--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Marc Dionne <marc.dionne@auristor.com>
+Date: Thu, 16 Mar 2017 16:27:44 +0000
+Subject: afs: Adjust mode bits processing
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+
+[ Upstream commit 627f46943ff90bcc32ddeb675d881c043c6fa2ae ]
+
+Mode bits for an afs file should not be enforced in the usual
+way.
+
+For files, the absence of user bits can restrict file access
+with respect to what is granted by the server.
+
+These bits apply regardless of the owner or the current uid; the
+rest of the mode bits (group, other) are ignored.
+
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/security.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/afs/security.c
++++ b/fs/afs/security.c
+@@ -340,17 +340,22 @@ int afs_permission(struct inode *inode,
+ } else {
+ if (!(access & AFS_ACE_LOOKUP))
+ goto permission_denied;
++ if ((mask & MAY_EXEC) && !(inode->i_mode & S_IXUSR))
++ goto permission_denied;
+ if (mask & (MAY_EXEC | MAY_READ)) {
+ if (!(access & AFS_ACE_READ))
+ goto permission_denied;
++ if (!(inode->i_mode & S_IRUSR))
++ goto permission_denied;
+ } else if (mask & MAY_WRITE) {
+ if (!(access & AFS_ACE_WRITE))
+ goto permission_denied;
++ if (!(inode->i_mode & S_IWUSR))
++ goto permission_denied;
+ }
+ }
+
+ key_put(key);
+- ret = generic_permission(inode, mask);
+ _leave(" = %d", ret);
+ return ret;
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 16 Mar 2017 16:27:48 +0000
+Subject: afs: Fix afs_kill_pages()
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 7286a35e893176169b09715096a4aca557e2ccd2 ]
+
+Fix afs_kill_pages() in two ways:
+
+ (1) If a writeback has been partially flushed, then if we try and kill the
+ pages it contains, some of them may no longer be undergoing writeback
+ and end_page_writeback() will assert.
+
+ Fix this by checking to see whether the page in question is actually
+ undergoing writeback before ending that writeback.
+
+ (2) The loop that scans for pages to kill doesn't increase the first page
+ index, and so the loop may not terminate, but it will try to process
+ the same pages over and over again.
+
+ Fix this by increasing the first page index to one after the last page
+ we processed.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/write.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/fs/afs/write.c
++++ b/fs/afs/write.c
+@@ -299,10 +299,14 @@ static void afs_kill_pages(struct afs_vn
+ ASSERTCMP(pv.nr, ==, count);
+
+ for (loop = 0; loop < count; loop++) {
+- ClearPageUptodate(pv.pages[loop]);
++ struct page *page = pv.pages[loop];
++ ClearPageUptodate(page);
+ if (error)
+- SetPageError(pv.pages[loop]);
+- end_page_writeback(pv.pages[loop]);
++ SetPageError(page);
++ if (PageWriteback(page))
++ end_page_writeback(page);
++ if (page->index >= first)
++ first = page->index + 1;
+ }
+
+ __pagevec_release(&pv);
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 16 Mar 2017 16:27:43 +0000
+Subject: afs: Fix missing put_page()
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 29c8bbbd6e21daa0997d1c3ee886b897ee7ad652 ]
+
+In afs_writepages_region(), inside the loop where we find dirty pages to
+deal with, one of the if-statements is missing a put_page().
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/write.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/afs/write.c
++++ b/fs/afs/write.c
+@@ -503,6 +503,7 @@ static int afs_writepages_region(struct
+
+ if (PageWriteback(page) || !PageDirty(page)) {
+ unlock_page(page);
++ put_page(page);
+ continue;
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 16 Mar 2017 16:27:48 +0000
+Subject: afs: Fix page leak in afs_write_begin()
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 6d06b0d25209c80e99c1e89700f1e09694a3766b ]
+
+afs_write_begin() leaks a ref and a lock on a page if afs_fill_page()
+fails. Fix the leak by unlocking and releasing the page in the error path.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/write.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/afs/write.c
++++ b/fs/afs/write.c
+@@ -148,12 +148,12 @@ int afs_write_begin(struct file *file, s
+ kfree(candidate);
+ return -ENOMEM;
+ }
+- *pagep = page;
+- /* page won't leak in error case: it eventually gets cleaned off LRU */
+
+ if (!PageUptodate(page) && len != PAGE_CACHE_SIZE) {
+ ret = afs_fill_page(vnode, key, index << PAGE_CACHE_SHIFT, page);
+ if (ret < 0) {
++ unlock_page(page);
++ put_page(page);
+ kfree(candidate);
+ _leave(" = %d [prep]", ret);
+ return ret;
+@@ -161,6 +161,9 @@ int afs_write_begin(struct file *file, s
+ SetPageUptodate(page);
+ }
+
++ /* page won't leak in error case: it eventually gets cleaned off LRU */
++ *pagep = page;
++
+ try_again:
+ spin_lock(&vnode->writeback_lock);
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 16 Mar 2017 16:27:47 +0000
+Subject: afs: Fix the maths in afs_fs_store_data()
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 146a1192783697810b63a1e41c4d59fc93387340 ]
+
+afs_fs_store_data() works out of the size of the write it's going to make,
+but it uses 32-bit unsigned subtraction in one place that gets
+automatically cast to loff_t.
+
+However, if to < offset, then the number goes negative, but as the result
+isn't signed, this doesn't get sign-extended to 64-bits when placed in a
+loff_t.
+
+Fix by casting the operands to loff_t.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/fsclient.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/afs/fsclient.c
++++ b/fs/afs/fsclient.c
+@@ -1225,7 +1225,7 @@ int afs_fs_store_data(struct afs_server
+ _enter(",%x,{%x:%u},,",
+ key_serial(wb->key), vnode->fid.vid, vnode->fid.vnode);
+
+- size = to - offset;
++ size = (loff_t)to - (loff_t)offset;
+ if (first != last)
+ size += (loff_t)(last - first) << PAGE_SHIFT;
+ pos = (loff_t)first << PAGE_SHIFT;
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 16 Mar 2017 16:27:45 +0000
+Subject: afs: Flush outstanding writes when an fd is closed
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit 58fed94dfb17e89556b5705f20f90e5b2971b6a1 ]
+
+Flush outstanding writes in afs when an fd is closed. This is what NFS and
+CIFS do.
+
+Reported-by: Marc Dionne <marc.c.dionne@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/file.c | 1 +
+ fs/afs/internal.h | 1 +
+ fs/afs/write.c | 14 ++++++++++++++
+ 3 files changed, 16 insertions(+)
+
+--- a/fs/afs/file.c
++++ b/fs/afs/file.c
+@@ -29,6 +29,7 @@ static int afs_readpages(struct file *fi
+
+ const struct file_operations afs_file_operations = {
+ .open = afs_open,
++ .flush = afs_flush,
+ .release = afs_release,
+ .llseek = generic_file_llseek,
+ .read_iter = generic_file_read_iter,
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -749,6 +749,7 @@ extern int afs_writepages(struct address
+ extern void afs_pages_written_back(struct afs_vnode *, struct afs_call *);
+ extern ssize_t afs_file_write(struct kiocb *, struct iov_iter *);
+ extern int afs_writeback_all(struct afs_vnode *);
++extern int afs_flush(struct file *, fl_owner_t);
+ extern int afs_fsync(struct file *, loff_t, loff_t, int);
+
+
+--- a/fs/afs/write.c
++++ b/fs/afs/write.c
+@@ -741,6 +741,20 @@ out:
+ }
+
+ /*
++ * Flush out all outstanding writes on a file opened for writing when it is
++ * closed.
++ */
++int afs_flush(struct file *file, fl_owner_t id)
++{
++ _enter("");
++
++ if ((file->f_mode & FMODE_WRITE) == 0)
++ return 0;
++
++ return vfs_fsync(file, 0);
++}
++
++/*
+ * notification that a previously read-only page is about to become writable
+ * - if it returns an error, the caller will deliver a bus error signal
+ */
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Tina Ruchandani <ruchandani.tina@gmail.com>
+Date: Thu, 16 Mar 2017 16:27:46 +0000
+Subject: afs: Migrate vlocation fields to 64-bit
+
+From: Tina Ruchandani <ruchandani.tina@gmail.com>
+
+
+[ Upstream commit 8a79790bf0b7da216627ffb85f52cfb4adbf1e4e ]
+
+get_seconds() returns real wall-clock seconds. On 32-bit systems
+this value will overflow in year 2038 and beyond. This patch changes
+afs's vlocation record to use ktime_get_real_seconds() instead, for the
+fields time_of_death and update_at.
+
+Signed-off-by: Tina Ruchandani <ruchandani.tina@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/callback.c | 7 ++++---
+ fs/afs/internal.h | 7 ++++---
+ fs/afs/server.c | 6 +++---
+ fs/afs/vlocation.c | 16 +++++++++-------
+ 4 files changed, 20 insertions(+), 16 deletions(-)
+
+--- a/fs/afs/callback.c
++++ b/fs/afs/callback.c
+@@ -362,7 +362,7 @@ static void afs_callback_updater(struct
+ {
+ struct afs_server *server;
+ struct afs_vnode *vnode, *xvnode;
+- time_t now;
++ time64_t now;
+ long timeout;
+ int ret;
+
+@@ -370,7 +370,7 @@ static void afs_callback_updater(struct
+
+ _enter("");
+
+- now = get_seconds();
++ now = ktime_get_real_seconds();
+
+ /* find the first vnode to update */
+ spin_lock(&server->cb_lock);
+@@ -424,7 +424,8 @@ static void afs_callback_updater(struct
+
+ /* and then reschedule */
+ _debug("reschedule");
+- vnode->update_at = get_seconds() + afs_vnode_update_timeout;
++ vnode->update_at = ktime_get_real_seconds() +
++ afs_vnode_update_timeout;
+
+ spin_lock(&server->cb_lock);
+
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -11,6 +11,7 @@
+
+ #include <linux/compiler.h>
+ #include <linux/kernel.h>
++#include <linux/ktime.h>
+ #include <linux/fs.h>
+ #include <linux/pagemap.h>
+ #include <linux/skbuff.h>
+@@ -247,7 +248,7 @@ struct afs_cache_vhash {
+ */
+ struct afs_vlocation {
+ atomic_t usage;
+- time_t time_of_death; /* time at which put reduced usage to 0 */
++ time64_t time_of_death; /* time at which put reduced usage to 0 */
+ struct list_head link; /* link in cell volume location list */
+ struct list_head grave; /* link in master graveyard list */
+ struct list_head update; /* link in master update list */
+@@ -258,7 +259,7 @@ struct afs_vlocation {
+ struct afs_cache_vlocation vldb; /* volume information DB record */
+ struct afs_volume *vols[3]; /* volume access record pointer (index by type) */
+ wait_queue_head_t waitq; /* status change waitqueue */
+- time_t update_at; /* time at which record should be updated */
++ time64_t update_at; /* time at which record should be updated */
+ spinlock_t lock; /* access lock */
+ afs_vlocation_state_t state; /* volume location state */
+ unsigned short upd_rej_cnt; /* ENOMEDIUM count during update */
+@@ -271,7 +272,7 @@ struct afs_vlocation {
+ */
+ struct afs_server {
+ atomic_t usage;
+- time_t time_of_death; /* time at which put reduced usage to 0 */
++ time64_t time_of_death; /* time at which put reduced usage to 0 */
+ struct in_addr addr; /* server address */
+ struct afs_cell *cell; /* cell in which server resides */
+ struct list_head link; /* link in cell's server list */
+--- a/fs/afs/server.c
++++ b/fs/afs/server.c
+@@ -237,7 +237,7 @@ void afs_put_server(struct afs_server *s
+ spin_lock(&afs_server_graveyard_lock);
+ if (atomic_read(&server->usage) == 0) {
+ list_move_tail(&server->grave, &afs_server_graveyard);
+- server->time_of_death = get_seconds();
++ server->time_of_death = ktime_get_real_seconds();
+ queue_delayed_work(afs_wq, &afs_server_reaper,
+ afs_server_timeout * HZ);
+ }
+@@ -272,9 +272,9 @@ static void afs_reap_server(struct work_
+ LIST_HEAD(corpses);
+ struct afs_server *server;
+ unsigned long delay, expiry;
+- time_t now;
++ time64_t now;
+
+- now = get_seconds();
++ now = ktime_get_real_seconds();
+ spin_lock(&afs_server_graveyard_lock);
+
+ while (!list_empty(&afs_server_graveyard)) {
+--- a/fs/afs/vlocation.c
++++ b/fs/afs/vlocation.c
+@@ -340,7 +340,8 @@ static void afs_vlocation_queue_for_upda
+ struct afs_vlocation *xvl;
+
+ /* wait at least 10 minutes before updating... */
+- vl->update_at = get_seconds() + afs_vlocation_update_timeout;
++ vl->update_at = ktime_get_real_seconds() +
++ afs_vlocation_update_timeout;
+
+ spin_lock(&afs_vlocation_updates_lock);
+
+@@ -506,7 +507,7 @@ void afs_put_vlocation(struct afs_vlocat
+ if (atomic_read(&vl->usage) == 0) {
+ _debug("buried");
+ list_move_tail(&vl->grave, &afs_vlocation_graveyard);
+- vl->time_of_death = get_seconds();
++ vl->time_of_death = ktime_get_real_seconds();
+ queue_delayed_work(afs_wq, &afs_vlocation_reap,
+ afs_vlocation_timeout * HZ);
+
+@@ -543,11 +544,11 @@ static void afs_vlocation_reaper(struct
+ LIST_HEAD(corpses);
+ struct afs_vlocation *vl;
+ unsigned long delay, expiry;
+- time_t now;
++ time64_t now;
+
+ _enter("");
+
+- now = get_seconds();
++ now = ktime_get_real_seconds();
+ spin_lock(&afs_vlocation_graveyard_lock);
+
+ while (!list_empty(&afs_vlocation_graveyard)) {
+@@ -622,13 +623,13 @@ static void afs_vlocation_updater(struct
+ {
+ struct afs_cache_vlocation vldb;
+ struct afs_vlocation *vl, *xvl;
+- time_t now;
++ time64_t now;
+ long timeout;
+ int ret;
+
+ _enter("");
+
+- now = get_seconds();
++ now = ktime_get_real_seconds();
+
+ /* find a record to update */
+ spin_lock(&afs_vlocation_updates_lock);
+@@ -684,7 +685,8 @@ static void afs_vlocation_updater(struct
+
+ /* and then reschedule */
+ _debug("reschedule");
+- vl->update_at = get_seconds() + afs_vlocation_update_timeout;
++ vl->update_at = ktime_get_real_seconds() +
++ afs_vlocation_update_timeout;
+
+ spin_lock(&afs_vlocation_updates_lock);
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Marc Dionne <marc.dionne@auristor.com>
+Date: Thu, 16 Mar 2017 16:27:47 +0000
+Subject: afs: Populate and use client modification time
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+
+[ Upstream commit ab94f5d0dd6fd82e7eeca5e7c8096eaea0a0261f ]
+
+The inode timestamps should be set from the client time
+in the status received from the server, rather than the
+server time which is meant for internal server use.
+
+Set AFS_SET_MTIME and populate the mtime for operations
+that take an input status, such as file/dir creation
+and StoreData. If an input time is not provided the
+server will set the vnode times based on the current server
+time.
+
+In a situation where the server has some skew with the
+client, this could lead to the client seeing a timestamp
+in the future for a file that it just created or wrote.
+
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/fsclient.c | 18 +++++++++---------
+ fs/afs/inode.c | 2 +-
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+
+--- a/fs/afs/fsclient.c
++++ b/fs/afs/fsclient.c
+@@ -105,7 +105,7 @@ static void xdr_decode_AFSFetchStatus(co
+ vnode->vfs_inode.i_mode = mode;
+ }
+
+- vnode->vfs_inode.i_ctime.tv_sec = status->mtime_server;
++ vnode->vfs_inode.i_ctime.tv_sec = status->mtime_client;
+ vnode->vfs_inode.i_mtime = vnode->vfs_inode.i_ctime;
+ vnode->vfs_inode.i_atime = vnode->vfs_inode.i_ctime;
+ vnode->vfs_inode.i_version = data_version;
+@@ -703,8 +703,8 @@ int afs_fs_create(struct afs_server *ser
+ memset(bp, 0, padsz);
+ bp = (void *) bp + padsz;
+ }
+- *bp++ = htonl(AFS_SET_MODE);
+- *bp++ = 0; /* mtime */
++ *bp++ = htonl(AFS_SET_MODE | AFS_SET_MTIME);
++ *bp++ = htonl(vnode->vfs_inode.i_mtime.tv_sec); /* mtime */
+ *bp++ = 0; /* owner */
+ *bp++ = 0; /* group */
+ *bp++ = htonl(mode & S_IALLUGO); /* unix mode */
+@@ -981,8 +981,8 @@ int afs_fs_symlink(struct afs_server *se
+ memset(bp, 0, c_padsz);
+ bp = (void *) bp + c_padsz;
+ }
+- *bp++ = htonl(AFS_SET_MODE);
+- *bp++ = 0; /* mtime */
++ *bp++ = htonl(AFS_SET_MODE | AFS_SET_MTIME);
++ *bp++ = htonl(vnode->vfs_inode.i_mtime.tv_sec); /* mtime */
+ *bp++ = 0; /* owner */
+ *bp++ = 0; /* group */
+ *bp++ = htonl(S_IRWXUGO); /* unix mode */
+@@ -1192,8 +1192,8 @@ static int afs_fs_store_data64(struct af
+ *bp++ = htonl(vnode->fid.vnode);
+ *bp++ = htonl(vnode->fid.unique);
+
+- *bp++ = 0; /* mask */
+- *bp++ = 0; /* mtime */
++ *bp++ = htonl(AFS_SET_MTIME); /* mask */
++ *bp++ = htonl(vnode->vfs_inode.i_mtime.tv_sec); /* mtime */
+ *bp++ = 0; /* owner */
+ *bp++ = 0; /* group */
+ *bp++ = 0; /* unix mode */
+@@ -1269,8 +1269,8 @@ int afs_fs_store_data(struct afs_server
+ *bp++ = htonl(vnode->fid.vnode);
+ *bp++ = htonl(vnode->fid.unique);
+
+- *bp++ = 0; /* mask */
+- *bp++ = 0; /* mtime */
++ *bp++ = htonl(AFS_SET_MTIME); /* mask */
++ *bp++ = htonl(vnode->vfs_inode.i_mtime.tv_sec); /* mtime */
+ *bp++ = 0; /* owner */
+ *bp++ = 0; /* group */
+ *bp++ = 0; /* unix mode */
+--- a/fs/afs/inode.c
++++ b/fs/afs/inode.c
+@@ -71,7 +71,7 @@ static int afs_inode_map_status(struct a
+ inode->i_uid = vnode->status.owner;
+ inode->i_gid = vnode->status.group;
+ inode->i_size = vnode->status.size;
+- inode->i_ctime.tv_sec = vnode->status.mtime_server;
++ inode->i_ctime.tv_sec = vnode->status.mtime_client;
+ inode->i_ctime.tv_nsec = 0;
+ inode->i_atime = inode->i_mtime = inode->i_ctime;
+ inode->i_blocks = 0;
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Marc Dionne <marc.dionne@auristor.com>
+Date: Thu, 16 Mar 2017 16:27:43 +0000
+Subject: afs: Populate group ID from vnode status
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+
+[ Upstream commit 6186f0788b31f44affceeedc7b48eb10faea120d ]
+
+The group was hard coded to GLOBAL_ROOT_GID; use the group
+ID that was received from the server.
+
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/afs/inode.c
++++ b/fs/afs/inode.c
+@@ -69,7 +69,7 @@ static int afs_inode_map_status(struct a
+
+ set_nlink(inode, vnode->status.nlink);
+ inode->i_uid = vnode->status.owner;
+- inode->i_gid = GLOBAL_ROOT_GID;
++ inode->i_gid = vnode->status.group;
+ inode->i_size = vnode->status.size;
+ inode->i_ctime.tv_sec = vnode->status.mtime_server;
+ inode->i_ctime.tv_nsec = 0;
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Tina Ruchandani <ruchandani.tina@gmail.com>
+Date: Thu, 16 Mar 2017 16:27:46 +0000
+Subject: afs: Prevent callback expiry timer overflow
+
+From: Tina Ruchandani <ruchandani.tina@gmail.com>
+
+
+[ Upstream commit 56e714312e7dbd6bb83b2f78d3ec19a404c7649f ]
+
+get_seconds() returns real wall-clock seconds. On 32-bit systems
+this value will overflow in year 2038 and beyond. This patch changes
+afs_vnode record to use ktime_get_real_seconds() instead, for the
+fields cb_expires and cb_expires_at.
+
+Signed-off-by: Tina Ruchandani <ruchandani.tina@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/fsclient.c | 2 +-
+ fs/afs/inode.c | 7 ++++---
+ fs/afs/internal.h | 4 ++--
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+--- a/fs/afs/fsclient.c
++++ b/fs/afs/fsclient.c
+@@ -139,7 +139,7 @@ static void xdr_decode_AFSCallBack(const
+ vnode->cb_version = ntohl(*bp++);
+ vnode->cb_expiry = ntohl(*bp++);
+ vnode->cb_type = ntohl(*bp++);
+- vnode->cb_expires = vnode->cb_expiry + get_seconds();
++ vnode->cb_expires = vnode->cb_expiry + ktime_get_real_seconds();
+ *_bp = bp;
+ }
+
+--- a/fs/afs/inode.c
++++ b/fs/afs/inode.c
+@@ -244,12 +244,13 @@ struct inode *afs_iget(struct super_bloc
+ vnode->cb_version = 0;
+ vnode->cb_expiry = 0;
+ vnode->cb_type = 0;
+- vnode->cb_expires = get_seconds();
++ vnode->cb_expires = ktime_get_real_seconds();
+ } else {
+ vnode->cb_version = cb->version;
+ vnode->cb_expiry = cb->expiry;
+ vnode->cb_type = cb->type;
+- vnode->cb_expires = vnode->cb_expiry + get_seconds();
++ vnode->cb_expires = vnode->cb_expiry +
++ ktime_get_real_seconds();
+ }
+ }
+
+@@ -322,7 +323,7 @@ int afs_validate(struct afs_vnode *vnode
+ !test_bit(AFS_VNODE_CB_BROKEN, &vnode->flags) &&
+ !test_bit(AFS_VNODE_MODIFIED, &vnode->flags) &&
+ !test_bit(AFS_VNODE_ZAP_DATA, &vnode->flags)) {
+- if (vnode->cb_expires < get_seconds() + 10) {
++ if (vnode->cb_expires < ktime_get_real_seconds() + 10) {
+ _debug("callback expired");
+ set_bit(AFS_VNODE_CB_BROKEN, &vnode->flags);
+ } else {
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -375,8 +375,8 @@ struct afs_vnode {
+ struct rb_node server_rb; /* link in server->fs_vnodes */
+ struct rb_node cb_promise; /* link in server->cb_promises */
+ struct work_struct cb_broken_work; /* work to be done on callback break */
+- time_t cb_expires; /* time at which callback expires */
+- time_t cb_expires_at; /* time used to order cb_promise */
++ time64_t cb_expires; /* time at which callback expires */
++ time64_t cb_expires_at; /* time used to order cb_promise */
+ unsigned cb_version; /* callback version */
+ unsigned cb_expiry; /* callback expiry time */
+ afs_callback_type_t cb_type; /* type of callback */
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Fri, 3 Nov 2017 11:45:18 +0000
+Subject: arm-ccn: perf: Prevent module unload while PMU is in use
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+
+[ Upstream commit c7f5828bf77dcbd61d51f4736c1d5aa35663fbb4 ]
+
+When the PMU driver is built as a module, the perf expects the
+pmu->module to be valid, so that the driver is prevented from
+being unloaded while it is in use. Fix the CCN pmu driver to
+fill in this field.
+
+Fixes: a33b0daab73a0 ("bus: ARM CCN PMU driver")
+Cc: Pawel Moll <pawel.moll@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/arm-ccn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bus/arm-ccn.c
++++ b/drivers/bus/arm-ccn.c
+@@ -1260,6 +1260,7 @@ static int arm_ccn_pmu_init(struct arm_c
+
+ /* Perf driver registration */
+ ccn->dt.pmu = (struct pmu) {
++ .module = THIS_MODULE,
+ .attr_groups = arm_ccn_pmu_attr_groups,
+ .task_ctx_nr = perf_invalid_context,
+ .event_init = arm_ccn_pmu_event_init,
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+Date: Wed, 27 Sep 2017 09:13:34 +0800
+Subject: ath9k: fix tx99 potential info leak
+
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+
+
+[ Upstream commit ee0a47186e2fa9aa1c56cadcea470ca0ba8c8692 ]
+
+When the user sets count to zero the string buffer would remain
+completely uninitialized which causes the kernel to parse its
+own stack data, potentially leading to an info leak. In addition
+to that, the string might be not terminated properly when the
+user data does not contain a 0-terminator.
