sizeof(struct xfrm_tmpl));
+ write_lock_bh(&net->xfrm.xfrm_policy_lock);
--- /dev/null
+From foo@baz Tue Dec 12 13:38:50 CET 2017
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Mon, 6 Mar 2017 11:23:35 +0100
+Subject: zram: set physical queue limits to avoid array out of bounds accesses
+
+From: Johannes Thumshirn <jthumshirn@suse.de>
+
+
+[ Upstream commit 0bc315381fe9ed9fb91db8b0e82171b645ac008f ]
+
+zram can handle at most SECTORS_PER_PAGE sectors in a bio's bvec. When using
+the NVMe over Fabrics loopback target which potentially sends a huge bulk of
+pages attached to the bio's bvec this results in a kernel panic because of
+array out of bounds accesses in zram_decompress_page().
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/zram/zram_drv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/block/zram/zram_drv.c
++++ b/drivers/block/zram/zram_drv.c
+@@ -1247,6 +1247,8 @@ static int zram_add(void)
+ blk_queue_io_min(zram->disk->queue, PAGE_SIZE);
+ blk_queue_io_opt(zram->disk->queue, PAGE_SIZE);
+ zram->disk->queue->limits.discard_granularity = PAGE_SIZE;
++ zram->disk->queue->limits.max_sectors = SECTORS_PER_PAGE;
++ zram->disk->queue->limits.chunk_sectors = 0;
+ blk_queue_max_discard_sectors(zram->disk->queue, UINT_MAX);
+ /*
+ * zram_bio_discard() will clear all logical blocks if logical block
projects / thirdparty / kernel / stable-queue.git / commitdiff