+
+Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
+Reviewed-by: Christoph Böhmwalder <christoph@boehmwalder.at>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath9k/tx99.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath9k/tx99.c
++++ b/drivers/net/wireless/ath/ath9k/tx99.c
+@@ -180,6 +180,9 @@ static ssize_t write_file_tx99(struct fi
+ ssize_t len;
+ int r;
+
++ if (count < 1)
++ return -EINVAL;
++
+ if (sc->cur_chan->nvifs > 1)
+ return -EOPNOTSUPP;
+
+@@ -187,6 +190,8 @@ static ssize_t write_file_tx99(struct fi
+ if (copy_from_user(buf, user_buf, len))
+ return -EFAULT;
+
++ buf[len] = '\0';
++
+ if (strtobool(buf, &start))
+ return -EINVAL;
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Liang Chen <liangchen.linux@gmail.com>
+Date: Mon, 30 Oct 2017 14:46:35 -0700
+Subject: bcache: explicitly destroy mutex while exiting
+
+From: Liang Chen <liangchen.linux@gmail.com>
+
+
+[ Upstream commit 330a4db89d39a6b43f36da16824eaa7a7509d34d ]
+
+mutex_destroy does nothing most of time, but it's better to call
+it to make the code future proof and it also has some meaning
+for like mutex debug.
+
+As Coly pointed out in a previous review, bcache_exit() may not be
+able to handle all the references properly if userspace registers
+cache and backing devices right before bch_debug_init runs and
+bch_debug_init failes later. So not exposing userspace interface
+until everything is ready to avoid that issue.
+
+Signed-off-by: Liang Chen <liangchen.linux@gmail.com>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Reviewed-by: Coly Li <colyli@suse.de>
+Reviewed-by: Eric Wheeler <bcache@linux.ewheeler.net>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/super.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -2083,6 +2083,7 @@ static void bcache_exit(void)
+ if (bcache_major)
+ unregister_blkdev(bcache_major, "bcache");
+ unregister_reboot_notifier(&reboot);
++ mutex_destroy(&bch_register_lock);
+ }
+
+ static int __init bcache_init(void)
+@@ -2101,14 +2102,15 @@ static int __init bcache_init(void)
+ bcache_major = register_blkdev(0, "bcache");
+ if (bcache_major < 0) {
+ unregister_reboot_notifier(&reboot);
++ mutex_destroy(&bch_register_lock);
+ return bcache_major;
+ }
+
+ if (!(bcache_wq = create_workqueue("bcache")) ||
+ !(bcache_kobj = kobject_create_and_add("bcache", fs_kobj)) ||
+- sysfs_create_files(bcache_kobj, files) ||
+ bch_request_init() ||
+- bch_debug_init(bcache_kobj))
++ bch_debug_init(bcache_kobj) ||
++ sysfs_create_files(bcache_kobj, files))
+ goto err;
+
+ return 0;
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: "tang.junhui" <tang.junhui@zte.com.cn>
+Date: Mon, 30 Oct 2017 14:46:34 -0700
+Subject: bcache: fix wrong cache_misses statistics
+
+From: "tang.junhui" <tang.junhui@zte.com.cn>
+
+
+[ Upstream commit c157313791a999646901b3e3c6888514ebc36d62 ]
+
+Currently, Cache missed IOs are identified by s->cache_miss, but actually,
+there are many situations that missed IOs are not assigned a value for
+s->cache_miss in cached_dev_cache_miss(), for example, a bypassed IO
+(s->iop.bypass = 1), or the cache_bio allocate failed. In these situations,
+it will go to out_put or out_submit, and s->cache_miss is null, which leads
+bch_mark_cache_accounting() to treat this IO as a hit IO.
+
+[ML: applied by 3-way merge]
+
+Signed-off-by: tang.junhui <tang.junhui@zte.com.cn>
+Reviewed-by: Michael Lyle <mlyle@lyle.org>
+Reviewed-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/request.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/request.c
++++ b/drivers/md/bcache/request.c
+@@ -468,6 +468,7 @@ struct search {
+ unsigned recoverable:1;
+ unsigned write:1;
+ unsigned read_dirty_data:1;
++ unsigned cache_missed:1;
+
+ unsigned long start_time;
+
+@@ -653,6 +654,7 @@ static inline struct search *search_allo
+
+ s->orig_bio = bio;
+ s->cache_miss = NULL;
++ s->cache_missed = 0;
+ s->d = d;
+ s->recoverable = 1;
+ s->write = (bio->bi_rw & REQ_WRITE) != 0;
+@@ -776,7 +778,7 @@ static void cached_dev_read_done_bh(stru
+ struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
+
+ bch_mark_cache_accounting(s->iop.c, s->d,
+- !s->cache_miss, s->iop.bypass);
++ !s->cache_missed, s->iop.bypass);
+ trace_bcache_read(s->orig_bio, !s->cache_miss, s->iop.bypass);
+
+ if (s->iop.error)
+@@ -795,6 +797,8 @@ static int cached_dev_cache_miss(struct
+ struct cached_dev *dc = container_of(s->d, struct cached_dev, disk);
+ struct bio *miss, *cache_bio;
+
++ s->cache_missed = 1;
++
+ if (s->cache_miss || s->iop.bypass) {
+ miss = bio_next_split(bio, sectors, GFP_NOIO, s->d->bio_split);
+ ret = miss == bio ? MAP_DONE : MAP_CONTINUE;
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
+Date: Fri, 10 Mar 2017 16:45:44 -0500
+Subject: btrfs: add missing memset while reading compressed inline extents
+
+From: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
+
+
+[ Upstream commit e1699d2d7bf6e6cce3e1baff19f9dd4595a58664 ]
+
+This is a story about 4 distinct (and very old) btrfs bugs.
+
+Commit c8b978188c ("Btrfs: Add zlib compression support") added
+three data corruption bugs for inline extents (bugs #1-3).
+
+Commit 93c82d5750 ("Btrfs: zero page past end of inline file items")
+fixed bug #1: uncompressed inline extents followed by a hole and more
+extents could get non-zero data in the hole as they were read. The fix
+was to add a memset in btrfs_get_extent to zero out the hole.
+
+Commit 166ae5a418 ("btrfs: fix inline compressed read err corruption")
+fixed bug #2: compressed inline extents which contained non-zero bytes
+might be replaced with zero bytes in some cases. This patch removed an
+unhelpful memset from uncompress_inline, but the case where memset is
+required was missed.
+
+There is also a memset in the decompression code, but this only covers
+decompressed data that is shorter than the ram_bytes from the extent
+ref record. This memset doesn't cover the region between the end of the
+decompressed data and the end of the page. It has also moved around a
+few times over the years, so there's no single patch to refer to.
+
+This patch fixes bug #3: compressed inline extents followed by a hole
+and more extents could get non-zero data in the hole as they were read
+(i.e. bug #3 is the same as bug #1, but s/uncompressed/compressed/).
+The fix is the same: zero out the hole in the compressed case too,
+by putting a memset back in uncompress_inline, but this time with
+correct parameters.
+
+The last and oldest bug, bug #0, is the cause of the offending inline
+extent/hole/extent pattern. Bug #0 is a subtle and mostly-harmless quirk
+of behavior somewhere in the btrfs write code. In a few special cases,
+an inline extent and hole are allowed to persist where they normally
+would be combined with later extents in the file.
+
+A fast reproducer for bug #0 is presented below. A few offending extents
+are also created in the wild during large rsync transfers with the -S
+flag. A Linux kernel build (git checkout; make allyesconfig; make -j8)
+will produce a handful of offending files as well. Once an offending
+file is created, it can present different content to userspace each
+time it is read.
+
+Bug #0 is at least 4 and possibly 8 years old. I verified every vX.Y
+kernel back to v3.5 has this behavior. There are fossil records of this
+bug's effects in commits all the way back to v2.6.32. I have no reason
+to believe bug #0 wasn't present at the beginning of btrfs compression
+support in v2.6.29, but I can't easily test kernels that old to be sure.
+
+It is not clear whether bug #0 is worth fixing. A fix would likely
+require injecting extra reads into currently write-only paths, and most
+of the exceptional cases caused by bug #0 are already handled now.
+
+Whether we like them or not, bug #0's inline extents followed by holes
+are part of the btrfs de-facto disk format now, and we need to be able
+to read them without data corruption or an infoleak. So enough about
+bug #0, let's get back to bug #3 (this patch).
+
+An example of on-disk structure leading to data corruption found in
+the wild:
+
+ item 61 key (606890 INODE_ITEM 0) itemoff 9662 itemsize 160
+ inode generation 50 transid 50 size 47424 nbytes 49141
+ block group 0 mode 100644 links 1 uid 0 gid 0
+ rdev 0 flags 0x0(none)
+ item 62 key (606890 INODE_REF 603050) itemoff 9642 itemsize 20
+ inode ref index 3 namelen 10 name: DB_File.so
+ item 63 key (606890 EXTENT_DATA 0) itemoff 8280 itemsize 1362
+ inline extent data size 1341 ram 4085 compress(zlib)
+ item 64 key (606890 EXTENT_DATA 4096) itemoff 8227 itemsize 53
+ extent data disk byte 5367308288 nr 20480
+ extent data offset 0 nr 45056 ram 45056
+ extent compression(zlib)
+
+Different data appears in userspace during each read of the 11 bytes
+between 4085 and 4096. The extent in item 63 is not long enough to
+fill the first page of the file, so a memset is required to fill the
+space between item 63 (ending at 4085) and item 64 (beginning at 4096)
+with zero.
+
+Here is a reproducer from Liu Bo, which demonstrates another method
+of creating the same inline extent and hole pattern:
+
+Using 'page_poison=on' kernel command line (or enable
+CONFIG_PAGE_POISONING) run the following:
+
+ # touch foo
+ # chattr +c foo
+ # xfs_io -f -c "pwrite -W 0 1000" foo
+ # xfs_io -f -c "falloc 4 8188" foo
+ # od -x foo
+ # echo 3 >/proc/sys/vm/drop_caches
+ # od -x foo
+
+This produce the following on my box:
+
+Correct output: file contains 1000 data bytes followed
+by zeros:
+
+ 0000000 cdcd cdcd cdcd cdcd cdcd cdcd cdcd cdcd
+ *
+ 0001740 cdcd cdcd cdcd cdcd 0000 0000 0000 0000
+ 0001760 0000 0000 0000 0000 0000 0000 0000 0000
+ *
+ 0020000
+
+Actual output: the data after the first 1000 bytes
+will be different each run:
+
+ 0000000 cdcd cdcd cdcd cdcd cdcd cdcd cdcd cdcd
+ *
+ 0001740 cdcd cdcd cdcd cdcd 6c63 7400 635f 006d
+ 0001760 5f74 6f43 7400 435f 0053 5f74 7363 7400
+ 0002000 435f 0056 5f74 6164 7400 645f 0062 5f74
+ (...)
+
+Signed-off-by: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
+Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: Chris Mason <clm@fb.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/inode.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -6735,6 +6735,20 @@ static noinline int uncompress_inline(st
+ max_size = min_t(unsigned long, PAGE_CACHE_SIZE, max_size);
+ ret = btrfs_decompress(compress_type, tmp, page,
+ extent_offset, inline_size, max_size);
++
++ /*
++ * decompression code contains a memset to fill in any space between the end
++ * of the uncompressed data and the end of max_size in case the decompressed
++ * data ends up shorter than ram_bytes. That doesn't cover the hole between
++ * the end of an inline extent and the beginning of the next block, so we
++ * cover that region here.
++ */
++
++ if (max_size + pg_offset < PAGE_SIZE) {
++ char *map = kmap(page);
++ memset(map + pg_offset + max_size, 0, PAGE_SIZE - max_size - pg_offset);
++ kunmap(page);
++ }
+ kfree(tmp);
+ return ret;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
+Date: Tue, 1 Aug 2017 12:40:07 +0200
+Subject: clk: imx6: refine hdmi_isfr's parent to make HDMI work on i.MX6 SoCs w/o VPU
+
+From: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
+
+
+[ Upstream commit c68ee58d9ee7b856ac722f18f4f26579c8fbd2b4 ]
+
+On i.MX6 SoCs without VPU (in my case MCIMX6D4AVT10AC), the hdmi driver
+fails to probe:
+
+[ 2.540030] dwhdmi-imx 120000.hdmi: Unsupported HDMI controller
+(0000:00:00)
+[ 2.548199] imx-drm display-subsystem: failed to bind 120000.hdmi
+(ops dw_hdmi_imx_ops): -19
+[ 2.557403] imx-drm display-subsystem: master bind failed: -19
+
+That's because hdmi_isfr's parent, video_27m, is not correctly ungated.
+As explained in commit 5ccc248cc537 ("ARM: imx6q: clk: Add support for
+mipi_core_cfg clock as a shared clock gate"), video_27m is gated by
+CCM_CCGR3[CG8].
+
+On i.MX6 SoCs with VPU, the hdmi is working thanks to the
+CCM_CMEOR[mod_en_ov_vpu] bit which makes the video_27m ungated whatever
+is in CCM_CCGR3[CG8]. The issue can be reproduced by setting
+CCMEOR[mod_en_ov_vpu] to 0.
+
+Make the HDMI work in every case by setting hdmi_isfr's parent to
+mipi_core_cfg.
+
+Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
+Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/imx/clk-imx6q.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/imx/clk-imx6q.c
++++ b/drivers/clk/imx/clk-imx6q.c
+@@ -419,7 +419,7 @@ static void __init imx6q_clocks_init(str
+ clk[IMX6QDL_CLK_GPU2D_CORE] = imx_clk_gate2("gpu2d_core", "gpu2d_core_podf", base + 0x6c, 24);
+ clk[IMX6QDL_CLK_GPU3D_CORE] = imx_clk_gate2("gpu3d_core", "gpu3d_core_podf", base + 0x6c, 26);
+ clk[IMX6QDL_CLK_HDMI_IAHB] = imx_clk_gate2("hdmi_iahb", "ahb", base + 0x70, 0);
+- clk[IMX6QDL_CLK_HDMI_ISFR] = imx_clk_gate2("hdmi_isfr", "video_27m", base + 0x70, 4);
++ clk[IMX6QDL_CLK_HDMI_ISFR] = imx_clk_gate2("hdmi_isfr", "mipi_core_cfg", base + 0x70, 4);
+ clk[IMX6QDL_CLK_I2C1] = imx_clk_gate2("i2c1", "ipg_per", base + 0x70, 6);
+ clk[IMX6QDL_CLK_I2C2] = imx_clk_gate2("i2c2", "ipg_per", base + 0x70, 8);
+ clk[IMX6QDL_CLK_I2C3] = imx_clk_gate2("i2c3", "ipg_per", base + 0x70, 10);
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Chen Zhong <chen.zhong@mediatek.com>
+Date: Thu, 5 Oct 2017 11:50:23 +0800
+Subject: clk: mediatek: add the option for determining PLL source clock
+
+From: Chen Zhong <chen.zhong@mediatek.com>
+
+
+[ Upstream commit c955bf3998efa3355790a4d8c82874582f1bc727 ]
+
+Since the previous setup always sets the PLL using crystal 26MHz, this
+doesn't always happen in every MediaTek platform. So the patch added
+flexibility for assigning extra member for determining the PLL source
+clock.
+
+Signed-off-by: Chen Zhong <chen.zhong@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/mediatek/clk-mtk.h | 1 +
+ drivers/clk/mediatek/clk-pll.c | 5 ++++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/clk/mediatek/clk-mtk.h
++++ b/drivers/clk/mediatek/clk-mtk.h
+@@ -174,6 +174,7 @@ struct mtk_pll_data {
+ uint32_t pcw_reg;
+ int pcw_shift;
+ const struct mtk_pll_div_table *div_table;
++ const char *parent_name;
+ };
+
+ void mtk_clk_register_plls(struct device_node *node,
+--- a/drivers/clk/mediatek/clk-pll.c
++++ b/drivers/clk/mediatek/clk-pll.c
+@@ -302,7 +302,10 @@ static struct clk *mtk_clk_register_pll(
+
+ init.name = data->name;
+ init.ops = &mtk_pll_ops;
+- init.parent_names = &parent_name;
++ if (data->parent_name)
++ init.parent_names = &data->parent_name;
++ else
++ init.parent_names = &parent_name;
+ init.num_parents = 1;
+
+ clk = clk_register(NULL, &pll->hw);
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Date: Tue, 19 Sep 2017 04:48:10 +0200
+Subject: clk: tegra: Fix cclk_lp divisor register
+
+From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+
+
+[ Upstream commit 54eff2264d3e9fd7e3987de1d7eba1d3581c631e ]
+
+According to comments in code and common sense, cclk_lp uses its
+own divisor, not cclk_g's.
+
+Fixes: b08e8c0ecc42 ("clk: tegra: add clock support for Tegra30")
+Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Acked-By: Peter De Schrijver <pdeschrijver@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/tegra/clk-tegra30.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/tegra/clk-tegra30.c
++++ b/drivers/clk/tegra/clk-tegra30.c
+@@ -1063,7 +1063,7 @@ static void __init tegra30_super_clk_ini
+ * U71 divider of cclk_lp.
+ */
+ clk = tegra_clk_register_divider("pll_p_out3_cclklp", "pll_p_out3",
+- clk_base + SUPER_CCLKG_DIVIDER, 0,
++ clk_base + SUPER_CCLKLP_DIVIDER, 0,
+ TEGRA_DIVIDER_INT, 16, 8, 1, NULL);
+ clk_register_clkdev(clk, "pll_p_out3_cclklp", NULL);
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Robert Baronescu <robert.baronescu@nxp.com>
+Date: Tue, 10 Oct 2017 13:22:00 +0300
+Subject: crypto: tcrypt - fix buffer lengths in test_aead_speed()
+
+From: Robert Baronescu <robert.baronescu@nxp.com>
+
+
+[ Upstream commit 7aacbfcb331ceff3ac43096d563a1f93ed46e35e ]
+
+Fix the way the length of the buffers used for
+encryption / decryption are computed.
+For e.g. in case of encryption, input buffer does not contain
+an authentication tag.
+
+Signed-off-by: Robert Baronescu <robert.baronescu@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/tcrypt.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/crypto/tcrypt.c
++++ b/crypto/tcrypt.c
+@@ -410,7 +410,7 @@ static void test_aead_speed(const char *
+ }
+
+ sg_init_aead(sg, xbuf,
+- *b_size + (enc ? authsize : 0));
++ *b_size + (enc ? 0 : authsize));
+
+ sg_init_aead(sgout, xoutbuf,
+ *b_size + (enc ? authsize : 0));
+@@ -418,7 +418,9 @@ static void test_aead_speed(const char *
+ sg_set_buf(&sg[0], assoc, aad_size);
+ sg_set_buf(&sgout[0], assoc, aad_size);
+
+- aead_request_set_crypt(req, sg, sgout, *b_size, iv);
++ aead_request_set_crypt(req, sg, sgout,
++ *b_size + (enc ? 0 : authsize),
++ iv);
+ aead_request_set_ad(req, aad_size);
+
+ if (secs)
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Matthias Kaehlcke <mka@chromium.org>
+Date: Mon, 13 Mar 2017 14:30:29 -0700
+Subject: dmaengine: Fix array index out of bounds warning in __get_unmap_pool()
+
+From: Matthias Kaehlcke <mka@chromium.org>
+
+
+[ Upstream commit 23f963e91fd81f44f6b316b1c24db563354c6be8 ]
+
+This fixes the following warning when building with clang and
+CONFIG_DMA_ENGINE_RAID=n :
+
+drivers/dma/dmaengine.c:1102:11: error: array index 2 is past the end of the array (which contains 1 element) [-Werror,-Warray-bounds]
+ return &unmap_pool[2];
+ ^ ~
+drivers/dma/dmaengine.c:1083:1: note: array 'unmap_pool' declared here
+static struct dmaengine_unmap_pool unmap_pool[] = {
+^
+drivers/dma/dmaengine.c:1104:11: error: array index 3 is past the end of the array (which contains 1 element) [-Werror,-Warray-bounds]
+ return &unmap_pool[3];
+ ^ ~
+drivers/dma/dmaengine.c:1083:1: note: array 'unmap_pool' declared here
+static struct dmaengine_unmap_pool unmap_pool[] = {
+
+Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/dmaengine.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/dma/dmaengine.c
++++ b/drivers/dma/dmaengine.c
+@@ -1023,12 +1023,14 @@ static struct dmaengine_unmap_pool *__ge
+ switch (order) {
+ case 0 ... 1:
+ return &unmap_pool[0];
++#if IS_ENABLED(CONFIG_DMA_ENGINE_RAID)
+ case 2 ... 4:
+ return &unmap_pool[1];
+ case 5 ... 7:
+ return &unmap_pool[2];
+ case 8:
+ return &unmap_pool[3];
++#endif
+ default:
+ BUG();
+ return NULL;
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
+Date: Thu, 19 Oct 2017 01:15:13 +0000
+Subject: dmaengine: rcar-dmac: use TCRB instead of TCR for residue
+
+From: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
+
+
+[ Upstream commit 847449f23dcbff68234525f90dd53c7c7db18cad ]
+
+SYS/RT/Audio DMAC includes independent data buffers for reading
+and writing. Therefore, the read transfer counter and write transfer
+counter have different values.
+TCR indicates read counter, and TCRB indicates write counter.
+The relationship is like below.
+
+ TCR TCRB
+[SOURCE] -> [DMAC] -> [SINK]
+
+In the MEM_TO_DEV direction, what really matters is how much data has
+been written to the device. If the DMA is interrupted between read and
+write, then, the data doesn't end up in the destination, so shouldn't
+be counted. TCRB is thus the register we should use in this cases.
+
+In the DEV_TO_MEM direction, the situation is more complex. Both the
+read and write side are important. What matters from a data consumer
+point of view is how much data has been written to memory.
+On the other hand, if the transfer is interrupted between read and
+write, we'll end up losing data. It can also be important to report.
+
+In the MEM_TO_MEM direction, what matters is of course how much data
+has been written to memory from data consumer point of view.
+Here, because read and write have independent data buffers, it will
+take a while for TCR and TCRB to become equal. Thus we should check
+TCRB in this case, too.
+
+Thus, all cases we should check TCRB instead of TCR.
+
+Without this patch, Sound Capture has noise after PluseAudio support
+(= 07b7acb51d2 ("ASoC: rsnd: update pointer more accurate")), because
+the recorder will use wrong residue counter which indicates transferred
+from sound device, but in reality the data was not yet put to memory
+and recorder will record it.
+
+Signed-off-by: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
+[Kuninori: added detail information in log]
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/sh/rcar-dmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/sh/rcar-dmac.c
++++ b/drivers/dma/sh/rcar-dmac.c
+@@ -1180,7 +1180,7 @@ static unsigned int rcar_dmac_chan_get_r
+ }
+
+ /* Add the residue for the current chunk. */
+- residue += rcar_dmac_chan_read(chan, RCAR_DMATCR) << desc->xfer_shift;
++ residue += rcar_dmac_chan_read(chan, RCAR_DMATCRB) << desc->xfer_shift;
+
+ return residue;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Wed, 8 Nov 2017 12:02:25 +0200
+Subject: dmaengine: ti-dma-crossbar: Correct am335x/am43xx mux value type
+
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+
+
+[ Upstream commit 288e7560e4d3e259aa28f8f58a8dfe63627a1bf6 ]
+
+The used 0x1f mask is only valid for am335x family of SoC, different family
+using this type of crossbar might have different number of electable
+events. In case of am43xx family 0x3f mask should have been used for
+example.
+Instead of trying to handle each family's mask, just use u8 type to store
+the mux value since the event offsets are aligned to byte offset.
+
+Fixes: 42dbdcc6bf965 ("dmaengine: ti-dma-crossbar: Add support for crossbar on AM33xx/AM43xx")
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Vinod Koul <vinod.koul@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/ti-dma-crossbar.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/dma/ti-dma-crossbar.c
++++ b/drivers/dma/ti-dma-crossbar.c
+@@ -46,12 +46,12 @@ struct ti_am335x_xbar_data {
+
+ struct ti_am335x_xbar_map {
+ u16 dma_line;
+- u16 mux_val;
++ u8 mux_val;
+ };
+
+-static inline void ti_am335x_xbar_write(void __iomem *iomem, int event, u16 val)
++static inline void ti_am335x_xbar_write(void __iomem *iomem, int event, u8 val)
+ {
+- writeb_relaxed(val & 0x1f, iomem + event);
++ writeb_relaxed(val, iomem + event);
+ }
+
+ static void ti_am335x_xbar_free(struct device *dev, void *route_data)
+@@ -102,7 +102,7 @@ static void *ti_am335x_xbar_route_alloca
+ }
+
+ map->dma_line = (u16)dma_spec->args[0];
+- map->mux_val = (u16)dma_spec->args[2];
++ map->mux_val = (u8)dma_spec->args[2];
+
+ dma_spec->args[2] = 0;
+ dma_spec->args_count = 2;
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Date: Tue, 28 Feb 2017 10:11:45 +0200
+Subject: drm/omap: fix dmabuf mmap for dma_alloc'ed buffers
+
+From: Tomi Valkeinen <tomi.valkeinen@ti.com>
+
+
+[ Upstream commit 9fa1d7537242bd580ffa99c4725a0407096aad26 ]
+
+omap_gem_dmabuf_mmap() returns an error (with a WARN) when called for a
+buffer which is allocated with dma_alloc_*(). This prevents dmabuf mmap
+from working on SoCs without DMM, e.g. AM4 and OMAP3.
+
+I could not find any reason for omap_gem_dmabuf_mmap() rejecting such
+buffers, and just removing the if() fixes the limitation.
+
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/omapdrm/omap_gem_dmabuf.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/gpu/drm/omapdrm/omap_gem_dmabuf.c
++++ b/drivers/gpu/drm/omapdrm/omap_gem_dmabuf.c
+@@ -142,9 +142,6 @@ static int omap_gem_dmabuf_mmap(struct d
+ struct drm_gem_object *obj = buffer->priv;
+ int ret = 0;
+
+- if (WARN_ON(!obj->filp))
+- return -EINVAL;
+-
+ ret = drm_gem_mmap_obj(obj, omap_gem_mmap_size(obj), vma);
+ if (ret < 0)
+ return ret;
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 15 Mar 2017 21:11:46 -0400
+Subject: drm/radeon: reinstate oland workaround for sclk
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+
+[ Upstream commit 66822d815ae61ecb2d9dba9031517e8a8476969d ]
+
+Higher sclks seem to be unstable on some boards.
+
+bug: https://bugs.freedesktop.org/show_bug.cgi?id=100222
+
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/radeon/si_dpm.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/si_dpm.c
++++ b/drivers/gpu/drm/radeon/si_dpm.c
+@@ -3030,9 +3030,13 @@ static void si_apply_state_adjust_rules(
+ max_mclk = 80000;
+ }
+ } else if (rdev->family == CHIP_OLAND) {
+- if ((rdev->pdev->device == 0x6604) &&
+- (rdev->pdev->subsystem_vendor == 0x1028) &&
+- (rdev->pdev->subsystem_device == 0x066F)) {
++ if ((rdev->pdev->revision == 0xC7) ||
++ (rdev->pdev->revision == 0x80) ||
++ (rdev->pdev->revision == 0x81) ||
++ (rdev->pdev->revision == 0x83) ||
++ (rdev->pdev->revision == 0x87) ||
++ (rdev->pdev->device == 0x6604) ||
++ (rdev->pdev->device == 0x6605)) {
+ max_sclk = 75000;
+ }
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Tue, 14 Mar 2017 14:42:03 -0400
+Subject: drm/radeon/si: add dpm quirk for Oland
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+
+[ Upstream commit 0f424de1fd9bc4ab24bd1fe5430ab5618e803e31 ]
+
+OLAND 0x1002:0x6604 0x1028:0x066F 0x00 seems to have problems
+with higher sclks.
+
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/radeon/si_dpm.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/si_dpm.c
++++ b/drivers/gpu/drm/radeon/si_dpm.c
+@@ -3029,6 +3029,12 @@ static void si_apply_state_adjust_rules(
+ max_sclk = 75000;
+ max_mclk = 80000;
+ }
++ } else if (rdev->family == CHIP_OLAND) {
++ if ((rdev->pdev->device == 0x6604) &&
++ (rdev->pdev->subsystem_vendor == 0x1028) &&
++ (rdev->pdev->subsystem_device == 0x066F)) {
++ max_sclk = 75000;
++ }
+ }
+ /* Apply dpm quirks */
+ while (p && p->chip_device != 0) {
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Daniel Drake <drake@endlessm.com>
+Date: Tue, 7 Feb 2017 13:08:23 -0600
+Subject: efi/esrt: Cleanup bad memory map log messages
+
+From: Daniel Drake <drake@endlessm.com>
+
+
+[ Upstream commit 822f5845f710e57d7e2df1fd1ee00d6e19d334fe ]
+
+The Intel Compute Stick STCK1A8LFC and Weibu F3C platforms both
+log 2 error messages during boot:
+
+ efi: requested map not found.
+ esrt: ESRT header is not in the memory map.
+
+Searching the web, this seems to affect many other platforms too.
+Since these messages are logged as errors, they appear on-screen during
+the boot process even when using the "quiet" boot parameter used by
+distros.
+
+Demote the ESRT error to a warning so that it does not appear on-screen,
+and delete the error logging from efi_mem_desc_lookup; both callsites
+of that function log more specific messages upon failure.
+
+Out of curiosity I looked closer at the Weibu F3C. There is no entry in
+the UEFI-provided memory map which corresponds to the ESRT pointer, but
+hacking the code to map it anyway, the ESRT does appear to be valid with
+2 entries.
+
+Signed-off-by: Daniel Drake <drake@endlessm.com>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Acked-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/efi.c | 1 -
+ drivers/firmware/efi/esrt.c | 2 +-
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -310,7 +310,6 @@ int __init efi_mem_desc_lookup(u64 phys_
+
+ early_memunmap(md, sizeof (*md));
+ }
+- pr_err_once("requested map not found.\n");
+ return -ENOENT;
+ }
+
+--- a/drivers/firmware/efi/esrt.c
++++ b/drivers/firmware/efi/esrt.c
+@@ -253,7 +253,7 @@ void __init efi_esrt_init(void)
+
+ rc = efi_mem_desc_lookup(efi.esrt, &md);
+ if (rc < 0) {
+- pr_err("ESRT header is not in the memory map.\n");
++ pr_warn("ESRT header is not in the memory map.\n");
+ return;
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Thu, 9 Nov 2017 18:09:33 +0100
+Subject: fbdev: controlfb: Add missing modes to fix out of bounds access
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+
+[ Upstream commit ac831a379d34109451b3c41a44a20ee10ecb615f ]
+
+Dan's static analysis says:
+
+ drivers/video/fbdev/controlfb.c:560 control_setup()
+ error: buffer overflow 'control_mac_modes' 20 <= 21
+
+Indeed, control_mac_modes[] has only 20 elements, while VMODE_MAX is 22,
+which may lead to an out of bounds read when parsing vmode commandline
+options.
+
+The bug was introduced in v2.4.5.6, when 2 new modes were added to
+macmodes.h, but control_mac_modes[] wasn't updated:
+
+https://kernel.opensuse.org/cgit/kernel/diff/include/video/macmodes.h?h=v2.5.2&id=29f279c764808560eaceb88fef36cbc35c529aad
+
+Augment control_mac_modes[] with the two new video modes to fix this.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/controlfb.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/video/fbdev/controlfb.h
++++ b/drivers/video/fbdev/controlfb.h
+@@ -141,5 +141,7 @@ static struct max_cmodes control_mac_mod
+ {{ 1, 2}}, /* 1152x870, 75Hz */
+ {{ 0, 1}}, /* 1280x960, 75Hz */
+ {{ 0, 1}}, /* 1280x1024, 75Hz */
++ {{ 1, 2}}, /* 1152x768, 60Hz */
++ {{ 0, 1}}, /* 1600x1024, 60Hz */
+ };
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Taku Izumi <izumi.taku@jp.fujitsu.com>
+Date: Wed, 15 Mar 2017 13:47:50 +0900
+Subject: fjes: Fix wrong netdevice feature flags
+
+From: Taku Izumi <izumi.taku@jp.fujitsu.com>
+
+
+[ Upstream commit fe8daf5fa715f7214952f06a387e4b7de818c5be ]
+
+This patch fixes netdev->features for Extended Socket network device.
+
+Currently Extended Socket network device's netdev->feature claims
+NETIF_F_HW_CSUM, however this is completely wrong. There's no feature
+of checksum offloading.
+That causes invalid TCP/UDP checksum and packet rejection when IP
+forwarding from Extended Socket network device to other network device.
+
+NETIF_F_HW_CSUM should be omitted.
+
+Signed-off-by: Taku Izumi <izumi.taku@jp.fujitsu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/fjes/fjes_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/fjes/fjes_main.c
++++ b/drivers/net/fjes/fjes_main.c
+@@ -1205,7 +1205,7 @@ static void fjes_netdev_setup(struct net
+ fjes_set_ethtool_ops(netdev);
+ netdev->mtu = fjes_support_mtu[0];
+ netdev->flags |= IFF_BROADCAST;
+- netdev->features |= NETIF_F_HW_CSUM | NETIF_F_HW_VLAN_CTAG_FILTER;
++ netdev->features |= NETIF_F_HW_VLAN_CTAG_FILTER;
+ }
+
+ static void fjes_irq_watch_task(struct work_struct *work)
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Bob Peterson <rpeterso@redhat.com>
+Date: Wed, 20 Sep 2017 08:30:04 -0500
+Subject: GFS2: Take inode off order_write list when setting jdata flag
+
+From: Bob Peterson <rpeterso@redhat.com>
+
+
+[ Upstream commit cc555b09d8c3817aeebda43a14ab67049a5653f7 ]
+
+This patch fixes a deadlock caused when the jdata flag is set for
+inodes that are already on the ordered write list. Since it is
+on the ordered write list, log_flush calls gfs2_ordered_write which
+calls filemap_fdatawrite. But since the inode had the jdata flag
+set, that calls gfs2_jdata_writepages, which tries to start a new
+transaction. A new transaction cannot be started because it tries
+to acquire the log_flush rwsem which is already locked by the log
+flush operation.
+
+The bottom line is: We cannot switch an inode from ordered to jdata
+until we eliminate any ordered data pages (via log flush) or any
+log_flush operation afterward will create the circular dependency
+above. So we need to flush the log before setting the diskflags to
+switch the file mode, then we need to remove the inode from the
+ordered writes list.
+
+Before this patch, the log flush was done for jdata->ordered, but
+that's wrong. If we're going from jdata to ordered, we don't need
+to call gfs2_log_flush because the call to filemap_fdatawrite will
+do it for us:
+
+ filemap_fdatawrite() -> __filemap_fdatawrite_range()
+ __filemap_fdatawrite_range() -> do_writepages()
+ do_writepages() -> gfs2_jdata_writepages()
+ gfs2_jdata_writepages() -> gfs2_log_flush()
+
+This patch modifies function do_gfs2_set_flags so that if a file
+has its jdata flag set, and it's already on the ordered write list,
+the log will be flushed and it will be removed from the list
+before setting the flag.
+
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Acked-by: Abhijith Das <adas@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/gfs2/file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/gfs2/file.c
++++ b/fs/gfs2/file.c
+@@ -255,7 +255,7 @@ static int do_gfs2_set_flags(struct file
+ goto out;
+ }
+ if ((flags ^ new_flags) & GFS2_DIF_JDATA) {
+- if (flags & GFS2_DIF_JDATA)
++ if (new_flags & GFS2_DIF_JDATA)
+ gfs2_log_flush(sdp, ip->i_gl, NORMAL_FLUSH);
+ error = filemap_fdatawrite(inode->i_mapping);
+ if (error)
+@@ -263,6 +263,8 @@ static int do_gfs2_set_flags(struct file
+ error = filemap_fdatawait(inode->i_mapping);
+ if (error)
+ goto out;
++ if (new_flags & GFS2_DIF_JDATA)
++ gfs2_ordered_del_inode(ip);
+ }
+ error = gfs2_trans_begin(sdp, RES_DINODE, 0);
+ if (error)
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Alex Vesker <valex@mellanox.com>
+Date: Tue, 10 Oct 2017 10:36:41 +0300
+Subject: IB/ipoib: Grab rtnl lock on heavy flush when calling ndo_open/stop
+
+From: Alex Vesker <valex@mellanox.com>
+
+
+[ Upstream commit b4b678b06f6eef18bff44a338c01870234db0bc9 ]
+
+When ndo_open and ndo_stop are called RTNL lock should be held.
+In this specific case ipoib_ib_dev_open calls the offloaded ndo_open
+which re-sets the number of TX queue assuming RTNL lock is held.
+Since RTNL lock is not held, RTNL assert will fail.
+
+Signed-off-by: Alex Vesker <valex@mellanox.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_ib.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+@@ -1044,10 +1044,15 @@ static void __ipoib_ib_dev_flush(struct
+ ipoib_ib_dev_down(dev);
+
+ if (level == IPOIB_FLUSH_HEAVY) {
++ rtnl_lock();
+ if (test_bit(IPOIB_FLAG_INITIALIZED, &priv->flags))
+ ipoib_ib_dev_stop(dev);
+- if (ipoib_ib_dev_open(dev) != 0)
++
++ result = ipoib_ib_dev_open(dev);
++ rtnl_unlock();
++ if (result)
+ return;
++
+ if (netif_queue_stopped(dev))
+ netif_start_queue(dev);
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Tue, 28 Feb 2017 17:14:41 -0800
+Subject: Input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+
+[ Upstream commit a4c2a13129f7c5bcf81704c06851601593303fd5 ]
+
+TUXEDO BU1406 does not implement active multiplexing mode properly,
+and takes around 550 ms in i8042_set_mux_mode(). Given that the
+device does not have external AUX port, there is no downside in
+disabling the MUX mode.
+
+Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Suggested-by: Vojtech Pavlik <vojtech@suse.cz>
+Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -520,6 +520,13 @@ static const struct dmi_system_id __init
+ DMI_MATCH(DMI_PRODUCT_NAME, "IC4I"),
+ },
+ },
++ {
++ /* TUXEDO BU1406 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "N24_25BU"),
++ },
++ },
+ { }
+ };
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Thu, 30 Jun 2016 16:10:51 +0300
+Subject: intel_th: pci: Add Gemini Lake support
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+
+[ Upstream commit 340837f985c2cb87ca0868d4aa9ce42b0fab3a21 ]
+
+This adds Intel(R) Trace Hub PCI ID for Gemini Lake SOC.
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/intel_th/pci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/pci.c
++++ b/drivers/hwtracing/intel_th/pci.c
+@@ -82,6 +82,11 @@ static const struct pci_device_id intel_
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x9da6),
+ .driver_data = (kernel_ulong_t)0,
+ },
++ {
++ /* Gemini Lake */
++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x318e),
++ .driver_data = (kernel_ulong_t)0,
++ },
+ { 0 },
+ };
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: tangwenji <tang.wenji@zte.com.cn>
+Date: Fri, 15 Sep 2017 16:03:13 +0800
+Subject: iscsi-target: fix memory leak in lio_target_tiqn_addtpg()
+
+From: tangwenji <tang.wenji@zte.com.cn>
+
+
+[ Upstream commit 12d5a43b2dffb6cd28062b4e19024f7982393288 ]
+
+tpg must free when call core_tpg_register() return fail
+
+Signed-off-by: tangwenji <tang.wenji@zte.com.cn>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/iscsi/iscsi_target_configfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target_configfs.c
++++ b/drivers/target/iscsi/iscsi_target_configfs.c
+@@ -1210,7 +1210,7 @@ static struct se_portal_group *lio_targe
+
+ ret = core_tpg_register(wwn, &tpg->tpg_se_tpg, SCSI_PROTOCOL_ISCSI);
+ if (ret < 0)
+- return NULL;
++ goto free_out;
+
+ ret = iscsit_tpg_add_portal_group(tiqn, tpg);
+ if (ret != 0)
+@@ -1222,6 +1222,7 @@ static struct se_portal_group *lio_targe
+ return &tpg->tpg_se_tpg;
+ out:
+ core_tpg_deregister(&tpg->tpg_se_tpg);
++free_out:
+ kfree(tpg);
+ return NULL;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Wed, 25 Oct 2017 15:57:55 +0200
+Subject: l2tp: cleanup l2tp_tunnel_delete calls
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+
+[ Upstream commit 4dc12ffeaeac939097a3f55c881d3dc3523dff0c ]
+
+l2tp_tunnel_delete does not return anything since commit 62b982eeb458
+("l2tp: fix race condition in l2tp_tunnel_delete"). But call sites of
+l2tp_tunnel_delete still do casts to void to avoid unused return value
+warnings.
+
+Kill these now useless casts.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: Sabrina Dubroca <sd@queasysnail.net>
+Cc: Guillaume Nault <g.nault@alphalink.fr>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: netdev@vger.kernel.org
+Acked-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_core.c | 2 +-
+ net/l2tp/l2tp_netlink.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1856,7 +1856,7 @@ static __net_exit void l2tp_exit_net(str
+
+ rcu_read_lock_bh();
+ list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
+- (void)l2tp_tunnel_delete(tunnel);
++ l2tp_tunnel_delete(tunnel);
+ }
+ rcu_read_unlock_bh();
+ }
+--- a/net/l2tp/l2tp_netlink.c
++++ b/net/l2tp/l2tp_netlink.c
+@@ -285,7 +285,7 @@ static int l2tp_nl_cmd_tunnel_delete(str
+ l2tp_tunnel_notify(&l2tp_nl_family, info,
+ tunnel, L2TP_CMD_TUNNEL_DELETE);
+
+- (void) l2tp_tunnel_delete(tunnel);
++ l2tp_tunnel_delete(tunnel);
+
+ out:
+ return ret;
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Alexander Duyck <alexander.h.duyck@intel.com>
+Date: Fri, 13 Oct 2017 13:40:24 -0700
+Subject: macvlan: Only deliver one copy of the frame to the macvlan interface
+
+From: Alexander Duyck <alexander.h.duyck@intel.com>
+
+
+[ Upstream commit dd6b9c2c332b40f142740d1b11fb77c653ff98ea ]
+
+This patch intoduces a slight adjustment for macvlan to address the fact
+that in source mode I was seeing two copies of any packet addressed to the
+macvlan interface being delivered where there should have been only one.
+
+The issue appears to be that one copy was delivered based on the source MAC
+address and then the second copy was being delivered based on the
+destination MAC address. To fix it I am just treating a unicast address
+match as though it is not a match since source based macvlan isn't supposed
+to be matching based on the destination MAC anyway.
+
+Fixes: 79cf79abce71 ("macvlan: add source mode")
+Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvlan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -441,7 +441,7 @@ static rx_handler_result_t macvlan_handl
+ struct macvlan_dev, list);
+ else
+ vlan = macvlan_hash_lookup(port, eth->h_dest);
+- if (vlan == NULL)
++ if (!vlan || vlan->mode == MACVLAN_MODE_SOURCE)
+ return RX_HANDLER_PASS;
+
+ dev = vlan->dev;
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Guoqing Jiang <gqjiang@suse.com>
+Date: Fri, 24 Feb 2017 11:15:12 +0800
+Subject: md-cluster: free md_cluster_info if node leave cluster
+
+From: Guoqing Jiang <gqjiang@suse.com>
+
+
+[ Upstream commit 9c8043f337f14d1743006dfc59c03e80a42e3884 ]
+
+To avoid memory leak, we need to free the cinfo which
+is allocated when node join cluster.
+
+Reviewed-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Guoqing Jiang <gqjiang@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md-cluster.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/md-cluster.c
++++ b/drivers/md/md-cluster.c
+@@ -821,6 +821,7 @@ static int leave(struct mddev *mddev)
+ lockres_free(cinfo->no_new_dev_lockres);
+ lockres_free(cinfo->bitmap_lockres);
+ dlm_release_lockspace(cinfo->lockspace, 2);
++ kfree(cinfo);
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Jiri Pirko <jiri@mellanox.com>
+Date: Tue, 14 Mar 2017 14:00:00 +0100
+Subject: mlxsw: reg: Fix SPVM max record count
+
+From: Jiri Pirko <jiri@mellanox.com>
+
+
+[ Upstream commit f004ec065b4879d6bc9ba0211af2169b3ce3097f ]
+
+The num_rec field is 8 bit, so the maximal count number is 255. This
+fixes vlans not being enabled for wider ranges than 255.
+
+Fixes: b2e345f9a454 ("mlxsw: reg: Add Switch Port VID and Switch Port VLAN Membership registers definitions")
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Reviewed-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/reg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/reg.h
++++ b/drivers/net/ethernet/mellanox/mlxsw/reg.h
+@@ -599,7 +599,7 @@ static inline void mlxsw_reg_spvid_pack(
+ #define MLXSW_REG_SPVM_ID 0x200F
+ #define MLXSW_REG_SPVM_BASE_LEN 0x04 /* base length, without records */
+ #define MLXSW_REG_SPVM_REC_LEN 0x04 /* record length */
+-#define MLXSW_REG_SPVM_REC_MAX_COUNT 256
++#define MLXSW_REG_SPVM_REC_MAX_COUNT 255
+ #define MLXSW_REG_SPVM_LEN (MLXSW_REG_SPVM_BASE_LEN + \
+ MLXSW_REG_SPVM_REC_LEN * MLXSW_REG_SPVM_REC_MAX_COUNT)
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Jiri Pirko <jiri@mellanox.com>
+Date: Tue, 14 Mar 2017 14:00:01 +0100
+Subject: mlxsw: reg: Fix SPVMLR max record count
+
+From: Jiri Pirko <jiri@mellanox.com>
+
+
+[ Upstream commit e9093b1183bbac462d2caef3eac165778c0b1bf1 ]
+
+The num_rec field is 8 bit, so the maximal count number is 255.
+This fixes vlans learning not being enabled for wider ranges than 255.
+
+Fixes: a4feea74cd7a ("mlxsw: reg: Add Switch Port VLAN MAC Learning register definition")
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Reviewed-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/reg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/reg.h
++++ b/drivers/net/ethernet/mellanox/mlxsw/reg.h
+@@ -1139,7 +1139,7 @@ static inline void mlxsw_reg_sfmr_pack(c
+ #define MLXSW_REG_SPVMLR_ID 0x2020
+ #define MLXSW_REG_SPVMLR_BASE_LEN 0x04 /* base length, without records */
+ #define MLXSW_REG_SPVMLR_REC_LEN 0x04 /* record length */
+-#define MLXSW_REG_SPVMLR_REC_MAX_COUNT 256
++#define MLXSW_REG_SPVMLR_REC_MAX_COUNT 255
+ #define MLXSW_REG_SPVMLR_LEN (MLXSW_REG_SPVMLR_BASE_LEN + \
+ MLXSW_REG_SPVMLR_REC_LEN * \
+ MLXSW_REG_SPVMLR_REC_MAX_COUNT)
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Jan Kara <jack@suse.cz>
+Date: Fri, 3 Nov 2017 12:21:21 +0100
+Subject: mm: Handle 0 flags in _calc_vm_trans() macro
+
+From: Jan Kara <jack@suse.cz>
+
+
+[ Upstream commit 592e254502041f953e84d091eae2c68cba04c10b ]
+
+_calc_vm_trans() does not handle the situation when some of the passed
+flags are 0 (which can happen if these VM flags do not make sense for
+the architecture). Improve the _calc_vm_trans() macro to return 0 in
+such situation. Since all passed flags are constant, this does not add
+any runtime overhead.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/mman.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/linux/mman.h
++++ b/include/linux/mman.h
+@@ -63,8 +63,9 @@ static inline int arch_validate_prot(uns
+ * ("bit1" and "bit2" must be single bits)
+ */
+ #define _calc_vm_trans(x, bit1, bit2) \
++ ((!(bit1) || !(bit2)) ? 0 : \
+ ((bit1) <= (bit2) ? ((x) & (bit1)) * ((bit2) / (bit1)) \
+- : ((x) & (bit1)) / ((bit1) / (bit2)))
++ : ((x) & (bit1)) / ((bit1) / (bit2))))
+
+ /*
+ * Combine the mmap "prot" argument into "vm_flags" used internally.
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: yong mao <yong.mao@mediatek.com>
+Date: Sat, 4 Mar 2017 15:10:03 +0800
+Subject: mmc: mediatek: Fixed bug where clock frequency could be set wrong
+
+From: yong mao <yong.mao@mediatek.com>
+
+
+[ Upstream commit 40ceda09c8c84694c2ca6b00bcc6dc71e8e62d96 ]
+
+This patch can fix two issues:
+
+Issue 1:
+In previous code, div may be overflow when setting clock frequency
+as f_min. We can use DIV_ROUND_UP to fix this boundary related
+issue.
+
+Issue 2:
+In previous code, we can not set the correct clock frequency when
+div equals 0xff.
+
+Signed-off-by: Yong Mao <yong.mao@mediatek.com>
+Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
+Reviewed-by: Daniel Kurtz <djkurtz@chromium.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mtk-sd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -570,7 +570,7 @@ static void msdc_set_mclk(struct msdc_ho
+ }
+ }
+ sdr_set_field(host->base + MSDC_CFG, MSDC_CFG_CKMOD | MSDC_CFG_CKDIV,
+- (mode << 8) | (div % 0xff));
++ (mode << 8) | div);
+ sdr_set_bits(host->base + MSDC_CFG, MSDC_CFG_CKPDN);
+ while (!(readl(host->base + MSDC_CFG) & MSDC_CFG_CKSTB))
+ cpu_relax();
+@@ -1540,7 +1540,7 @@ static int msdc_drv_probe(struct platfor
+ host->src_clk_freq = clk_get_rate(host->src_clk);
+ /* Set host parameters to mmc */
+ mmc->ops = &mt_msdc_ops;
+- mmc->f_min = host->src_clk_freq / (4 * 255);
++ mmc->f_min = DIV_ROUND_UP(host->src_clk_freq, 4 * 255);
+
+ mmc->caps |= MMC_CAP_ERASE | MMC_CAP_CMD23;
+ mmc->caps |= MMC_CAP_RUNTIME_RESUME;
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Doug Berger <opendmb@gmail.com>
+Date: Thu, 9 Mar 2017 16:58:44 -0800
+Subject: net: bcmgenet: correct MIB access of UniMAC RUNT counters
+
+From: Doug Berger <opendmb@gmail.com>
+
+
+[ Upstream commit 1ad3d225e5a40ca6c586989b4baaca710544c15a ]
+
+The gap between the Tx status counters and the Rx RUNT counters is now
+being added to allow correct reporting of the registers.
+
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -876,13 +876,16 @@ static void bcmgenet_update_mib_counters
+ case BCMGENET_STAT_NETDEV:
+ case BCMGENET_STAT_SOFT:
+ continue;
+- case BCMGENET_STAT_MIB_RX:
+- case BCMGENET_STAT_MIB_TX:
+ case BCMGENET_STAT_RUNT:
+- if (s->type != BCMGENET_STAT_MIB_RX)
+- offset = BCMGENET_STAT_OFFSET;
++ offset += BCMGENET_STAT_OFFSET;
++ /* fall through */
++ case BCMGENET_STAT_MIB_TX:
++ offset += BCMGENET_STAT_OFFSET;
++ /* fall through */
++ case BCMGENET_STAT_MIB_RX:
+ val = bcmgenet_umac_readl(priv,
+ UMAC_MIB_START + j + offset);
++ offset = 0; /* Reset Offset */
+ break;
+ case BCMGENET_STAT_MISC:
+ if (GENET_IS_V1(priv)) {
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Doug Berger <opendmb@gmail.com>
+Date: Thu, 9 Mar 2017 16:58:43 -0800
+Subject: net: bcmgenet: correct the RBUF_OVFL_CNT and RBUF_ERR_CNT MIB values
+
+From: Doug Berger <opendmb@gmail.com>
+
+
+[ Upstream commit ffff71328a3c321f7c14cc1edd33577717037744 ]
+
+The location of the RBUF overflow and error counters has moved between
+different version of the GENET MAC. This commit corrects the driver to
+read from the correct locations depending on the version of the GENET
+MAC.
+
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 60 ++++++++++++++++++++++---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.h | 10 ++--
+ 2 files changed, 60 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -1,7 +1,7 @@
+ /*
+ * Broadcom GENET (Gigabit Ethernet) controller driver
+ *
+- * Copyright (c) 2014 Broadcom Corporation
++ * Copyright (c) 2014-2017 Broadcom
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+@@ -778,8 +778,9 @@ static const struct bcmgenet_stats bcmge
+ STAT_GENET_RUNT("rx_runt_bytes", mib.rx_runt_bytes),
+ /* Misc UniMAC counters */
+ STAT_GENET_MISC("rbuf_ovflow_cnt", mib.rbuf_ovflow_cnt,
+- UMAC_RBUF_OVFL_CNT),
+- STAT_GENET_MISC("rbuf_err_cnt", mib.rbuf_err_cnt, UMAC_RBUF_ERR_CNT),
++ UMAC_RBUF_OVFL_CNT_V1),
++ STAT_GENET_MISC("rbuf_err_cnt", mib.rbuf_err_cnt,
++ UMAC_RBUF_ERR_CNT_V1),
+ STAT_GENET_MISC("mdf_err_cnt", mib.mdf_err_cnt, UMAC_MDF_ERR_CNT),
+ STAT_GENET_SOFT_MIB("alloc_rx_buff_failed", mib.alloc_rx_buff_failed),
+ STAT_GENET_SOFT_MIB("rx_dma_failed", mib.rx_dma_failed),
+@@ -821,6 +822,45 @@ static void bcmgenet_get_strings(struct
+ }
+ }
+
++static u32 bcmgenet_update_stat_misc(struct bcmgenet_priv *priv, u16 offset)
++{
++ u16 new_offset;
++ u32 val;
++
++ switch (offset) {
++ case UMAC_RBUF_OVFL_CNT_V1:
++ if (GENET_IS_V2(priv))
++ new_offset = RBUF_OVFL_CNT_V2;
++ else
++ new_offset = RBUF_OVFL_CNT_V3PLUS;
++
++ val = bcmgenet_rbuf_readl(priv, new_offset);
++ /* clear if overflowed */
++ if (val == ~0)
++ bcmgenet_rbuf_writel(priv, 0, new_offset);
++ break;
++ case UMAC_RBUF_ERR_CNT_V1:
++ if (GENET_IS_V2(priv))
++ new_offset = RBUF_ERR_CNT_V2;
++ else
++ new_offset = RBUF_ERR_CNT_V3PLUS;
++
++ val = bcmgenet_rbuf_readl(priv, new_offset);
++ /* clear if overflowed */
++ if (val == ~0)
++ bcmgenet_rbuf_writel(priv, 0, new_offset);
++ break;
++ default:
++ val = bcmgenet_umac_readl(priv, offset);
++ /* clear if overflowed */
++ if (val == ~0)
++ bcmgenet_umac_writel(priv, 0, offset);
++ break;
++ }
++
++ return val;
++}
++
+ static void bcmgenet_update_mib_counters(struct bcmgenet_priv *priv)
+ {
+ int i, j = 0;
+@@ -845,10 +885,16 @@ static void bcmgenet_update_mib_counters
+ UMAC_MIB_START + j + offset);
+ break;
+ case BCMGENET_STAT_MISC:
+- val = bcmgenet_umac_readl(priv, s->reg_offset);
+- /* clear if overflowed */
+- if (val == ~0)
+- bcmgenet_umac_writel(priv, 0, s->reg_offset);
++ if (GENET_IS_V1(priv)) {
++ val = bcmgenet_umac_readl(priv, s->reg_offset);
++ /* clear if overflowed */
++ if (val == ~0)
++ bcmgenet_umac_writel(priv, 0,
++ s->reg_offset);
++ } else {
++ val = bcmgenet_update_stat_misc(priv,
++ s->reg_offset);
++ }
+ break;
+ }
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2014 Broadcom Corporation
++ * Copyright (c) 2014-2017 Broadcom
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+@@ -214,7 +214,9 @@ struct bcmgenet_mib_counters {
+ #define MDIO_REG_SHIFT 16
+ #define MDIO_REG_MASK 0x1F
+
+-#define UMAC_RBUF_OVFL_CNT 0x61C
++#define UMAC_RBUF_OVFL_CNT_V1 0x61C
++#define RBUF_OVFL_CNT_V2 0x80
++#define RBUF_OVFL_CNT_V3PLUS 0x94
+
+ #define UMAC_MPD_CTRL 0x620
+ #define MPD_EN (1 << 0)
+@@ -224,7 +226,9 @@ struct bcmgenet_mib_counters {
+
+ #define UMAC_MPD_PW_MS 0x624
+ #define UMAC_MPD_PW_LS 0x628
+-#define UMAC_RBUF_ERR_CNT 0x634
++#define UMAC_RBUF_ERR_CNT_V1 0x634
++#define RBUF_ERR_CNT_V2 0x84
++#define RBUF_ERR_CNT_V3PLUS 0x98
+ #define UMAC_MDF_ERR_CNT 0x638
+ #define UMAC_MDF_CTRL 0x650
+ #define UMAC_MDF_ADDR 0x654
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Doug Berger <opendmb@gmail.com>
+Date: Thu, 9 Mar 2017 16:58:46 -0800
+Subject: net: bcmgenet: power down internal phy if open or resume fails
+
+From: Doug Berger <opendmb@gmail.com>
+
+
+[ Upstream commit 7627409cc4970e8c8b9de6945ad86a575290a94e ]
+
+Since the internal PHY is powered up during the open and resume
+functions it should be powered back down if the functions fail.
+
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -2950,6 +2950,8 @@ err_irq0:
+ err_fini_dma:
+ bcmgenet_fini_dma(priv);
+ err_clk_disable:
++ if (priv->internal_phy)
++ bcmgenet_power_down(priv, GENET_POWER_PASSIVE);
+ clk_disable_unprepare(priv->clk);
+ return ret;
+ }
+@@ -3653,6 +3655,8 @@ static int bcmgenet_resume(struct device
+ return 0;
+
+ out_clk_disable:
++ if (priv->internal_phy)
++ bcmgenet_power_down(priv, GENET_POWER_PASSIVE);
+ clk_disable_unprepare(priv->clk);
+ return ret;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Doug Berger <opendmb@gmail.com>
+Date: Thu, 9 Mar 2017 16:58:48 -0800
+Subject: net: bcmgenet: Power up the internal PHY before probing the MII
+
+From: Doug Berger <opendmb@gmail.com>
+
+
+[ Upstream commit 6be371b053dc86f11465cc1abce2e99bda0a0574 ]
+
+When using the internal PHY it must be powered up when the MII is probed
+or the PHY will not be detected. Since the PHY is powered up at reset
+this has not been a problem. However, when the kernel is restarted with
+kexec the PHY will likely be powered down when the kernel starts so it
+will not be detected and the Ethernet link will not be established.
+
+This commit explicitly powers up the internal PHY when the GENET driver
+is probed to correct this behavior.
+
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -3384,6 +3384,7 @@ static int bcmgenet_probe(struct platfor
+ const void *macaddr;
+ struct resource *r;
+ int err = -EIO;
++ const char *phy_mode_str;
+
+ /* Up to GENET_MAX_MQ_CNT + 1 TX queues and RX queues */
+ dev = alloc_etherdev_mqs(sizeof(*priv), GENET_MAX_MQ_CNT + 1,
+@@ -3489,6 +3490,13 @@ static int bcmgenet_probe(struct platfor
+ priv->clk_eee = NULL;
+ }
+
++ /* If this is an internal GPHY, power it on now, before UniMAC is
++ * brought out of reset as absolutely no UniMAC activity is allowed
++ */
++ if (dn && !of_property_read_string(dn, "phy-mode", &phy_mode_str) &&
++ !strcasecmp(phy_mode_str, "internal"))
++ bcmgenet_power_up(priv, GENET_POWER_PASSIVE);
++
+ err = reset_umac(priv);
+ if (err)
+ goto err_clk_disable;
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Doug Berger <opendmb@gmail.com>
+Date: Thu, 9 Mar 2017 16:58:45 -0800
+Subject: net: bcmgenet: reserved phy revisions must be checked first
+
+From: Doug Berger <opendmb@gmail.com>
+
+
+[ Upstream commit eca4bad73409aedc6ff22f823c18b67a4f08c851 ]
+
+The reserved gphy_rev value of 0x01ff must be tested before the old
+or new scheme for GPHY major versioning are tested, otherwise it will
+be treated as 0xff00 according to the old scheme.
+
+Fixes: b04a2f5b9ff5 ("net: bcmgenet: add support for new GENET PHY revision scheme")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -3326,6 +3326,12 @@ static void bcmgenet_set_hw_params(struc
+ */
+ gphy_rev = reg & 0xffff;
+
++ /* This is reserved so should require special treatment */
++ if (gphy_rev == 0 || gphy_rev == 0x01ff) {
++ pr_warn("Invalid GPHY revision detected: 0x%04x\n", gphy_rev);
++ return;
++ }
++
+ /* This is the good old scheme, just GPHY major, no minor nor patch */
+ if ((gphy_rev & 0xf0) != 0)
+ priv->gphy_rev = gphy_rev << 8;
+@@ -3334,12 +3340,6 @@ static void bcmgenet_set_hw_params(struc
+ else if ((gphy_rev & 0xff00) != 0)
+ priv->gphy_rev = gphy_rev;
+
+- /* This is reserved so should require special treatment */
+- else if (gphy_rev == 0 || gphy_rev == 0x01ff) {
+- pr_warn("Invalid GPHY revision detected: 0x%04x\n", gphy_rev);
+- return;
+- }
+-
+ #ifdef CONFIG_PHYS_ADDR_T_64BIT
+ if (!(params->flags & GENET_HAS_40BITS))
+ pr_warn("GENET does not support 40-bits PA\n");
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Alexander Potapenko <glider@google.com>
+Date: Wed, 8 Mar 2017 18:08:16 +0100
+Subject: net: initialize msg.msg_flags in recvfrom
+
+From: Alexander Potapenko <glider@google.com>
+
+
+[ Upstream commit 9f138fa609c47403374a862a08a41394be53d461 ]
+
+KMSAN reports a use of uninitialized memory in put_cmsg() because
+msg.msg_flags in recvfrom haven't been initialized properly.
+The flag values don't affect the result on this path, but it's still a
+good idea to initialize them explicitly.
+
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/socket.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1697,6 +1697,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void
+ /* We assume all kernel code knows the size of sockaddr_storage */
+ msg.msg_namelen = 0;
+ msg.msg_iocb = NULL;
++ msg.msg_flags = 0;
+ if (sock->file->f_flags & O_NONBLOCK)
+ flags |= MSG_DONTWAIT;
+ err = sock_recvmsg(sock, &msg, iov_iter_count(&msg.msg_iter), flags);
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Mon, 13 Mar 2017 19:29:08 +0200
+Subject: net/mlx4_core: Avoid delays during VF driver device shutdown
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+
+[ Upstream commit 4cbe4dac82e423ecc9a0ba46af24a860853259f4 ]
+
+Some Hypervisors detach VFs from VMs by instantly causing an FLR event
+to be generated for a VF.
+
+In the mlx4 case, this will cause that VF's comm channel to be disabled
+before the VM has an opportunity to invoke the VF device's "shutdown"
+method.
+
+For such Hypervisors, there is a race condition between the VF's
+shutdown method and its internal-error detection/reset thread.
+
+The internal-error detection/reset thread (which runs every 5 seconds) also
+detects a disabled comm channel. If the internal-error detection/reset
+flow wins the race, we still get delays (while that flow tries repeatedly
+to detect comm-channel recovery).
+
+The cited commit fixed the command timeout problem when the
+internal-error detection/reset flow loses the race.
+
+This commit avoids the unneeded delays when the internal-error
+detection/reset flow wins.
+
+Fixes: d585df1c5ccf ("net/mlx4_core: Avoid command timeouts during VF driver device shutdown")
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Reported-by: Simon Xiao <sixiao@microsoft.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/cmd.c | 11 +++++++++++
+ drivers/net/ethernet/mellanox/mlx4/main.c | 11 +++++++++++
+ include/linux/mlx4/device.h | 1 +
+ 3 files changed, 23 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c
+@@ -2278,6 +2278,17 @@ static int sync_toggles(struct mlx4_dev
+ rd_toggle = swab32(readl(&priv->mfunc.comm->slave_read));
+ if (wr_toggle == 0xffffffff || rd_toggle == 0xffffffff) {
+ /* PCI might be offline */
++
++ /* If device removal has been requested,
++ * do not continue retrying.
++ */
++ if (dev->persist->interface_state &
++ MLX4_INTERFACE_STATE_NOWAIT) {
++ mlx4_warn(dev,
++ "communication channel is offline\n");
++ return -EIO;
++ }
++
+ msleep(100);
+ wr_toggle = swab32(readl(&priv->mfunc.comm->
+ slave_write));
+--- a/drivers/net/ethernet/mellanox/mlx4/main.c
++++ b/drivers/net/ethernet/mellanox/mlx4/main.c
+@@ -1763,6 +1763,14 @@ static int mlx4_comm_check_offline(struc
+ (u32)(1 << COMM_CHAN_OFFLINE_OFFSET));
+ if (!offline_bit)
+ return 0;
++
++ /* If device removal has been requested,
++ * do not continue retrying.
++ */
++ if (dev->persist->interface_state &
++ MLX4_INTERFACE_STATE_NOWAIT)
++ break;
++
+ /* There are cases as part of AER/Reset flow that PF needs
+ * around 100 msec to load. We therefore sleep for 100 msec
+ * to allow other tasks to make use of that CPU during this
+@@ -3690,6 +3698,9 @@ static void mlx4_remove_one(struct pci_d
+ struct mlx4_priv *priv = mlx4_priv(dev);
+ int active_vfs = 0;
+
++ if (mlx4_is_slave(dev))
++ persist->interface_state |= MLX4_INTERFACE_STATE_NOWAIT;
++
+ mutex_lock(&persist->interface_state_mutex);
+ persist->interface_state |= MLX4_INTERFACE_STATE_DELETION;
+ mutex_unlock(&persist->interface_state_mutex);
+--- a/include/linux/mlx4/device.h
++++ b/include/linux/mlx4/device.h
+@@ -460,6 +460,7 @@ enum {
+ enum {
+ MLX4_INTERFACE_STATE_UP = 1 << 0,
+ MLX4_INTERFACE_STATE_DELETION = 1 << 1,
++ MLX4_INTERFACE_STATE_NOWAIT = 1 << 2,
+ };
+
+ #define MSTR_SM_CHANGE_MASK (MLX4_EQ_PORT_INFO_MSTR_SM_SL_CHANGE_MASK | \
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Vlad Yasevich <vyasevich@gmail.com>
+Date: Tue, 14 Mar 2017 08:58:08 -0400
+Subject: net: Resend IGMP memberships upon peer notification.
+
+From: Vlad Yasevich <vyasevich@gmail.com>
+
+
+[ Upstream commit 37c343b4f4e70e9dc328ab04903c0ec8d154c1a4 ]
+
+When we notify peers of potential changes, it's also good to update
+IGMP memberships. For example, during VM migration, updating IGMP
+memberships will redirect existing multicast streams to the VM at the
+new location.
+
+Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1300,6 +1300,7 @@ void netdev_notify_peers(struct net_devi
+ {
+ rtnl_lock();
+ call_netdevice_notifiers(NETDEV_NOTIFY_PEERS, dev);
++ call_netdevice_notifiers(NETDEV_RESEND_IGMP, dev);
+ rtnl_unlock();
+ }
+ EXPORT_SYMBOL(netdev_notify_peers);
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:42:03 +0100
+Subject: net: wimax/i2400m: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+
+[ Upstream commit 6e526fdff7be4f13b24f929a04c0e9ae6761291e ]
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory beyond the endpoint array should a
+malicious device lack the expected endpoints.
+
+The endpoints are specifically dereferenced in the i2400m_bootrom_init
+path during probe (e.g. in i2400mu_tx_bulk_out).
+
+Fixes: f398e4240fce ("i2400m/USB: probe/disconnect, dev init/shutdown
+and reset backends")
+Cc: Inaky Perez-Gonzalez <inaky@linux.intel.com>
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wimax/i2400m/usb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wimax/i2400m/usb.c
++++ b/drivers/net/wimax/i2400m/usb.c
+@@ -467,6 +467,9 @@ int i2400mu_probe(struct usb_interface *
+ struct i2400mu *i2400mu;
+ struct usb_device *usb_dev = interface_to_usbdev(iface);
+
++ if (iface->cur_altsetting->desc.bNumEndpoints < 4)
++ return -ENODEV;
++
+ if (usb_dev->speed != USB_SPEED_HIGH)
+ dev_err(dev, "device not connected as high speed\n");
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 9 Mar 2017 23:22:30 +0100
+Subject: netfilter: bridge: honor frag_max_size when refragmenting
+
+From: Florian Westphal <fw@strlen.de>
+
+
+[ Upstream commit 4ca60d08cbe65f501baad64af50fceba79c19fbb ]
+
+consider a bridge with mtu 9000, but end host sending smaller
+packets to another host with mtu < 9000.
+
+In this case, after reassembly, bridge+defrag would refragment,
+and then attempt to send the reassembled packet as long as it
+was below 9k.
+
+Instead we have to cap by the largest fragment size seen.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_netfilter_hooks.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -701,18 +701,20 @@ static unsigned int nf_bridge_mtu_reduct
+
+ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff *skb)
+ {
+- struct nf_bridge_info *nf_bridge;
+- unsigned int mtu_reserved;
++ struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
++ unsigned int mtu, mtu_reserved;
+
+ mtu_reserved = nf_bridge_mtu_reduction(skb);
++ mtu = skb->dev->mtu;
+
+- if (skb_is_gso(skb) || skb->len + mtu_reserved <= skb->dev->mtu) {
++ if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu)
++ mtu = nf_bridge->frag_max_size;
++
++ if (skb_is_gso(skb) || skb->len + mtu_reserved <= mtu) {
+ nf_bridge_info_free(skb);
+ return br_dev_queue_push_xmit(net, sk, skb);
+ }
+
+- nf_bridge = nf_bridge_info_get(skb);
+-
+ /* This is wrong! We should preserve the original fragment
+ * boundaries by preserving frag_list rather than refragmenting.
+ */
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: KUWAZAWA Takuya <albatross0@gmail.com>
+Date: Sun, 15 Oct 2017 20:54:10 +0900
+Subject: netfilter: ipvs: Fix inappropriate output of procfs
+
+From: KUWAZAWA Takuya <albatross0@gmail.com>
+
+
+[ Upstream commit c5504f724c86ee925e7ffb80aa342cfd57959b13 ]
+
+Information about ipvs in different network namespace can be seen via procfs.
+
+How to reproduce:
+
+ # ip netns add ns01
+ # ip netns add ns02
+ # ip netns exec ns01 ip a add dev lo 127.0.0.1/8
+ # ip netns exec ns02 ip a add dev lo 127.0.0.1/8
+ # ip netns exec ns01 ipvsadm -A -t 10.1.1.1:80
+ # ip netns exec ns02 ipvsadm -A -t 10.1.1.2:80
+
+The ipvsadm displays information about its own network namespace only.
+
+ # ip netns exec ns01 ipvsadm -Ln
+ IP Virtual Server version 1.2.1 (size=4096)
+ Prot LocalAddress:Port Scheduler Flags
+ -> RemoteAddress:Port Forward Weight ActiveConn InActConn
+ TCP 10.1.1.1:80 wlc
+
+ # ip netns exec ns02 ipvsadm -Ln
+ IP Virtual Server version 1.2.1 (size=4096)
+ Prot LocalAddress:Port Scheduler Flags
+ -> RemoteAddress:Port Forward Weight ActiveConn InActConn
+ TCP 10.1.1.2:80 wlc
+
+But I can see information about other network namespace via procfs.
+
+ # ip netns exec ns01 cat /proc/net/ip_vs
+ IP Virtual Server version 1.2.1 (size=4096)
+ Prot LocalAddress:Port Scheduler Flags
+ -> RemoteAddress:Port Forward Weight ActiveConn InActConn
+ TCP 0A010101:0050 wlc
+ TCP 0A010102:0050 wlc
+
+ # ip netns exec ns02 cat /proc/net/ip_vs
+ IP Virtual Server version 1.2.1 (size=4096)
+ Prot LocalAddress:Port Scheduler Flags
+ -> RemoteAddress:Port Forward Weight ActiveConn InActConn
+ TCP 0A010102:0050 wlc
+
+Signed-off-by: KUWAZAWA Takuya <albatross0@gmail.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -1999,12 +1999,16 @@ static int ip_vs_info_seq_show(struct se
+ seq_puts(seq,
+ " -> RemoteAddress:Port Forward Weight ActiveConn InActConn\n");
+ } else {
++ struct net *net = seq_file_net(seq);
++ struct netns_ipvs *ipvs = net_ipvs(net);
+ const struct ip_vs_service *svc = v;
+ const struct ip_vs_iter *iter = seq->private;
+ const struct ip_vs_dest *dest;
+ struct ip_vs_scheduler *sched = rcu_dereference(svc->scheduler);
+ char *sched_name = sched ? sched->name : "none";
+
++ if (svc->ipvs != ipvs)
++ return 0;
+ if (iter->table == ip_vs_svc_table) {
+ #ifdef CONFIG_IP_VS_IPV6
+ if (svc->af == AF_INET6)
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 10 Mar 2017 11:36:39 +1100
+Subject: NFSD: fix nfsd_minorversion(.., NFSD_AVAIL)
+
+From: NeilBrown <neilb@suse.com>
+
+
+[ Upstream commit 928c6fb3a9bfd6c5b287aa3465226add551c13c0 ]
+
+Current code will return 1 if the version is supported,
+and -1 if it isn't.
+This is confusing and inconsistent with the one place where this
+is used.
+So change to return 1 if it is supported, and zero if not.
+i.e. an error is never returned.
+
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfssvc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfssvc.c
++++ b/fs/nfsd/nfssvc.c
+@@ -151,7 +151,8 @@ int nfsd_vers(int vers, enum vers_op cha
+
+ int nfsd_minorversion(u32 minorversion, enum vers_op change)
+ {
+- if (minorversion > NFSD_SUPPORTED_MINOR_VERSION)
++ if (minorversion > NFSD_SUPPORTED_MINOR_VERSION &&
++ change != NFSD_AVAIL)
+ return -1;
+ switch(change) {
+ case NFSD_SET:
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: NeilBrown <neilb@suse.com>
+Date: Fri, 10 Mar 2017 11:36:39 +1100
+Subject: NFSD: fix nfsd_reset_versions for NFSv4.
+
+From: NeilBrown <neilb@suse.com>
+
+
+[ Upstream commit 800a938f0bf9130c8256116649c0cc5806bfb2fd ]
+
+If you write "-2 -3 -4" to the "versions" file, it will
+notice that no versions are enabled, and nfsd_reset_versions()
+is called.
+This enables all major versions, not no minor versions.
+So we lose the invariant that NFSv4 is only advertised when
+at least one minor is enabled.
+
+Fix the code to explicitly enable minor versions for v4,
+change it to use nfsd_vers() to test and set, and simplify
+the code.
+
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfssvc.c | 25 +++++++++++--------------
+ 1 file changed, 11 insertions(+), 14 deletions(-)
+
+--- a/fs/nfsd/nfssvc.c
++++ b/fs/nfsd/nfssvc.c
+@@ -330,23 +330,20 @@ static void nfsd_last_thread(struct svc_
+
+ void nfsd_reset_versions(void)
+ {
+- int found_one = 0;
+ int i;
+
+- for (i = NFSD_MINVERS; i < NFSD_NRVERS; i++) {
+- if (nfsd_program.pg_vers[i])
+- found_one = 1;
+- }
++ for (i = 0; i < NFSD_NRVERS; i++)
++ if (nfsd_vers(i, NFSD_TEST))
++ return;
+
+- if (!found_one) {
+- for (i = NFSD_MINVERS; i < NFSD_NRVERS; i++)
+- nfsd_program.pg_vers[i] = nfsd_version[i];
+-#if defined(CONFIG_NFSD_V2_ACL) || defined(CONFIG_NFSD_V3_ACL)
+- for (i = NFSD_ACL_MINVERS; i < NFSD_ACL_NRVERS; i++)
+- nfsd_acl_program.pg_vers[i] =
+- nfsd_acl_version[i];
+-#endif
+- }
++ for (i = 0; i < NFSD_NRVERS; i++)
++ if (i != 4)
++ nfsd_vers(i, NFSD_SET);
++ else {
++ int minor = 0;
++ while (nfsd_minorversion(minor, NFSD_SET) >= 0)
++ minor++;
++ }
+ }
+
+ /*
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Olga Kornievskaia <kolga@netapp.com>
+Date: Wed, 8 Mar 2017 14:39:15 -0500
+Subject: NFSv4.1 respect server's max size in CREATE_SESSION
+
+From: Olga Kornievskaia <kolga@netapp.com>
+
+
+[ Upstream commit 033853325fe3bdc70819a8b97915bd3bca41d3af ]
+
+Currently client doesn't respect max sizes server returns in CREATE_SESSION.
+nfs4_session_set_rwsize() gets called and server->rsize, server->wsize are 0
+so they never get set to the sizes returned by the server.
+
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4client.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4client.c
++++ b/fs/nfs/nfs4client.c
+@@ -895,9 +895,9 @@ static void nfs4_session_set_rwsize(stru
+ server_resp_sz = sess->fc_attrs.max_resp_sz - nfs41_maxread_overhead;
+ server_rqst_sz = sess->fc_attrs.max_rqst_sz - nfs41_maxwrite_overhead;
+
+- if (server->rsize > server_resp_sz)
++ if (!server->rsize || server->rsize > server_resp_sz)
+ server->rsize = server_resp_sz;
+- if (server->wsize > server_rqst_sz)
++ if (!server->wsize || server->wsize > server_rqst_sz)
+ server->wsize = server_rqst_sz;
+ #endif /* CONFIG_NFS_V4_1 */
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Stafford Horne <shorne@gmail.com>
+Date: Mon, 13 Mar 2017 07:44:45 +0900
+Subject: openrisc: fix issue handling 8 byte get_user calls
+
+From: Stafford Horne <shorne@gmail.com>
+
+
+[ Upstream commit 154e67cd8e8f964809d0e75e44bb121b169c75b3 ]
+
+Was getting the following error with allmodconfig:
+
+ ERROR: "__get_user_bad" [lib/test_user_copy.ko] undefined!
+
+This was simply a missing break statement, causing an unwanted fall
+through.
+
+Signed-off-by: Stafford Horne <shorne@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/openrisc/include/asm/uaccess.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/openrisc/include/asm/uaccess.h
++++ b/arch/openrisc/include/asm/uaccess.h
+@@ -215,7 +215,7 @@ do { \
+ case 1: __get_user_asm(x, ptr, retval, "l.lbz"); break; \
+ case 2: __get_user_asm(x, ptr, retval, "l.lhz"); break; \
+ case 4: __get_user_asm(x, ptr, retval, "l.lwz"); break; \
+- case 8: __get_user_asm2(x, ptr, retval); \
++ case 8: __get_user_asm2(x, ptr, retval); break; \
+ default: (x) = __get_user_bad(); \
+ } \
+ } while (0)
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Wed, 11 Oct 2017 15:35:56 -0600
+Subject: PCI: Detach driver before procfs & sysfs teardown on device remove
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+
+[ Upstream commit 16b6c8bb687cc3bec914de09061fcb8411951fda ]
+
+When removing a device, for example a VF being removed due to SR-IOV
+teardown, a "soft" hot-unplug via 'echo 1 > remove' in sysfs, or an actual
+hot-unplug, we first remove the procfs and sysfs attributes for the device
+before attempting to release the device from any driver bound to it.
+Unbinding the driver from the device can take time. The device might need
+to write out data or it might be actively in use. If it's in use by
+userspace through a vfio driver, the unbind might block until the user
+releases the device. This leads to a potentially non-trivial amount of
+time where the device exists, but we've torn down the interfaces that
+userspace uses to examine devices, for instance lspci might generate this
+sort of error:
+
+ pcilib: Cannot open /sys/bus/pci/devices/0000:01:0a.3/config
+ lspci: Unable to read the standard configuration space header of device 0000:01:0a.3
+
+We don't seem to have any dependence on this teardown ordering in the
+kernel, so let's unbind the driver first, which is also more symmetric with
+the instantiation of the device in pci_bus_add_device().
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/remove.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/remove.c
++++ b/drivers/pci/remove.c
+@@ -20,9 +20,9 @@ static void pci_stop_dev(struct pci_dev
+ pci_pme_active(dev, false);
+
+ if (dev->is_added) {
++ device_release_driver(&dev->dev);
+ pci_proc_detach_device(dev);
+ pci_remove_sysfs_dev_files(dev);
+- device_release_driver(&dev->dev);
+ dev->is_added = 0;
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Qiang <zhengqiang10@huawei.com>
+Date: Thu, 28 Sep 2017 11:54:34 +0800
+Subject: PCI/PME: Handle invalid data when reading Root Status
+
+From: Qiang <zhengqiang10@huawei.com>
+
+
+[ Upstream commit 3ad3f8ce50914288731a3018b27ee44ab803e170 ]
+
+PCIe PME and native hotplug share the same interrupt number, so hotplug
+interrupts are also processed by PME. In some cases, e.g., a Link Down
+interrupt, a device may be present but unreachable, so when we try to
+read its Root Status register, the read fails and we get all ones data
+(0xffffffff).
+
+Previously, we interpreted that data as PCI_EXP_RTSTA_PME being set, i.e.,
+"some device has asserted PME," so we scheduled pcie_pme_work_fn(). This
+caused an infinite loop because pcie_pme_work_fn() tried to handle PME
+requests until PCI_EXP_RTSTA_PME is cleared, but with the link down,
+PCI_EXP_RTSTA_PME can't be cleared.
+
+Check for the invalid 0xffffffff data everywhere we read the Root Status
+register.
+
+1469d17dd341 ("PCI: pciehp: Handle invalid data when reading from
+non-existent devices") added similar checks in the hotplug driver.
+
+Signed-off-by: Qiang Zheng <zhengqiang10@huawei.com>
+[bhelgaas: changelog, also check in pcie_pme_work_fn(), use "~0" to follow
+other similar checks]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pcie/pme.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/pcie/pme.c
++++ b/drivers/pci/pcie/pme.c
+@@ -233,6 +233,9 @@ static void pcie_pme_work_fn(struct work
+ break;
+
+ pcie_capability_read_dword(port, PCI_EXP_RTSTA, &rtsta);
++ if (rtsta == (u32) ~0)
++ break;
++
+ if (rtsta & PCI_EXP_RTSTA_PME) {
+ /*
+ * Clear PME status of the port. If there are other
+@@ -280,7 +283,7 @@ static irqreturn_t pcie_pme_irq(int irq,
+ spin_lock_irqsave(&data->lock, flags);
+ pcie_capability_read_dword(port, PCI_EXP_RTSTA, &rtsta);
+
+- if (!(rtsta & PCI_EXP_RTSTA_PME)) {
++ if (rtsta == (u32) ~0 || !(rtsta & PCI_EXP_RTSTA_PME)) {
+ spin_unlock_irqrestore(&data->lock, flags);
+ return IRQ_NONE;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Wed, 15 Mar 2017 22:53:37 +0100
+Subject: perf symbols: Fix symbols__fixup_end heuristic for corner cases
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+
+[ Upstream commit e7ede72a6d40cb3a30c087142d79381ca8a31dab ]
+
+The current symbols__fixup_end() heuristic for the last entry in the rb
+tree is suboptimal as it leads to not being able to recognize the symbol
+in the call graph in a couple of corner cases, for example:
+
+ i) If the symbol has a start address (f.e. exposed via kallsyms)
+ that is at a page boundary, then the roundup(curr->start, 4096)
+ for the last entry will result in curr->start == curr->end with
+ a symbol length of zero.
+
+ii) If the symbol has a start address that is shortly before a page
+ boundary, then also here, curr->end - curr->start will just be
+ very few bytes, where it's unrealistic that we could perform a
+ match against.
+
+Instead, change the heuristic to roundup(curr->start, 4096) + 4096, so
+that we can catch such corner cases and have a better chance to find
+that specific symbol. It's still just best effort as the real end of the
+symbol is unknown to us (and could even be at a larger offset than the
+current range), but better than the current situation.
+
+Alexei reported that he recently run into case i) with a JITed eBPF
+program (these are all page aligned) as the last symbol which wasn't
+properly shown in the call graph (while other eBPF program symbols in
+the rb tree were displayed correctly). Since this is a generic issue,
+lets try to improve the heuristic a bit.
+
+Reported-and-Tested-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Fixes: 2e538c4a1847 ("perf tools: Improve kernel/modules symbol lookup")
+Link: http://lkml.kernel.org/r/bb5c80d27743be6f12afc68405f1956a330e1bc9.1489614365.git.daniel@iogearbox.net
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/symbol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/symbol.c
++++ b/tools/perf/util/symbol.c
+@@ -200,7 +200,7 @@ void symbols__fixup_end(struct rb_root *
+
+ /* Last entry */
+ if (curr->end == curr->start)
+- curr->end = roundup(curr->start, 4096);
++ curr->end = roundup(curr->start, 4096) + 4096;
+ }
+
+ void __map_groups__fixup_end(struct map_groups *mg, enum map_type type)
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Wed, 11 Oct 2017 11:57:15 +0200
+Subject: pinctrl: adi2: Fix Kconfig build problem
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+
+[ Upstream commit 1c363531dd814dc4fe10865722bf6b0f72ce4673 ]
+
+The build robot is complaining on Blackfin:
+
+drivers/pinctrl/pinctrl-adi2.c: In function 'port_setup':
+>> drivers/pinctrl/pinctrl-adi2.c:221:21: error: dereferencing
+ pointer to incomplete type 'struct gpio_port_t'
+ writew(readw(®s->port_fer) & ~BIT(offset),
+ ^~
+drivers/pinctrl/pinctrl-adi2.c: In function 'adi_gpio_ack_irq':
+>> drivers/pinctrl/pinctrl-adi2.c:266:18: error: dereferencing
+pointer to incomplete type 'struct bfin_pint_regs'
+ if (readl(®s->invert_set) & pintbit)
+ ^~
+It seems the driver need to include <asm/gpio.h> and <asm/irq.h>
+to compile.
+
+The Blackfin architecture was re-defining the Kconfig
+PINCTRL symbol which is not OK, so replaced this with
+PINCTRL_BLACKFIN_ADI2 which selects PINCTRL and PINCTRL_ADI2
+just like most arches do.
+
+Further, the old GPIO driver symbol GPIO_ADI was possible to
+select at the same time as selecting PINCTRL. This was not
+working because the arch-local <asm/gpio.h> header contains
+an explicit #ifndef PINCTRL clause making compilation break
+if you combine them. The same is true for DEBUG_MMRS.
+
+Make sure the ADI2 pinctrl driver is not selected at the same
+time as the old GPIO implementation. (This should be converted
+to use gpiolib or pincontrol and move to drivers/...) Also make
+sure the old GPIO_ADI driver or DEBUG_MMRS is not selected at
+the same time as the new PINCTRL implementation, and only make
+PINCTRL_ADI2 selectable for the Blackfin families that actually
+have it.
+
+This way it is still possible to add e.g. I2C-based pin
+control expanders on the Blackfin.
+
+Cc: Steven Miao <realmz6@gmail.com>
+Cc: Huanhuan Feng <huanhuan.feng@analog.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/blackfin/Kconfig | 7 +++++--
+ arch/blackfin/Kconfig.debug | 1 +
+ drivers/pinctrl/Kconfig | 3 ++-
+ 3 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/arch/blackfin/Kconfig
++++ b/arch/blackfin/Kconfig
+@@ -318,11 +318,14 @@ config BF53x
+
+ config GPIO_ADI
+ def_bool y
++ depends on !PINCTRL
+ depends on (BF51x || BF52x || BF53x || BF538 || BF539 || BF561)
+
+-config PINCTRL
++config PINCTRL_BLACKFIN_ADI2
+ def_bool y
+- depends on BF54x || BF60x
++ depends on (BF54x || BF60x)
++ select PINCTRL
++ select PINCTRL_ADI2
+
+ config MEM_MT48LC64M4A2FB_7E
+ bool
+--- a/arch/blackfin/Kconfig.debug
++++ b/arch/blackfin/Kconfig.debug
+@@ -17,6 +17,7 @@ config DEBUG_VERBOSE
+
+ config DEBUG_MMRS
+ tristate "Generate Blackfin MMR tree"
++ depends on !PINCTRL
+ select DEBUG_FS
+ help
+ Create a tree of Blackfin MMRs via the debugfs tree. If
+--- a/drivers/pinctrl/Kconfig
++++ b/drivers/pinctrl/Kconfig
+@@ -26,7 +26,8 @@ config DEBUG_PINCTRL
+
+ config PINCTRL_ADI2
+ bool "ADI pin controller driver"
+- depends on BLACKFIN
++ depends on (BF54x || BF60x)
++ depends on !GPIO_ADI
+ select PINMUX
+ select IRQ_DOMAIN
+ help
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Markus Elfring <elfring@users.sourceforge.net>
+Date: Wed, 1 Nov 2017 18:42:45 +0100
+Subject: platform/x86: sony-laptop: Fix error handling in sony_nc_setup_rfkill()
+
+From: Markus Elfring <elfring@users.sourceforge.net>
+
+
+[ Upstream commit f6c8a317ab208aee223776327c06f23342492d54 ]
+
+Source code review for a specific software refactoring showed the need
+for another correction because the error code "-1" was returned so far
+if a call of the function "sony_call_snc_handle" failed here.
+Thus assign the return value from these two function calls also to
+the variable "err" and provide it in case of a failure.
+
+Fixes: d6f15ed876b83a1a0eba1d0473eef58acc95444a ("sony-laptop: use soft rfkill status stored in hw")
+Suggested-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lkml.org/lkml/2017/10/31/463
+Link: https://lkml.kernel.org/r/<CAHp75VcMkXCioCzmLE0+BTmkqc5RSOx9yPO0ectVHMrMvewgwg@mail.gmail.com>
+Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/sony-laptop.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/platform/x86/sony-laptop.c
++++ b/drivers/platform/x86/sony-laptop.c
+@@ -1655,17 +1655,19 @@ static int sony_nc_setup_rfkill(struct a
+ if (!rfk)
+ return -ENOMEM;
+
+- if (sony_call_snc_handle(sony_rfkill_handle, 0x200, &result) < 0) {
++ err = sony_call_snc_handle(sony_rfkill_handle, 0x200, &result);
++ if (err < 0) {
+ rfkill_destroy(rfk);
+- return -1;
++ return err;
+ }
+ hwblock = !(result & 0x1);
+
+- if (sony_call_snc_handle(sony_rfkill_handle,
+- sony_rfkill_address[nc_type],
+- &result) < 0) {
++ err = sony_call_snc_handle(sony_rfkill_handle,
++ sony_rfkill_address[nc_type],
++ &result);
++ if (err < 0) {
+ rfkill_destroy(rfk);
+- return -1;
++ return err;
+ }
+ swblock = !(result & 0x2);
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Wed, 18 Oct 2017 11:16:47 +0200
+Subject: powerpc/ipic: Fix status get and status clear
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+
+[ Upstream commit 6b148a7ce72a7f87c81cbcde48af014abc0516a9 ]
+
+IPIC Status is provided by register IPIC_SERSR and not by IPIC_SERMR
+which is the mask register.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/sysdev/ipic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/sysdev/ipic.c
++++ b/arch/powerpc/sysdev/ipic.c
+@@ -845,12 +845,12 @@ void ipic_disable_mcp(enum ipic_mcp_irq
+
+ u32 ipic_get_mcp_status(void)
+ {
+- return ipic_read(primary_ipic->regs, IPIC_SERMR);
++ return ipic_read(primary_ipic->regs, IPIC_SERSR);
+ }
+
+ void ipic_clear_mcp_status(u32 mask)
+ {
+- ipic_write(primary_ipic->regs, IPIC_SERMR, mask);
++ ipic_write(primary_ipic->regs, IPIC_SERSR, mask);
+ }
+
+ /* Return an interrupt vector or NO_IRQ if no interrupt is pending. */
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: "William A. Kennington III" <wak@google.com>
+Date: Fri, 22 Sep 2017 16:58:00 -0700
+Subject: powerpc/opal: Fix EBUSY bug in acquiring tokens
+
+From: "William A. Kennington III" <wak@google.com>
+
+
+[ Upstream commit 71e24d7731a2903b1ae2bba2b2971c654d9c2aa6 ]
+
+The current code checks the completion map to look for the first token
+that is complete. In some cases, a completion can come in but the
+token can still be on lease to the caller processing the completion.
+If this completed but unreleased token is the first token found in the
+bitmap by another tasks trying to acquire a token, then the
+__test_and_set_bit call will fail since the token will still be on
+lease. The acquisition will then fail with an EBUSY.
+
+This patch reorganizes the acquisition code to look at the
+opal_async_token_map for an unleased token. If the token has no lease
+it must have no outstanding completions so we should never see an
+EBUSY, unless we have leased out too many tokens. Since
+opal_async_get_token_inrerruptible is protected by a semaphore, we
+will practically never see EBUSY anymore.
+
+Fixes: 8d7248232208 ("powerpc/powernv: Infrastructure to support OPAL async completion")
+Signed-off-by: William A. Kennington III <wak@google.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/opal-async.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/opal-async.c
++++ b/arch/powerpc/platforms/powernv/opal-async.c
+@@ -39,18 +39,18 @@ int __opal_async_get_token(void)
+ int token;
+
+ spin_lock_irqsave(&opal_async_comp_lock, flags);
+- token = find_first_bit(opal_async_complete_map, opal_max_async_tokens);
++ token = find_first_zero_bit(opal_async_token_map, opal_max_async_tokens);
+ if (token >= opal_max_async_tokens) {
+ token = -EBUSY;
+ goto out;
+ }
+
+- if (__test_and_set_bit(token, opal_async_token_map)) {
++ if (!__test_and_clear_bit(token, opal_async_complete_map)) {
+ token = -EBUSY;
+ goto out;
+ }
+
+- __clear_bit(token, opal_async_complete_map);
++ __set_bit(token, opal_async_token_map);
+
+ out:
+ spin_unlock_irqrestore(&opal_async_comp_lock, flags);
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Mon, 9 Oct 2017 21:52:44 +1100
+Subject: powerpc/perf/hv-24x7: Fix incorrect comparison in memord
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+
+[ Upstream commit 05c14c03138532a3cb2aa29c2960445c8753343b ]
+
+In the hv-24x7 code there is a function memord() which tries to
+implement a sort function return -1, 0, 1. However one of the
+conditions is incorrect, such that it can never be true, because we
+will have already returned.
+
+I don't believe there is a bug in practice though, because the
+comparisons are an optimisation prior to calling memcmp().
+
+Fix it by swapping the second comparision, so it can be true.
+
+Reported-by: David Binderman <dcb314@hotmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/perf/hv-24x7.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/perf/hv-24x7.c
++++ b/arch/powerpc/perf/hv-24x7.c
+@@ -514,7 +514,7 @@ static int memord(const void *d1, size_t
+ {
+ if (s1 < s2)
+ return 1;
+- if (s2 > s1)
++ if (s1 > s2)
+ return -1;
+
+ return memcmp(d1, d2, s1);
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Shriya <shriyak@linux.vnet.ibm.com>
+Date: Fri, 13 Oct 2017 10:06:41 +0530
+Subject: powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo
+
+From: Shriya <shriyak@linux.vnet.ibm.com>
+
+
+[ Upstream commit cd77b5ce208c153260ed7882d8910f2395bfaabd ]
+
+The call to /proc/cpuinfo in turn calls cpufreq_quick_get() which
+returns the last frequency requested by the kernel, but may not
+reflect the actual frequency the processor is running at. This patch
+makes a call to cpufreq_get() instead which returns the current
+frequency reported by the hardware.
+
+Fixes: fb5153d05a7d ("powerpc: powernv: Implement ppc_md.get_proc_freq()")
+Signed-off-by: Shriya <shriyak@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powernv/setup.c
++++ b/arch/powerpc/platforms/powernv/setup.c
+@@ -295,7 +295,7 @@ static unsigned long pnv_get_proc_freq(u
+ {
+ unsigned long ret_freq;
+
+- ret_freq = cpufreq_quick_get(cpu) * 1000ul;
++ ret_freq = cpufreq_get(cpu) * 1000ul;
+
+ /*
+ * If the backend cpufreq driver does not exist,
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Gao Feng <gfree.wind@vip.163.com>
+Date: Tue, 31 Oct 2017 18:25:37 +0800
+Subject: ppp: Destroy the mutex when cleanup
+
+From: Gao Feng <gfree.wind@vip.163.com>
+
+
+[ Upstream commit f02b2320b27c16b644691267ee3b5c110846f49e ]
+
+The mutex_destroy only makes sense when enable DEBUG_MUTEX. For the
+good readbility, it's better to invoke it in exit func when the init
+func invokes mutex_init.
+
+Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
+Acked-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/ppp_generic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -942,6 +942,7 @@ static __net_exit void ppp_exit_net(stru
+ unregister_netdevice_many(&list);
+ rtnl_unlock();
+
++ mutex_destroy(&pn->all_ppp_mutex);
+ idr_destroy(&pn->units_idr);
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: NeilBrown <neilb@suse.com>
+Date: Tue, 17 Oct 2017 16:18:36 +1100
+Subject: raid5: Set R5_Expanded on parity devices as well as data.
+
+From: NeilBrown <neilb@suse.com>
+
+
+[ Upstream commit 235b6003fb28f0dd8e7ed8fbdb088bb548291766 ]
+
+When reshaping a fully degraded raid5/raid6 to a larger
+nubmer of devices, the new device(s) are not in-sync
+and so that can make the newly grown stripe appear to be
+"failed".
+To avoid this, we set the R5_Expanded flag to say "Even though
+this device is not fully in-sync, this block is safe so
+don't treat the device as failed for this stripe".
+This flag is set for data devices, not not for parity devices.
+
+Consequently, if you have a RAID6 with two devices that are partly
+recovered and a spare, and start a reshape to include the spare,
+then when the reshape gets past the point where the recovery was
+up to, it will think the stripes are failed and will get into
+an infinite loop, failing to make progress.
+
+So when contructing parity on an EXPAND_READY stripe,
+set R5_Expanded.
+
+Reported-by: Curt <lightspd@gmail.com>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/raid5.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -1681,8 +1681,11 @@ static void ops_complete_reconstruct(voi
+ struct r5dev *dev = &sh->dev[i];
+
+ if (dev->written || i == pd_idx || i == qd_idx) {
+- if (!discard && !test_bit(R5_SkipCopy, &dev->flags))
++ if (!discard && !test_bit(R5_SkipCopy, &dev->flags)) {
+ set_bit(R5_UPTODATE, &dev->flags);
++ if (test_bit(STRIPE_EXPAND_READY, &sh->state))
++ set_bit(R5_Expanded, &dev->flags);
++ }
+ if (fua)
+ set_bit(R5_WantFUA, &dev->flags);
+ if (sync)
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Wed, 11 Oct 2017 10:48:45 -0700
+Subject: RDMA/cma: Avoid triggering undefined behavior
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+
+[ Upstream commit c0b64f58e8d49570aa9ee55d880f92c20ff0166b ]
+
+According to the C standard the behavior of computations with
+integer operands is as follows:
+* A computation involving unsigned operands can never overflow,
+ because a result that cannot be represented by the resulting
+ unsigned integer type is reduced modulo the number that is one
+ greater than the largest value that can be represented by the
+ resulting type.
+* The behavior for signed integer underflow and overflow is
+ undefined.
+
+Hence only use unsigned integers when checking for integer
+overflow.
+
+This patch is what I came up with after having analyzed the
+following smatch warnings:
+
+drivers/infiniband/core/cma.c:3448: cma_resolve_ib_udp() warn: signed overflow undefined. 'offset + conn_param->private_data_len < conn_param->private_data_len'
+drivers/infiniband/core/cma.c:3505: cma_connect_ib() warn: signed overflow undefined. 'offset + conn_param->private_data_len < conn_param->private_data_len'
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Acked-by: Sean Hefty <sean.hefty@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/cma.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -1353,7 +1353,7 @@ static struct rdma_id_private *cma_id_fr
+ return id_priv;
+ }
+
+-static inline int cma_user_data_offset(struct rdma_id_private *id_priv)
++static inline u8 cma_user_data_offset(struct rdma_id_private *id_priv)
+ {
+ return cma_family(id_priv) == AF_IB ? 0 : sizeof(struct cma_hdr);
+ }
+@@ -1731,7 +1731,8 @@ static int cma_req_handler(struct ib_cm_
+ struct rdma_id_private *listen_id, *conn_id;
+ struct rdma_cm_event event;
+ struct net_device *net_dev;
+- int offset, ret;
++ u8 offset;
++ int ret;
+
+ listen_id = cma_id_from_event(cm_id, ib_event, &net_dev);
+ if (IS_ERR(listen_id))
+@@ -3118,7 +3119,8 @@ static int cma_resolve_ib_udp(struct rdm
+ struct ib_cm_sidr_req_param req;
+ struct ib_cm_id *id;
+ void *private_data;
+- int offset, ret;
++ u8 offset;
++ int ret;
+
+ memset(&req, 0, sizeof req);
+ offset = cma_user_data_offset(id_priv);
+@@ -3175,7 +3177,8 @@ static int cma_connect_ib(struct rdma_id
+ struct rdma_route *route;
+ void *private_data;
+ struct ib_cm_id *id;
+- int offset, ret;
++ u8 offset;
++ int ret;
+
+ memset(&req, 0, sizeof req);
+ offset = cma_user_data_offset(id_priv);
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Tue, 7 Nov 2017 13:12:17 +0100
+Subject: rtc: pcf8563: fix output clock rate
+
+From: Philipp Zabel <p.zabel@pengutronix.de>
+
+
+[ Upstream commit a3350f9c57ffad569c40f7320b89da1f3061c5bb ]
+
+The pcf8563_clkout_recalc_rate function erroneously ignores the
+frequency index read from the CLKO register and always returns
+32768 Hz.
+
+Fixes: a39a6405d5f9 ("rtc: pcf8563: add CLKOUT to common clock framework")
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-pcf8563.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/rtc/rtc-pcf8563.c
++++ b/drivers/rtc/rtc-pcf8563.c
+@@ -427,7 +427,7 @@ static unsigned long pcf8563_clkout_reca
+ return 0;
+
+ buf &= PCF8563_REG_CLKO_F_MASK;
+- return clkout_rates[ret];
++ return clkout_rates[buf];
+ }
+
+ static long pcf8563_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Daniel Bristot de Oliveira <bristot@redhat.com>
+Date: Thu, 2 Mar 2017 15:10:57 +0100
+Subject: sched/deadline: Make sure the replenishment timer fires in the next period
+
+From: Daniel Bristot de Oliveira <bristot@redhat.com>
+
+
+[ Upstream commit 5ac69d37784b237707a7b15d199cdb6c6fdb6780 ]
+
+Currently, the replenishment timer is set to fire at the deadline
+of a task. Although that works for implicit deadline tasks because the
+deadline is equals to the begin of the next period, that is not correct
+for constrained deadline tasks (deadline < period).
+
+For instance:
+
+f.c:
+ --------------- %< ---------------
+int main (void)
+{
+ for(;;);
+}
+ --------------- >% ---------------
+
+ # gcc -o f f.c
+
+ # trace-cmd record -e sched:sched_switch \
+ -e syscalls:sys_exit_sched_setattr \
+ chrt -d --sched-runtime 490000000 \
+ --sched-deadline 500000000 \
+ --sched-period 1000000000 0 ./f
+
+ # trace-cmd report | grep "{pid of ./f}"
+
+After setting parameters, the task is replenished and continue running
+until being throttled:
+
+ f-11295 [003] 13322.113776: sys_exit_sched_setattr: 0x0
+
+The task is throttled after running 492318 ms, as expected:
+
+ f-11295 [003] 13322.606094: sched_switch: f:11295 [-1] R ==> watchdog/3:32 [0]
+
+But then, the task is replenished 500719 ms after the first
+replenishment:
+
+ <idle>-0 [003] 13322.614495: sched_switch: swapper/3:0 [120] R ==> f:11295 [-1]
+
+Running for 490277 ms:
+
+ f-11295 [003] 13323.104772: sched_switch: f:11295 [-1] R ==> swapper/3:0 [120]
+
+Hence, in the first period, the task runs 2 * runtime, and that is a bug.
+
+During the first replenishment, the next deadline is set one period away.
+So the runtime / period starts to be respected. However, as the second
+replenishment took place in the wrong instant, the next replenishment
+will also be held in a wrong instant of time. Rather than occurring in
+the nth period away from the first activation, it is taking place
+in the (nth period - relative deadline).
+
+Signed-off-by: Daniel Bristot de Oliveira <bristot@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Luca Abeni <luca.abeni@santannapisa.it>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Reviewed-by: Juri Lelli <juri.lelli@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Romulo Silva de Oliveira <romulo.deoliveira@ufsc.br>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tommaso Cucinotta <tommaso.cucinotta@sssup.it>
+Link: http://lkml.kernel.org/r/ac50d89887c25285b47465638354b63362f8adff.1488392936.git.bristot@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/deadline.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -510,10 +510,15 @@ static void update_dl_entity(struct sche
+ }
+ }
+
++static inline u64 dl_next_period(struct sched_dl_entity *dl_se)
++{
++ return dl_se->deadline - dl_se->dl_deadline + dl_se->dl_period;
++}
++
+ /*
+ * If the entity depleted all its runtime, and if we want it to sleep
+ * while waiting for some new execution time to become available, we
+- * set the bandwidth enforcement timer to the replenishment instant
++ * set the bandwidth replenishment timer to the replenishment instant
+ * and try to activate it.
+ *
+ * Notice that it is important for the caller to know if the timer
+@@ -535,7 +540,7 @@ static int start_dl_timer(struct task_st
+ * that it is actually coming from rq->clock and not from
+ * hrtimer's time base reading.
+ */
+- act = ns_to_ktime(dl_se->deadline);
++ act = ns_to_ktime(dl_next_period(dl_se));
+ now = hrtimer_cb_get_time(timer);
+ delta = ktime_to_ns(now) - rq_clock(rq);
+ act = ktime_add_ns(act, delta);
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Daniel Bristot de Oliveira <bristot@redhat.com>
+Date: Thu, 2 Mar 2017 15:10:58 +0100
+Subject: sched/deadline: Throttle a constrained deadline task activated after the deadline
+
+From: Daniel Bristot de Oliveira <bristot@redhat.com>
+
+
+[ Upstream commit df8eac8cafce7d086be3bd5cf5a838fa37594dfb ]
+
+During the activation, CBS checks if it can reuse the current task's
+runtime and period. If the deadline of the task is in the past, CBS
+cannot use the runtime, and so it replenishes the task. This rule
+works fine for implicit deadline tasks (deadline == period), and the
+CBS was designed for implicit deadline tasks. However, a task with
+constrained deadline (deadine < period) might be awakened after the
+deadline, but before the next period. In this case, replenishing the
+task would allow it to run for runtime / deadline. As in this case
+deadline < period, CBS enables a task to run for more than the
+runtime / period. In a very loaded system, this can cause a domino
+effect, making other tasks miss their deadlines.
+
+To avoid this problem, in the activation of a constrained deadline
+task after the deadline but before the next period, throttle the
+task and set the replenishing timer to the begin of the next period,
+unless it is boosted.
+
+Reproducer:
+
+ --------------- %< ---------------
+ int main (int argc, char **argv)
+ {
+ int ret;
+ int flags = 0;
+ unsigned long l = 0;
+ struct timespec ts;
+ struct sched_attr attr;
+
+ memset(&attr, 0, sizeof(attr));
+ attr.size = sizeof(attr);
+
+ attr.sched_policy = SCHED_DEADLINE;
+ attr.sched_runtime = 2 * 1000 * 1000; /* 2 ms */
+ attr.sched_deadline = 2 * 1000 * 1000; /* 2 ms */
+ attr.sched_period = 2 * 1000 * 1000 * 1000; /* 2 s */
+
+ ts.tv_sec = 0;
+ ts.tv_nsec = 2000 * 1000; /* 2 ms */
+
+ ret = sched_setattr(0, &attr, flags);
+
+ if (ret < 0) {
+ perror("sched_setattr");
+ exit(-1);
+ }
+
+ for(;;) {
+ /* XXX: you may need to adjust the loop */
+ for (l = 0; l < 150000; l++);
+ /*
+ * The ideia is to go to sleep right before the deadline
+ * and then wake up before the next period to receive
+ * a new replenishment.
+ */
+ nanosleep(&ts, NULL);
+ }
+
+ exit(0);
+ }
+ --------------- >% ---------------
+
+On my box, this reproducer uses almost 50% of the CPU time, which is
+obviously wrong for a task with 2/2000 reservation.
+
+Signed-off-by: Daniel Bristot de Oliveira <bristot@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Juri Lelli <juri.lelli@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Luca Abeni <luca.abeni@santannapisa.it>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Romulo Silva de Oliveira <romulo.deoliveira@ufsc.br>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tommaso Cucinotta <tommaso.cucinotta@sssup.it>
+Link: http://lkml.kernel.org/r/edf58354e01db46bf42df8d2dd32418833f68c89.1488392936.git.bristot@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/deadline.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -704,6 +704,37 @@ void init_dl_task_timer(struct sched_dl_
+ timer->function = dl_task_timer;
+ }
+
++/*
++ * During the activation, CBS checks if it can reuse the current task's
++ * runtime and period. If the deadline of the task is in the past, CBS
++ * cannot use the runtime, and so it replenishes the task. This rule
++ * works fine for implicit deadline tasks (deadline == period), and the
++ * CBS was designed for implicit deadline tasks. However, a task with
++ * constrained deadline (deadine < period) might be awakened after the
++ * deadline, but before the next period. In this case, replenishing the
++ * task would allow it to run for runtime / deadline. As in this case
++ * deadline < period, CBS enables a task to run for more than the
++ * runtime / period. In a very loaded system, this can cause a domino
++ * effect, making other tasks miss their deadlines.
++ *
++ * To avoid this problem, in the activation of a constrained deadline
++ * task after the deadline but before the next period, throttle the
++ * task and set the replenishing timer to the begin of the next period,
++ * unless it is boosted.
++ */
++static inline void dl_check_constrained_dl(struct sched_dl_entity *dl_se)
++{
++ struct task_struct *p = dl_task_of(dl_se);
++ struct rq *rq = rq_of_dl_rq(dl_rq_of_se(dl_se));
++
++ if (dl_time_before(dl_se->deadline, rq_clock(rq)) &&
++ dl_time_before(rq_clock(rq), dl_next_period(dl_se))) {
++ if (unlikely(dl_se->dl_boosted || !start_dl_timer(p)))
++ return;
++ dl_se->dl_throttled = 1;
++ }
++}
++
+ static
+ int dl_runtime_exceeded(struct sched_dl_entity *dl_se)
+ {
+@@ -958,6 +989,11 @@ static void dequeue_dl_entity(struct sch
+ __dequeue_dl_entity(dl_se);
+ }
+
++static inline bool dl_is_constrained(struct sched_dl_entity *dl_se)
++{
++ return dl_se->dl_deadline < dl_se->dl_period;
++}
++
+ static void enqueue_task_dl(struct rq *rq, struct task_struct *p, int flags)
+ {
+ struct task_struct *pi_task = rt_mutex_get_top_task(p);
+@@ -984,6 +1020,15 @@ static void enqueue_task_dl(struct rq *r
+ }
+
+ /*
++ * Check if a constrained deadline task was activated
++ * after the deadline but before the next period.
++ * If that is the case, the task will be throttled and
++ * the replenishment timer will be set to the next period.
++ */
++ if (!p->dl.dl_throttled && dl_is_constrained(&p->dl))
++ dl_check_constrained_dl(&p->dl);
++
++ /*
+ * If p is throttled, we do nothing. In fact, if it exhausted
+ * its budget it needs a replenishment and, since it now is on
+ * its rq, the bandwidth timer callback (which clearly has not
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Thu, 2 Mar 2017 15:10:59 +0100
+Subject: sched/deadline: Use deadline instead of period when calculating overflow
+
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+
+
+[ Upstream commit 2317d5f1c34913bac5971d93d69fb6c31bb74670 ]
+
+I was testing Daniel's changes with his test case, and tweaked it a
+little. Instead of having the runtime equal to the deadline, I
+increased the deadline ten fold.
+
+Daniel's test case had:
+
+ attr.sched_runtime = 2 * 1000 * 1000; /* 2 ms */
+ attr.sched_deadline = 2 * 1000 * 1000; /* 2 ms */
+ attr.sched_period = 2 * 1000 * 1000 * 1000; /* 2 s */
+
+To make it more interesting, I changed it to:
+
+ attr.sched_runtime = 2 * 1000 * 1000; /* 2 ms */
+ attr.sched_deadline = 20 * 1000 * 1000; /* 20 ms */
+ attr.sched_period = 2 * 1000 * 1000 * 1000; /* 2 s */
+
+The results were rather surprising. The behavior that Daniel's patch
+was fixing came back. The task started using much more than .1% of the
+CPU. More like 20%.
+
+Looking into this I found that it was due to the dl_entity_overflow()
+constantly returning true. That's because it uses the relative period
+against relative runtime vs the absolute deadline against absolute
+runtime.
+
+ runtime / (deadline - t) > dl_runtime / dl_period
+
+There's even a comment mentioning this, and saying that when relative
+deadline equals relative period, that the equation is the same as using
+deadline instead of period. That comment is backwards! What we really
+want is:
+
+ runtime / (deadline - t) > dl_runtime / dl_deadline
+
+We care about if the runtime can make its deadline, not its period. And
+then we can say "when the deadline equals the period, the equation is
+the same as using dl_period instead of dl_deadline".
+
+After correcting this, now when the task gets enqueued, it can throttle
+correctly, and Daniel's fix to the throttling of sleeping deadline
+tasks works even when the runtime and deadline are not the same.
+
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Daniel Bristot de Oliveira <bristot@redhat.com>
+Cc: Juri Lelli <juri.lelli@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Luca Abeni <luca.abeni@santannapisa.it>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Romulo Silva de Oliveira <romulo.deoliveira@ufsc.br>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tommaso Cucinotta <tommaso.cucinotta@sssup.it>
+Link: http://lkml.kernel.org/r/02135a27f1ae3fe5fd032568a5a2f370e190e8d7.1488392936.git.bristot@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/deadline.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -441,13 +441,13 @@ static void replenish_dl_entity(struct s
+ *
+ * This function returns true if:
+ *
+- * runtime / (deadline - t) > dl_runtime / dl_period ,
++ * runtime / (deadline - t) > dl_runtime / dl_deadline ,
+ *
+ * IOW we can't recycle current parameters.
+ *
+- * Notice that the bandwidth check is done against the period. For
++ * Notice that the bandwidth check is done against the deadline. For
+ * task with deadline equal to period this is the same of using
+- * dl_deadline instead of dl_period in the equation above.
++ * dl_period instead of dl_deadline in the equation above.
+ */
+ static bool dl_entity_overflow(struct sched_dl_entity *dl_se,
+ struct sched_dl_entity *pi_se, u64 t)
+@@ -472,7 +472,7 @@ static bool dl_entity_overflow(struct sc
+ * of anything below microseconds resolution is actually fiction
+ * (but still we want to give the user that illusion >;).
+ */
+- left = (pi_se->dl_period >> DL_SCALE) * (dl_se->runtime >> DL_SCALE);
++ left = (pi_se->dl_deadline >> DL_SCALE) * (dl_se->runtime >> DL_SCALE);
+ right = ((dl_se->deadline - t) >> DL_SCALE) *
+ (pi_se->dl_runtime >> DL_SCALE);
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Oct 2017 10:50:37 +0300
+Subject: scsi: bfa: integer overflow in debugfs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 3e351275655d3c84dc28abf170def9786db5176d ]
+
+We could allocate less memory than intended because we do:
+
+ bfad->regdata = kzalloc(len << 2, GFP_KERNEL);
+
+The shift can overflow leading to a crash. This is debugfs code so the
+impact is very small. I fixed the network version of this in March with
+commit 13e2d5187f6b ("bna: integer overflow bug in debugfs").
+
+Fixes: ab2a9ba189e8 ("[SCSI] bfa: add debugfs support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/bfa/bfad_debugfs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/bfa/bfad_debugfs.c
++++ b/drivers/scsi/bfa/bfad_debugfs.c
+@@ -254,7 +254,8 @@ bfad_debugfs_write_regrd(struct file *fi
+ struct bfad_s *bfad = port->bfad;
+ struct bfa_s *bfa = &bfad->bfa;
+ struct bfa_ioc_s *ioc = &bfa->ioc;
+- int addr, len, rc, i;
++ int addr, rc, i;
++ u32 len;
+ u32 *regbuf;
+ void __iomem *rb, *reg_addr;
+ unsigned long flags;
+@@ -265,7 +266,7 @@ bfad_debugfs_write_regrd(struct file *fi
+ return PTR_ERR(kern_buf);
+
+ rc = sscanf(kern_buf, "%x:%x", &addr, &len);
+- if (rc < 2) {
++ if (rc < 2 || len > (UINT_MAX >> 2)) {
+ printk(KERN_INFO
+ "bfad[%d]: %s failed to read user buf\n",
+ bfad->inst_no, __func__);
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Martin Wilck <mwilck@suse.de>
+Date: Fri, 20 Oct 2017 16:51:14 -0500
+Subject: scsi: hpsa: cleanup sas_phy structures in sysfs when unloading
+
+From: Martin Wilck <mwilck@suse.de>
+
+
+[ Upstream commit 55ca38b4255bb336c2d35990bdb2b368e19b435a ]
+
+I am resubmitting this patch on behalf of Martin Wilck with his
+permission.
+
+The original patch can be found here:
+https://www.spinics.net/lists/linux-scsi/msg102083.html
+
+This patch did not help until Hannes's
+commit 9441284fbc39 ("scsi-fixup-kernel-warning-during-rmmod")
+was applied to the kernel.
+
+--------------------------------------
+Original patch description from Martin:
+--------------------------------------
+
+When the hpsa module is unloaded using rmmod, dangling
+symlinks remain under /sys/class/sas_phy. Fix this by
+calling sas_phy_delete() rather than sas_phy_free (which,
+according to comments, should not be called for PHYs that
+have been set up successfully, anyway).
+
+Tested-by: Don Brace <don.brace@microsemi.com>
+Reviewed-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin Wilck <mwilck@suse.de>
+Signed-off-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/hpsa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -9335,9 +9335,9 @@ static void hpsa_free_sas_phy(struct hps
+ struct sas_phy *phy = hpsa_sas_phy->phy;
+
+ sas_port_delete_phy(hpsa_sas_phy->parent_port->port, phy);
+- sas_phy_free(phy);
+ if (hpsa_sas_phy->added_to_port)
+ list_del(&hpsa_sas_phy->phy_list_entry);
++ sas_phy_delete(phy);
+ kfree(hpsa_sas_phy);
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Martin Wilck <mwilck@suse.de>
+Date: Fri, 20 Oct 2017 16:51:08 -0500
+Subject: scsi: hpsa: destroy sas transport properties before scsi_host
+
+From: Martin Wilck <mwilck@suse.de>
+
+
+[ Upstream commit dfb2e6f46b3074eb85203d8f0888b71ec1c2e37a ]
+
+This patch cleans up a lot of warnings when unloading the driver.
+
+A current example of the stack trace starts with:
+ [ 142.570715] sysfs group 'power' not found for kobject 'port-5:0'
+There can be hundreds of these messages during a driver unload.
+
+I am resubmitting this patch on behalf of Martin Wilck with his
+permission.
+
+His original patch can be found here:
+https://www.spinics.net/lists/linux-scsi/msg102085.html
+
+This patch did not help until Hannes's
+commit 9441284fbc39 ("scsi-fixup-kernel-warning-during-rmmod")
+was applied to the kernel.
+
+---------------------------
+Original patch description:
+---------------------------
+
+Unloading the hpsa driver causes warnings
+
+[ 1063.793652] WARNING: CPU: 1 PID: 4850 at ../fs/sysfs/group.c:237 device_del+0x54/0x240()
+[ 1063.793659] sysfs group ffffffff81cf21a0 not found for kobject 'port-2:0'
+
+with two different stacks:
+1)
+[ 1063.793774] [<ffffffff81448af4>] device_del+0x54/0x240
+[ 1063.793780] [<ffffffff8145178a>] transport_remove_classdev+0x4a/0x60
+[ 1063.793784] [<ffffffff81451216>] attribute_container_device_trigger+0xa6/0xb0
+[ 1063.793802] [<ffffffffa0105d46>] sas_port_delete+0x126/0x160 [scsi_transport_sas]
+[ 1063.793819] [<ffffffffa036ebcc>] hpsa_free_sas_port+0x3c/0x70 [hpsa]
+
+2)
+[ 1063.797103] [<ffffffff81448af4>] device_del+0x54/0x240
+[ 1063.797118] [<ffffffffa0105d4e>] sas_port_delete+0x12e/0x160 [scsi_transport_sas]
+[ 1063.797134] [<ffffffffa036ebcc>] hpsa_free_sas_port+0x3c/0x70 [hpsa]
+
+This is caused by the fact that host device hostX is deleted before the
+SAS transport devices hostX/port-a:b.
+
+This patch fixes this by reverting the order of device deletions.
+
+Tested-by: Don Brace <don.brace@microsemi.com>
+Reviewed-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin Wilck <mwilck@suse.de>
+Signed-off-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/hpsa.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -8808,6 +8808,8 @@ static void hpsa_remove_one(struct pci_d
+ destroy_workqueue(h->rescan_ctlr_wq);
+ destroy_workqueue(h->resubmit_wq);
+
++ hpsa_delete_sas_host(h);
++
+ /*
+ * Call before disabling interrupts.
+ * scsi_remove_host can trigger I/O operations especially
+@@ -8842,8 +8844,6 @@ static void hpsa_remove_one(struct pci_d
+ h->lockup_detected = NULL; /* init_one 2 */
+ /* (void) pci_disable_pcie_error_reporting(pdev); */ /* init_one 1 */
+
+- hpsa_delete_sas_host(h);
+-
+ kfree(h); /* init_one 1 */
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Don Brace <don.brace@microsemi.com>
+Date: Fri, 10 Mar 2017 14:35:17 -0600
+Subject: scsi: hpsa: limit outstanding rescans
+
+From: Don Brace <don.brace@microsemi.com>
+
+
+[ Upstream commit 87b9e6aa87d9411f1059aa245c0c79976bc557ac ]
+
+Avoid rescan storms. No need to queue another if one is pending.
+
+Reviewed-by: Scott Benesh <scott.benesh@microsemi.com>
+Reviewed-by: Scott Teel <scott.teel@microsemi.com>
+Reviewed-by: Tomas Henzl <thenzl@redhat.com>
+Signed-off-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/hpsa.c | 16 +++++++++++++++-
+ drivers/scsi/hpsa.h | 1 +
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -5254,7 +5254,7 @@ static void hpsa_scan_complete(struct ct
+
+ spin_lock_irqsave(&h->scan_lock, flags);
+ h->scan_finished = 1;
+- wake_up_all(&h->scan_wait_queue);
++ wake_up(&h->scan_wait_queue);
+ spin_unlock_irqrestore(&h->scan_lock, flags);
+ }
+
+@@ -5272,11 +5272,23 @@ static void hpsa_scan_start(struct Scsi_
+ if (unlikely(lockup_detected(h)))
+ return hpsa_scan_complete(h);
+
++ /*
++ * If a scan is already waiting to run, no need to add another
++ */
++ spin_lock_irqsave(&h->scan_lock, flags);
++ if (h->scan_waiting) {
++ spin_unlock_irqrestore(&h->scan_lock, flags);
++ return;
++ }
++
++ spin_unlock_irqrestore(&h->scan_lock, flags);
++
+ /* wait until any scan already in progress is finished. */
+ while (1) {
+ spin_lock_irqsave(&h->scan_lock, flags);
+ if (h->scan_finished)
+ break;
++ h->scan_waiting = 1;
+ spin_unlock_irqrestore(&h->scan_lock, flags);
+ wait_event(h->scan_wait_queue, h->scan_finished);
+ /* Note: We don't need to worry about a race between this
+@@ -5286,6 +5298,7 @@ static void hpsa_scan_start(struct Scsi_
+ */
+ }
+ h->scan_finished = 0; /* mark scan as in progress */
++ h->scan_waiting = 0;
+ spin_unlock_irqrestore(&h->scan_lock, flags);
+
+ if (unlikely(lockup_detected(h)))
+@@ -8502,6 +8515,7 @@ reinit_after_soft_reset:
+ init_waitqueue_head(&h->event_sync_wait_queue);
+ mutex_init(&h->reset_mutex);
+ h->scan_finished = 1; /* no scan currently in progress */
++ h->scan_waiting = 0;
+
+ pci_set_drvdata(pdev, h);
+ h->ndevices = 0;
+--- a/drivers/scsi/hpsa.h
++++ b/drivers/scsi/hpsa.h
+@@ -200,6 +200,7 @@ struct ctlr_info {
+ dma_addr_t errinfo_pool_dhandle;
+ unsigned long *cmd_pool_bits;
+ int scan_finished;
++ u8 scan_waiting : 1;
+ spinlock_t scan_lock;
+ wait_queue_head_t scan_wait_queue;
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Don Brace <don.brace@microsemi.com>
+Date: Fri, 10 Mar 2017 14:35:11 -0600
+Subject: scsi: hpsa: update check for logical volume status
+
+From: Don Brace <don.brace@microsemi.com>
+
+
+[ Upstream commit 85b29008d8af6d94a0723aaa8d93cfb6e041158b ]
+
+ - Add in a new case for volume offline. Resolves internal testing bug
+ for multilun array management.
+ - Return correct status for failed TURs.
+
+Reviewed-by: Scott Benesh <scott.benesh@microsemi.com>
+Reviewed-by: Scott Teel <scott.teel@microsemi.com>
+Signed-off-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/hpsa.c | 35 ++++++++++++++++-------------------
+ drivers/scsi/hpsa_cmd.h | 2 ++
+ 2 files changed, 18 insertions(+), 19 deletions(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -3466,7 +3466,7 @@ exit_failed:
+ * # (integer code indicating one of several NOT READY states
+ * describing why a volume is to be kept offline)
+ */
+-static int hpsa_volume_offline(struct ctlr_info *h,
++static unsigned char hpsa_volume_offline(struct ctlr_info *h,
+ unsigned char scsi3addr[])
+ {
+ struct CommandList *c;
+@@ -3486,7 +3486,7 @@ static int hpsa_volume_offline(struct ct
+ rc = hpsa_scsi_do_simple_cmd(h, c, DEFAULT_REPLY_QUEUE, NO_TIMEOUT);
+ if (rc) {
+ cmd_free(h, c);
+- return 0;
++ return HPSA_VPD_LV_STATUS_UNSUPPORTED;
+ }
+ sense = c->err_info->SenseInfo;
+ if (c->err_info->SenseLen > sizeof(c->err_info->SenseInfo))
+@@ -3497,19 +3497,13 @@ static int hpsa_volume_offline(struct ct
+ cmd_status = c->err_info->CommandStatus;
+ scsi_status = c->err_info->ScsiStatus;
+ cmd_free(h, c);
+- /* Is the volume 'not ready'? */
+- if (cmd_status != CMD_TARGET_STATUS ||
+- scsi_status != SAM_STAT_CHECK_CONDITION ||
+- sense_key != NOT_READY ||
+- asc != ASC_LUN_NOT_READY) {
+- return 0;
+- }
+
+ /* Determine the reason for not ready state */
+ ldstat = hpsa_get_volume_status(h, scsi3addr);
+
+ /* Keep volume offline in certain cases: */
+ switch (ldstat) {
++ case HPSA_LV_FAILED:
+ case HPSA_LV_UNDERGOING_ERASE:
+ case HPSA_LV_NOT_AVAILABLE:
+ case HPSA_LV_UNDERGOING_RPI:
+@@ -3531,7 +3525,7 @@ static int hpsa_volume_offline(struct ct
+ default:
+ break;
+ }
+- return 0;
++ return HPSA_LV_OK;
+ }
+
+ /*
+@@ -3615,10 +3609,10 @@ static int hpsa_update_device_info(struc
+ /* Do an inquiry to the device to see what it is. */
+ if (hpsa_scsi_do_inquiry(h, scsi3addr, 0, inq_buff,
+ (unsigned char) OBDR_TAPE_INQ_SIZE) != 0) {
+- /* Inquiry failed (msg printed already) */
+ dev_err(&h->pdev->dev,
+- "hpsa_update_device_info: inquiry failed\n");
+- rc = -EIO;
++ "%s: inquiry failed, device will be skipped.\n",
++ __func__);
++ rc = HPSA_INQUIRY_FAILED;
+ goto bail_out;
+ }
+
+@@ -3638,15 +3632,19 @@ static int hpsa_update_device_info(struc
+
+ if (this_device->devtype == TYPE_DISK &&
+ is_logical_dev_addr_mode(scsi3addr)) {
+- int volume_offline;
++ unsigned char volume_offline;
+
+ hpsa_get_raid_level(h, scsi3addr, &this_device->raid_level);
+ if (h->fw_support & MISC_FW_RAID_OFFLOAD_BASIC)
+ hpsa_get_ioaccel_status(h, scsi3addr, this_device);
+ volume_offline = hpsa_volume_offline(h, scsi3addr);
+- if (volume_offline < 0 || volume_offline > 0xff)
+- volume_offline = HPSA_VPD_LV_STATUS_UNSUPPORTED;
+- this_device->volume_offline = volume_offline & 0xff;
++ if (volume_offline == HPSA_LV_FAILED) {
++ rc = HPSA_LV_FAILED;
++ dev_err(&h->pdev->dev,
++ "%s: LV failed, device will be skipped.\n",
++ __func__);
++ goto bail_out;
++ }
+ } else {
+ this_device->raid_level = RAID_UNKNOWN;
+ this_device->offload_config = 0;
+@@ -4115,8 +4113,7 @@ static void hpsa_update_scsi_devices(str
+ goto out;
+ }
+ if (rc) {
+- dev_warn(&h->pdev->dev,
+- "Inquiry failed, skipping device.\n");
++ h->drv_req_rescan = 1;
+ continue;
+ }
+
+--- a/drivers/scsi/hpsa_cmd.h
++++ b/drivers/scsi/hpsa_cmd.h
+@@ -155,6 +155,7 @@
+ #define CFGTBL_BusType_Fibre2G 0x00000200l
+
+ /* VPD Inquiry types */
++#define HPSA_INQUIRY_FAILED 0x02
+ #define HPSA_VPD_SUPPORTED_PAGES 0x00
+ #define HPSA_VPD_LV_DEVICE_GEOMETRY 0xC1
+ #define HPSA_VPD_LV_IOACCEL_STATUS 0xC2
+@@ -164,6 +165,7 @@
+ /* Logical volume states */
+ #define HPSA_VPD_LV_STATUS_UNSUPPORTED 0xff
+ #define HPSA_LV_OK 0x0
++#define HPSA_LV_FAILED 0x01
+ #define HPSA_LV_NOT_AVAILABLE 0x0b
+ #define HPSA_LV_UNDERGOING_ERASE 0x0F
+ #define HPSA_LV_UNDERGOING_RPI 0x12
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Kurt Garloff <garloff@suse.de>
+Date: Tue, 17 Oct 2017 09:10:45 +0200
+Subject: scsi: scsi_devinfo: Add REPORTLUN2 to EMC SYMMETRIX blacklist entry
+
+From: Kurt Garloff <garloff@suse.de>
+
+
+[ Upstream commit 909cf3e16a5274fe2127cf3cea5c8dba77b2c412 ]
+
+All EMC SYMMETRIX support REPORT_LUNS, even if configured to report
+SCSI-2 for whatever reason.
+
+Signed-off-by: Kurt Garloff <garloff@suse.de>
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_devinfo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_devinfo.c
++++ b/drivers/scsi/scsi_devinfo.c
+@@ -160,7 +160,7 @@ static struct {
+ {"DGC", "RAID", NULL, BLIST_SPARSELUN}, /* Dell PV 650F, storage on LUN 0 */
+ {"DGC", "DISK", NULL, BLIST_SPARSELUN}, /* Dell PV 650F, no storage on LUN 0 */
+ {"EMC", "Invista", "*", BLIST_SPARSELUN | BLIST_LARGELUN},
+- {"EMC", "SYMMETRIX", NULL, BLIST_SPARSELUN | BLIST_LARGELUN | BLIST_FORCELUN},
++ {"EMC", "SYMMETRIX", NULL, BLIST_SPARSELUN | BLIST_LARGELUN | BLIST_REPORTLUN2},
+ {"EMULEX", "MD21/S2 ESDI", NULL, BLIST_SINGLELUN},
+ {"easyRAID", "16P", NULL, BLIST_NOREPORTLUN},
+ {"easyRAID", "X6P", NULL, BLIST_NOREPORTLUN},
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: weiping zhang <zhangweiping@didichuxing.com>
+Date: Thu, 12 Oct 2017 14:56:44 +0800
+Subject: scsi: sd: change allow_restart to bool in sysfs interface
+
+From: weiping zhang <zhangweiping@didichuxing.com>
+
+
+[ Upstream commit 658e9a6dc1126f21fa417cd213e1cdbff8be0ba2 ]
+
+/sys/class/scsi_disk/0:2:0:0/allow_restart can be changed to 0
+unexpectedly by writing an invalid string such as the following:
+
+echo asdf > /sys/class/scsi_disk/0:2:0:0/allow_restart
+
+Signed-off-by: weiping zhang <zhangweiping@didichuxing.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sd.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -259,6 +259,7 @@ static ssize_t
+ allow_restart_store(struct device *dev, struct device_attribute *attr,
+ const char *buf, size_t count)
+ {
++ bool v;
+ struct scsi_disk *sdkp = to_scsi_disk(dev);
+ struct scsi_device *sdp = sdkp->device;
+
+@@ -268,7 +269,10 @@ allow_restart_store(struct device *dev,
+ if (sdp->type != TYPE_DISK)
+ return -EINVAL;
+
+- sdp->allow_restart = simple_strtoul(buf, NULL, 10);
++ if (kstrtobool(buf, &v))
++ return -EINVAL;
++
++ sdp->allow_restart = v;
+
+ return count;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: weiping zhang <zhangweiping@didichuxing.com>
+Date: Thu, 12 Oct 2017 14:57:06 +0800
+Subject: scsi: sd: change manage_start_stop to bool in sysfs interface
+
+From: weiping zhang <zhangweiping@didichuxing.com>
+
+
+[ Upstream commit 623401ee33e42cee64d333877892be8db02951eb ]
+
+/sys/class/scsi_disk/0:2:0:0/manage_start_stop can be changed to 0
+unexpectly by writing an invalid string.
+
+Signed-off-by: weiping zhang <zhangweiping@didichuxing.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sd.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -233,11 +233,15 @@ manage_start_stop_store(struct device *d
+ {
+ struct scsi_disk *sdkp = to_scsi_disk(dev);
+ struct scsi_device *sdp = sdkp->device;
++ bool v;
+
+ if (!capable(CAP_SYS_ADMIN))
+ return -EACCES;
+
+- sdp->manage_start_stop = simple_strtoul(buf, NULL, 10);
++ if (kstrtobool(buf, &v))
++ return -EINVAL;
++
++ sdp->manage_start_stop = v;
+
+ return count;
+ }
ext4-fix-crash-when-a-directory-s-i_size-is-too-small.patch
keys-add-missing-permission-check-for-request_key-destination.patch
mac80211-fix-addition-of-mesh-configuration-element.patch
+usb-phy-isp1301-add-of-device-id-table.patch
+md-cluster-free-md_cluster_info-if-node-leave-cluster.patch
+userfaultfd-shmem-__do_fault-requires-vm_fault_nopage.patch
+userfaultfd-selftest-vm-allow-to-build-in-vm-directory.patch
+net-initialize-msg.msg_flags-in-recvfrom.patch
+net-bcmgenet-correct-the-rbuf_ovfl_cnt-and-rbuf_err_cnt-mib-values.patch
+net-bcmgenet-correct-mib-access-of-unimac-runt-counters.patch
+net-bcmgenet-reserved-phy-revisions-must-be-checked-first.patch
+net-bcmgenet-power-down-internal-phy-if-open-or-resume-fails.patch
+net-bcmgenet-power-up-the-internal-phy-before-probing-the-mii.patch
+nfsd-fix-nfsd_minorversion-..-nfsd_avail.patch
+nfsd-fix-nfsd_reset_versions-for-nfsv4.patch
+input-i8042-add-tuxedo-bu1406-n24_25bu-to-the-nomux-list.patch
+drm-omap-fix-dmabuf-mmap-for-dma_alloc-ed-buffers.patch
+netfilter-bridge-honor-frag_max_size-when-refragmenting.patch
+writeback-fix-memory-leak-in-wb_queue_work.patch
+net-wimax-i2400m-fix-null-deref-at-probe.patch
+dmaengine-fix-array-index-out-of-bounds-warning-in-__get_unmap_pool.patch
+net-resend-igmp-memberships-upon-peer-notification.patch
+mlxsw-reg-fix-spvm-max-record-count.patch
+mlxsw-reg-fix-spvmlr-max-record-count.patch
+intel_th-pci-add-gemini-lake-support.patch
+openrisc-fix-issue-handling-8-byte-get_user-calls.patch
+scsi-hpsa-update-check-for-logical-volume-status.patch
+scsi-hpsa-limit-outstanding-rescans.patch
+fjes-fix-wrong-netdevice-feature-flags.patch
+drm-radeon-si-add-dpm-quirk-for-oland.patch
+sched-deadline-make-sure-the-replenishment-timer-fires-in-the-next-period.patch
+sched-deadline-throttle-a-constrained-deadline-task-activated-after-the-deadline.patch
+sched-deadline-use-deadline-instead-of-period-when-calculating-overflow.patch
+mmc-mediatek-fixed-bug-where-clock-frequency-could-be-set-wrong.patch
+drm-radeon-reinstate-oland-workaround-for-sclk.patch
+afs-fix-missing-put_page.patch
+afs-populate-group-id-from-vnode-status.patch
+afs-adjust-mode-bits-processing.patch
+afs-flush-outstanding-writes-when-an-fd-is-closed.patch
+afs-migrate-vlocation-fields-to-64-bit.patch
+afs-prevent-callback-expiry-timer-overflow.patch
+afs-fix-the-maths-in-afs_fs_store_data.patch
+afs-populate-and-use-client-modification-time.patch
+afs-fix-page-leak-in-afs_write_begin.patch
+afs-fix-afs_kill_pages.patch
+net-mlx4_core-avoid-delays-during-vf-driver-device-shutdown.patch
+perf-symbols-fix-symbols__fixup_end-heuristic-for-corner-cases.patch
+efi-esrt-cleanup-bad-memory-map-log-messages.patch
+nfsv4.1-respect-server-s-max-size-in-create_session.patch
+btrfs-add-missing-memset-while-reading-compressed-inline-extents.patch
+target-use-system-workqueue-for-alua-transitions.patch
+target-fix-alua-transition-timeout-handling.patch
+target-fix-race-during-implicit-transition-work-flushes.patch
+sfc-don-t-warn-on-successful-change-of-mac.patch
+fbdev-controlfb-add-missing-modes-to-fix-out-of-bounds-access.patch
+video-udlfb-fix-read-edid-timeout.patch
+video-fbdev-au1200fb-release-some-resources-if-a-memory-allocation-fails.patch
+video-fbdev-au1200fb-return-an-error-code-if-a-memory-allocation-fails.patch
+rtc-pcf8563-fix-output-clock-rate.patch
+dmaengine-ti-dma-crossbar-correct-am335x-am43xx-mux-value-type.patch
+pci-pme-handle-invalid-data-when-reading-root-status.patch
+powerpc-powernv-cpufreq-fix-the-frequency-read-by-proc-cpuinfo.patch
+netfilter-ipvs-fix-inappropriate-output-of-procfs.patch
+powerpc-opal-fix-ebusy-bug-in-acquiring-tokens.patch
+powerpc-ipic-fix-status-get-and-status-clear.patch
+platform-x86-sony-laptop-fix-error-handling-in-sony_nc_setup_rfkill.patch
+target-iscsi-fix-a-race-condition-in-iscsit_add_reject_from_cmd.patch
+iscsi-target-fix-memory-leak-in-lio_target_tiqn_addtpg.patch
+target-fix-condition-return-in-core_pr_dump_initiator_port.patch
+target-file-do-not-return-error-for-unmap-if-length-is-zero.patch
+arm-ccn-perf-prevent-module-unload-while-pmu-is-in-use.patch
+crypto-tcrypt-fix-buffer-lengths-in-test_aead_speed.patch
+mm-handle-0-flags-in-_calc_vm_trans-macro.patch
+clk-mediatek-add-the-option-for-determining-pll-source-clock.patch
+clk-imx6-refine-hdmi_isfr-s-parent-to-make-hdmi-work-on-i.mx6-socs-w-o-vpu.patch
+clk-tegra-fix-cclk_lp-divisor-register.patch
+ppp-destroy-the-mutex-when-cleanup.patch
+thermal-drivers-step_wise-fix-temperature-regulation-misbehavior.patch
+gfs2-take-inode-off-order_write-list-when-setting-jdata-flag.patch
+bcache-explicitly-destroy-mutex-while-exiting.patch
+bcache-fix-wrong-cache_misses-statistics.patch
+l2tp-cleanup-l2tp_tunnel_delete-calls.patch
+xfs-fix-log-block-underflow-during-recovery-cycle-verification.patch
+xfs-fix-incorrect-extent-state-in-xfs_bmap_add_extent_unwritten_real.patch
+pci-detach-driver-before-procfs-sysfs-teardown-on-device-remove.patch
+scsi-hpsa-cleanup-sas_phy-structures-in-sysfs-when-unloading.patch
+scsi-hpsa-destroy-sas-transport-properties-before-scsi_host.patch
+powerpc-perf-hv-24x7-fix-incorrect-comparison-in-memord.patch
+tty-fix-oops-when-rmmod-8250.patch
+dmaengine-rcar-dmac-use-tcrb-instead-of-tcr-for-residue.patch
+pinctrl-adi2-fix-kconfig-build-problem.patch
+raid5-set-r5_expanded-on-parity-devices-as-well-as-data.patch
+scsi-scsi_devinfo-add-reportlun2-to-emc-symmetrix-blacklist-entry.patch
+vt6655-fix-a-possible-sleep-in-atomic-bug-in-vt6655_suspend.patch
+scsi-sd-change-manage_start_stop-to-bool-in-sysfs-interface.patch
+scsi-sd-change-allow_restart-to-bool-in-sysfs-interface.patch
+scsi-bfa-integer-overflow-in-debugfs.patch
+udf-avoid-overflow-when-session-starts-at-large-offset.patch
+macvlan-only-deliver-one-copy-of-the-frame-to-the-macvlan-interface.patch
+rdma-cma-avoid-triggering-undefined-behavior.patch
+ib-ipoib-grab-rtnl-lock-on-heavy-flush-when-calling-ndo_open-stop.patch
+ath9k-fix-tx99-potential-info-leak.patch
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Robert Stonehouse <rstonehouse@solarflare.com>
+Date: Tue, 7 Nov 2017 17:30:30 +0000
+Subject: sfc: don't warn on successful change of MAC
+
+From: Robert Stonehouse <rstonehouse@solarflare.com>
+
+
+[ Upstream commit cbad52e92ad7f01f0be4ca58bde59462dc1afe3a ]
+
+Fixes: 535a61777f44e ("sfc: suppress handled MCDI failures when changing the MAC address")
+Signed-off-by: Bert Kenward <bkenward@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/sfc/ef10.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/sfc/ef10.c
++++ b/drivers/net/ethernet/sfc/ef10.c
+@@ -4307,7 +4307,7 @@ static int efx_ef10_set_mac_address(stru
+ * MCFW do not support VFs.
+ */
+ rc = efx_ef10_vport_set_mac_address(efx);
+- } else {
++ } else if (rc) {
+ efx_mcdi_display_error(efx, MC_CMD_VADAPTOR_SET_MAC,
+ sizeof(inbuf), NULL, 0, rc);
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Jiang Yi <jiangyilism@gmail.com>
+Date: Fri, 11 Aug 2017 11:29:44 +0800
+Subject: target/file: Do not return error for UNMAP if length is zero
+
+From: Jiang Yi <jiangyilism@gmail.com>
+
+
+[ Upstream commit 594e25e73440863981032d76c9b1e33409ceff6e ]
+
+The function fd_execute_unmap() in target_core_file.c calles
+
+ret = file->f_op->fallocate(file, mode, pos, len);
+
+Some filesystems implement fallocate() to return error if
+length is zero (e.g. btrfs) but according to SCSI Block
+Commands spec UNMAP should return success for zero length.
+
+Signed-off-by: Jiang Yi <jiangyilism@gmail.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_file.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/target/target_core_file.c
++++ b/drivers/target/target_core_file.c
+@@ -466,6 +466,10 @@ fd_execute_unmap(struct se_cmd *cmd, sec
+ struct inode *inode = file->f_mapping->host;
+ int ret;
+
++ if (!nolb) {
++ return 0;
++ }
++
+ if (cmd->se_dev->dev_attrib.pi_prot_type) {
+ ret = fd_do_prot_unmap(cmd, lba, nolb);
+ if (ret)
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Mike Christie <mchristi@redhat.com>
+Date: Thu, 2 Mar 2017 04:59:48 -0600
+Subject: target: fix ALUA transition timeout handling
+
+From: Mike Christie <mchristi@redhat.com>
+
+
+[ Upstream commit d7175373f2745ed4abe5b388d5aabd06304f801e ]
+
+The implicit transition time tells initiators the min time
+to wait before timing out a transition. We currently schedule
+the transition to occur in tg_pt_gp_implicit_trans_secs
+seconds so there is no room for delays. If
+core_alua_do_transition_tg_pt_work->core_alua_update_tpg_primary_metadata
+needs to write out info to a remote file, then the initiator can
+easily time out the operation.
+
+Signed-off-by: Mike Christie <mchristi@redhat.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_alua.c | 23 ++++++++---------------
+ include/target/target_core_base.h | 2 +-
+ 2 files changed, 9 insertions(+), 16 deletions(-)
+
+--- a/drivers/target/target_core_alua.c
++++ b/drivers/target/target_core_alua.c
+@@ -1010,7 +1010,7 @@ static void core_alua_queue_state_change
+ static void core_alua_do_transition_tg_pt_work(struct work_struct *work)
+ {
+ struct t10_alua_tg_pt_gp *tg_pt_gp = container_of(work,
+- struct t10_alua_tg_pt_gp, tg_pt_gp_transition_work.work);
++ struct t10_alua_tg_pt_gp, tg_pt_gp_transition_work);
+ struct se_device *dev = tg_pt_gp->tg_pt_gp_dev;
+ bool explicit = (tg_pt_gp->tg_pt_gp_alua_access_status ==
+ ALUA_STATUS_ALTERED_BY_EXPLICIT_STPG);
+@@ -1073,13 +1073,12 @@ static int core_alua_do_transition_tg_pt
+ /*
+ * Flush any pending transitions
+ */
+- if (!explicit && tg_pt_gp->tg_pt_gp_implicit_trans_secs &&
+- atomic_read(&tg_pt_gp->tg_pt_gp_alua_access_state) ==
++ if (!explicit && atomic_read(&tg_pt_gp->tg_pt_gp_alua_access_state) ==
+ ALUA_ACCESS_STATE_TRANSITION) {
+ /* Just in case */
+ tg_pt_gp->tg_pt_gp_alua_pending_state = new_state;
+ tg_pt_gp->tg_pt_gp_transition_complete = &wait;
+- flush_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work);
++ flush_work(&tg_pt_gp->tg_pt_gp_transition_work);
+ wait_for_completion(&wait);
+ tg_pt_gp->tg_pt_gp_transition_complete = NULL;
+ return 0;
+@@ -1114,15 +1113,9 @@ static int core_alua_do_transition_tg_pt
+ atomic_inc(&tg_pt_gp->tg_pt_gp_ref_cnt);
+ spin_unlock(&dev->t10_alua.tg_pt_gps_lock);
+
+- if (!explicit && tg_pt_gp->tg_pt_gp_implicit_trans_secs) {
+- unsigned long transition_tmo;
+-
+- transition_tmo = tg_pt_gp->tg_pt_gp_implicit_trans_secs * HZ;
+- schedule_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work,
+- transition_tmo);
+- } else {
++ schedule_work(&tg_pt_gp->tg_pt_gp_transition_work);
++ if (explicit) {
+ tg_pt_gp->tg_pt_gp_transition_complete = &wait;
+- schedule_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work, 0);
+ wait_for_completion(&wait);
+ tg_pt_gp->tg_pt_gp_transition_complete = NULL;
+ }
+@@ -1690,8 +1683,8 @@ struct t10_alua_tg_pt_gp *core_alua_allo
+ mutex_init(&tg_pt_gp->tg_pt_gp_md_mutex);
+ spin_lock_init(&tg_pt_gp->tg_pt_gp_lock);
+ atomic_set(&tg_pt_gp->tg_pt_gp_ref_cnt, 0);
+- INIT_DELAYED_WORK(&tg_pt_gp->tg_pt_gp_transition_work,
+- core_alua_do_transition_tg_pt_work);
++ INIT_WORK(&tg_pt_gp->tg_pt_gp_transition_work,
++ core_alua_do_transition_tg_pt_work);
+ tg_pt_gp->tg_pt_gp_dev = dev;
+ atomic_set(&tg_pt_gp->tg_pt_gp_alua_access_state,
+ ALUA_ACCESS_STATE_ACTIVE_OPTIMIZED);
+@@ -1799,7 +1792,7 @@ void core_alua_free_tg_pt_gp(
+ dev->t10_alua.alua_tg_pt_gps_counter--;
+ spin_unlock(&dev->t10_alua.tg_pt_gps_lock);
+
+- flush_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work);
++ flush_work(&tg_pt_gp->tg_pt_gp_transition_work);
+
+ /*
+ * Allow a struct t10_alua_tg_pt_gp_member * referenced by
+--- a/include/target/target_core_base.h
++++ b/include/target/target_core_base.h
+@@ -299,7 +299,7 @@ struct t10_alua_tg_pt_gp {
+ struct list_head tg_pt_gp_lun_list;
+ struct se_lun *tg_pt_gp_alua_lun;
+ struct se_node_acl *tg_pt_gp_alua_nacl;
+- struct delayed_work tg_pt_gp_transition_work;
++ struct work_struct tg_pt_gp_transition_work;
+ struct completion *tg_pt_gp_transition_complete;
+ };
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: tangwenji <tang.wenji@zte.com.cn>
+Date: Thu, 24 Aug 2017 19:59:37 +0800
+Subject: target:fix condition return in core_pr_dump_initiator_port()
+
+From: tangwenji <tang.wenji@zte.com.cn>
+
+
+[ Upstream commit 24528f089d0a444070aa4f715ace537e8d6bf168 ]
+
+When is pr_reg->isid_present_at_reg is false,this function should return.
+
+This fixes a regression originally introduced by:
+
+ commit d2843c173ee53cf4c12e7dfedc069a5bc76f0ac5
+ Author: Andy Grover <agrover@redhat.com>
+ Date: Thu May 16 10:40:55 2013 -0700
+
+ target: Alter core_pr_dump_initiator_port for ease of use
+
+Signed-off-by: tangwenji <tang.wenji@zte.com.cn>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_pr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -56,8 +56,10 @@ void core_pr_dump_initiator_port(
+ char *buf,
+ u32 size)
+ {
+- if (!pr_reg->isid_present_at_reg)
++ if (!pr_reg->isid_present_at_reg) {
+ buf[0] = '\0';
++ return;
++ }
+
+ snprintf(buf, size, ",i,0x%s", pr_reg->pr_reg_isid);
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Mike Christie <mchristi@redhat.com>
+Date: Thu, 2 Mar 2017 04:59:50 -0600
+Subject: target: fix race during implicit transition work flushes
+
+From: Mike Christie <mchristi@redhat.com>
+
+
+[ Upstream commit 760bf578edf8122f2503a3a6a3f4b0de3b6ce0bb ]
+
+This fixes the following races:
+
+1. core_alua_do_transition_tg_pt could have read
+tg_pt_gp_alua_access_state and gone into this if chunk:
+
+if (!explicit &&
+ atomic_read(&tg_pt_gp->tg_pt_gp_alua_access_state) ==
+ ALUA_ACCESS_STATE_TRANSITION) {
+
+and then core_alua_do_transition_tg_pt_work could update the
+state. core_alua_do_transition_tg_pt would then only set
+tg_pt_gp_alua_pending_state and the tg_pt_gp_alua_access_state would
+not get updated with the second calls state.
+
+2. core_alua_do_transition_tg_pt could be setting
+tg_pt_gp_transition_complete while the tg_pt_gp_transition_work
+is already completing. core_alua_do_transition_tg_pt then waits on the
+completion that will never be called.
+
+To handle these issues, we just call flush_work which will return when
+core_alua_do_transition_tg_pt_work has completed so there is no need
+to do the complete/wait. And, if core_alua_do_transition_tg_pt_work
+was running, instead of trying to sneak in the state change, we just
+schedule up another core_alua_do_transition_tg_pt_work call.
+
+Note that this does not handle a possible race where there are multiple
+threads call core_alua_do_transition_tg_pt at the same time. I think
+we need a mutex in target_tg_pt_gp_alua_access_state_store.
+
+Signed-off-by: Mike Christie <mchristi@redhat.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_alua.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+--- a/drivers/target/target_core_alua.c
++++ b/drivers/target/target_core_alua.c
+@@ -1073,16 +1073,8 @@ static int core_alua_do_transition_tg_pt
+ /*
+ * Flush any pending transitions
+ */
+- if (!explicit && atomic_read(&tg_pt_gp->tg_pt_gp_alua_access_state) ==
+- ALUA_ACCESS_STATE_TRANSITION) {
+- /* Just in case */
+- tg_pt_gp->tg_pt_gp_alua_pending_state = new_state;
+- tg_pt_gp->tg_pt_gp_transition_complete = &wait;
++ if (!explicit)
+ flush_work(&tg_pt_gp->tg_pt_gp_transition_work);
+- wait_for_completion(&wait);
+- tg_pt_gp->tg_pt_gp_transition_complete = NULL;
+- return 0;
+- }
+
+ /*
+ * Save the old primary ALUA access state, and set the current state
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Bart Van Assche <bart.vanassche@wdc.com>
+Date: Tue, 31 Oct 2017 11:03:17 -0700
+Subject: target/iscsi: Fix a race condition in iscsit_add_reject_from_cmd()
+
+From: Bart Van Assche <bart.vanassche@wdc.com>
+
+
+[ Upstream commit cfe2b621bb18d86e93271febf8c6e37622da2d14 ]
+
+Avoid that cmd->se_cmd.se_tfo is read after a command has already been
+freed.
+
+Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Mike Christie <mchristi@redhat.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/iscsi/iscsi_target.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -674,6 +674,7 @@ static int iscsit_add_reject_from_cmd(
+ unsigned char *buf)
+ {
+ struct iscsi_conn *conn;
++ const bool do_put = cmd->se_cmd.se_tfo != NULL;
+
+ if (!cmd->conn) {
+ pr_err("cmd->conn is NULL for ITT: 0x%08x\n",
+@@ -704,7 +705,7 @@ static int iscsit_add_reject_from_cmd(
+ * Perform the kref_put now if se_cmd has already been setup by
+ * scsit_setup_scsi_cmd()
+ */
+- if (cmd->se_cmd.se_tfo != NULL) {
++ if (do_put) {
+ pr_debug("iscsi reject: calling target_put_sess_cmd >>>>>>\n");
+ target_put_sess_cmd(&cmd->se_cmd);
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Mike Christie <mchristi@redhat.com>
+Date: Wed, 1 Mar 2017 23:13:26 -0600
+Subject: target: Use system workqueue for ALUA transitions
+
+From: Mike Christie <mchristi@redhat.com>
+
+
+[ Upstream commit 207ee84133c00a8a2a5bdec94df4a5b37d78881c ]
+
+If tcmu-runner is processing a STPG and needs to change the kernel's
+ALUA state then we cannot use the same work queue for task management
+requests and ALUA transitions, because we could deadlock. The problem
+occurs when a STPG times out before tcmu-runner is able to
+call into target_tg_pt_gp_alua_access_state_store->
+core_alua_do_port_transition -> core_alua_do_transition_tg_pt ->
+queue_work. In this case, the tmr is on the work queue waiting for
+the STPG to complete, but the STPG transition is now queued behind
+the waiting tmr.
+
+Note:
+This bug will also be fixed by this patch:
+http://www.spinics.net/lists/target-devel/msg14560.html
+which switches the tmr code to use the system workqueues.
+
+For both, I am not sure if we need a dedicated workqueue since
+it is not a performance path and I do not think we need WQ_MEM_RECLAIM
+to make forward progress to free up memory like the block layer does.
+
+Signed-off-by: Mike Christie <mchristi@redhat.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/target/target_core_alua.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/target/target_core_alua.c
++++ b/drivers/target/target_core_alua.c
+@@ -1118,13 +1118,11 @@ static int core_alua_do_transition_tg_pt
+ unsigned long transition_tmo;
+
+ transition_tmo = tg_pt_gp->tg_pt_gp_implicit_trans_secs * HZ;
+- queue_delayed_work(tg_pt_gp->tg_pt_gp_dev->tmr_wq,
+- &tg_pt_gp->tg_pt_gp_transition_work,
+- transition_tmo);
++ schedule_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work,
++ transition_tmo);
+ } else {
+ tg_pt_gp->tg_pt_gp_transition_complete = &wait;
+- queue_delayed_work(tg_pt_gp->tg_pt_gp_dev->tmr_wq,
+- &tg_pt_gp->tg_pt_gp_transition_work, 0);
++ schedule_delayed_work(&tg_pt_gp->tg_pt_gp_transition_work, 0);
+ wait_for_completion(&wait);
+ tg_pt_gp->tg_pt_gp_transition_complete = NULL;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Daniel Lezcano <daniel.lezcano@linaro.org>
+Date: Thu, 19 Oct 2017 19:05:58 +0200
+Subject: thermal/drivers/step_wise: Fix temperature regulation misbehavior
+
+From: Daniel Lezcano <daniel.lezcano@linaro.org>
+
+
+[ Upstream commit 07209fcf33542c1ff1e29df2dbdf8f29cdaacb10 ]
+
+There is a particular situation when the cooling device is cpufreq and the heat
+dissipation is not efficient enough where the temperature increases little by
+little until reaching the critical threshold and leading to a SoC reset.
+
+The behavior is reproducible on a hikey6220 with bad heat dissipation (eg.
+stacked with other boards).
+
+Running a simple C program doing while(1); for each CPU of the SoC makes the
+temperature to reach the passive regulation trip point and ends up to the
+maximum allowed temperature followed by a reset.
+
+This issue has been also reported by running the libhugetlbfs test suite.
+
+What is observed is a ping pong between two cpu frequencies, 1.2GHz and 900MHz
+while the temperature continues to grow.
+
+It appears the step wise governor calls get_target_state() the first time with
+the throttle set to true and the trend to 'raising'. The code selects logically
+the next state, so the cpu frequency decreases from 1.2GHz to 900MHz, so far so
+good. The temperature decreases immediately but still stays greater than the
+trip point, then get_target_state() is called again, this time with the
+throttle set to true *and* the trend to 'dropping'. From there the algorithm
+assumes we have to step down the state and the cpu frequency jumps back to
+1.2GHz. But the temperature is still higher than the trip point, so
+get_target_state() is called with throttle=1 and trend='raising' again, we jump
+to 900MHz, then get_target_state() is called with throttle=1 and
+trend='dropping', we jump to 1.2GHz, etc ... but the temperature does not
+stabilizes and continues to increase.
+
+[ 237.922654] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
+[ 237.922678] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1
+[ 237.922690] thermal cooling_device0: cur_state=0
+[ 237.922701] thermal cooling_device0: old_target=0, target=1
+[ 238.026656] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1
+[ 238.026680] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=1
+[ 238.026694] thermal cooling_device0: cur_state=1
+[ 238.026707] thermal cooling_device0: old_target=1, target=0
+[ 238.134647] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
+[ 238.134667] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1
+[ 238.134679] thermal cooling_device0: cur_state=0
+[ 238.134690] thermal cooling_device0: old_target=0, target=1
+
+In this situation the temperature continues to increase while the trend is
+oscillating between 'dropping' and 'raising'. We need to keep the current state
+untouched if the throttle is set, so the temperature can decrease or a higher
+state could be selected, thus preventing this oscillation.
+
+Keeping the next_target untouched when 'throttle' is true at 'dropping' time
+fixes the issue.
+
+The following traces show the governor does not change the next state if
+trend==2 (dropping) and throttle==1.
+
+[ 2306.127987] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
+[ 2306.128009] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1
+[ 2306.128021] thermal cooling_device0: cur_state=0
+[ 2306.128031] thermal cooling_device0: old_target=0, target=1
+[ 2306.231991] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1
+[ 2306.232016] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=1
+[ 2306.232030] thermal cooling_device0: cur_state=1
+[ 2306.232042] thermal cooling_device0: old_target=1, target=1
+[ 2306.335982] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=0,throttle=1
+[ 2306.336006] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=0,throttle=1
+[ 2306.336021] thermal cooling_device0: cur_state=1
+[ 2306.336034] thermal cooling_device0: old_target=1, target=1
+[ 2306.439984] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1
+[ 2306.440008] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=0
+[ 2306.440022] thermal cooling_device0: cur_state=1
+[ 2306.440034] thermal cooling_device0: old_target=1, target=0
+
+[ ... ]
+
+After a while, if the temperature continues to increase, the next state becomes
+2 which is 720MHz on the hikey. That results in the temperature stabilizing
+around the trip point.
+
+[ 2455.831982] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
+[ 2455.832006] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=0
+[ 2455.832019] thermal cooling_device0: cur_state=1
+[ 2455.832032] thermal cooling_device0: old_target=1, target=1
+[ 2455.935985] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=0,throttle=1
+[ 2455.936013] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=0,throttle=0
+[ 2455.936027] thermal cooling_device0: cur_state=1
+[ 2455.936040] thermal cooling_device0: old_target=1, target=1
+[ 2456.043984] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=0,throttle=1
+[ 2456.044009] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=0,throttle=0
+[ 2456.044023] thermal cooling_device0: cur_state=1
+[ 2456.044036] thermal cooling_device0: old_target=1, target=1
+[ 2456.148001] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
+[ 2456.148028] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1
+[ 2456.148042] thermal cooling_device0: cur_state=1
+[ 2456.148055] thermal cooling_device0: old_target=1, target=2
+[ 2456.252009] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1
+[ 2456.252041] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=0
+[ 2456.252058] thermal cooling_device0: cur_state=2
+[ 2456.252075] thermal cooling_device0: old_target=2, target=1
+
+IOW, this change is needed to keep the state for a cooling device if the
+temperature trend is oscillating while the temperature increases slightly.
+
+Without this change, the situation above leads to a catastrophic crash by a
+hardware reset on hikey. This issue has been reported to happen on an OMAP
+dra7xx also.
+
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Cc: Keerthy <j-keerthy@ti.com>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Leo Yan <leo.yan@linaro.org>
+Tested-by: Keerthy <j-keerthy@ti.com>
+Reviewed-by: Keerthy <j-keerthy@ti.com>
+Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/step_wise.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/thermal/step_wise.c
++++ b/drivers/thermal/step_wise.c
+@@ -31,8 +31,7 @@
+ * If the temperature is higher than a trip point,
+ * a. if the trend is THERMAL_TREND_RAISING, use higher cooling
+ * state for this trip point
+- * b. if the trend is THERMAL_TREND_DROPPING, use lower cooling
+- * state for this trip point
++ * b. if the trend is THERMAL_TREND_DROPPING, do nothing
+ * c. if the trend is THERMAL_TREND_RAISE_FULL, use upper limit
+ * for this trip point
+ * d. if the trend is THERMAL_TREND_DROP_FULL, use lower limit
+@@ -94,9 +93,11 @@ static unsigned long get_target_state(st
+ if (!throttle)
+ next_target = THERMAL_NO_TARGET;
+ } else {
+- next_target = cur_state - 1;
+- if (next_target > instance->upper)
+- next_target = instance->upper;
++ if (!throttle) {
++ next_target = cur_state - 1;
++ if (next_target > instance->upper)
++ next_target = instance->upper;
++ }
+ }
+ break;
+ case THERMAL_TREND_DROP_FULL:
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: nixiaoming <nixiaoming@huawei.com>
+Date: Fri, 15 Sep 2017 17:45:56 +0800
+Subject: tty fix oops when rmmod 8250
+
+From: nixiaoming <nixiaoming@huawei.com>
+
+
+[ Upstream commit c79dde629d2027ca80329c62854a7635e623d527 ]
+
+After rmmod 8250.ko
+tty_kref_put starts kwork (release_one_tty) to release proc interface
+oops when accessing driver->driver_name in proc_tty_unregister_driver
+
+Use jprobe, found driver->driver_name point to 8250.ko
+static static struct uart_driver serial8250_reg
+.driver_name= serial,
+
+Use name in proc_dir_entry instead of driver->driver_name to fix oops
+
+test on linux 4.1.12:
+
+BUG: unable to handle kernel paging request at ffffffffa01979de
+IP: [<ffffffff81310f40>] strchr+0x0/0x30
+PGD 1a0d067 PUD 1a0e063 PMD 851c1f067 PTE 0
+Oops: 0000 [#1] PREEMPT SMP
+Modules linked in: ... ... [last unloaded: 8250]
+CPU: 7 PID: 116 Comm: kworker/7:1 Tainted: G O 4.1.12 #1
+Hardware name: Insyde RiverForest/Type2 - Board Product Name1, BIOS NE5KV904 12/21/2015
+Workqueue: events release_one_tty
+task: ffff88085b684960 ti: ffff880852884000 task.ti: ffff880852884000
+RIP: 0010:[<ffffffff81310f40>] [<ffffffff81310f40>] strchr+0x0/0x30
+RSP: 0018:ffff880852887c90 EFLAGS: 00010282
+RAX: ffffffff81a5eca0 RBX: ffffffffa01979de RCX: 0000000000000004
+RDX: ffff880852887d10 RSI: 000000000000002f RDI: ffffffffa01979de
+RBP: ffff880852887cd8 R08: 0000000000000000 R09: ffff88085f5d94d0
+R10: 0000000000000195 R11: 0000000000000000 R12: ffffffffa01979de
+R13: ffff880852887d00 R14: ffffffffa01979de R15: ffff88085f02e840
+FS: 0000000000000000(0000) GS:ffff88085f5c0000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffa01979de CR3: 0000000001a0c000 CR4: 00000000001406e0
+Stack:
+ ffffffff812349b1 ffff880852887cb8 ffff880852887d10 ffff88085f5cd6c2
+ ffff880852800a80 ffffffffa01979de ffff880852800a84 0000000000000010
+ ffff88085bb28bd8 ffff880852887d38 ffffffff812354f0 ffff880852887d08
+Call Trace:
+ [<ffffffff812349b1>] ? __xlate_proc_name+0x71/0xd0
+ [<ffffffff812354f0>] remove_proc_entry+0x40/0x180
+ [<ffffffff815f6811>] ? _raw_spin_lock_irqsave+0x41/0x60
+ [<ffffffff813be520>] ? destruct_tty_driver+0x60/0xe0
+ [<ffffffff81237c68>] proc_tty_unregister_driver+0x28/0x40
+ [<ffffffff813be548>] destruct_tty_driver+0x88/0xe0
+ [<ffffffff813be5bd>] tty_driver_kref_put+0x1d/0x20
+ [<ffffffff813becca>] release_one_tty+0x5a/0xd0
+ [<ffffffff81074159>] process_one_work+0x139/0x420
+ [<ffffffff810745a1>] worker_thread+0x121/0x450
+ [<ffffffff81074480>] ? process_scheduled_works+0x40/0x40
+ [<ffffffff8107a16c>] kthread+0xec/0x110
+ [<ffffffff81080000>] ? tg_rt_schedulable+0x210/0x220
+ [<ffffffff8107a080>] ? kthread_freezable_should_stop+0x80/0x80
+ [<ffffffff815f7292>] ret_from_fork+0x42/0x70
+ [<ffffffff8107a080>] ? kthread_freezable_should_stop+0x80/0x80
+
+Signed-off-by: nixiaoming <nixiaoming@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/proc_tty.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/proc/proc_tty.c
++++ b/fs/proc/proc_tty.c
+@@ -14,6 +14,7 @@
+ #include <linux/tty.h>
+ #include <linux/seq_file.h>
+ #include <linux/bitops.h>
++#include "internal.h"
+
+ /*
+ * The /proc/tty directory inodes...
+@@ -164,7 +165,7 @@ void proc_tty_unregister_driver(struct t
+ if (!ent)
+ return;
+
+- remove_proc_entry(driver->driver_name, proc_tty_driver);
++ remove_proc_entry(ent->name, proc_tty_driver);
+
+ driver->proc_entry = NULL;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 16 Oct 2017 11:38:11 +0200
+Subject: udf: Avoid overflow when session starts at large offset
+
+From: Jan Kara <jack@suse.cz>
+
+
+[ Upstream commit abdc0eb06964fe1d2fea6dd1391b734d0590365d ]
+
+When session starts beyond offset 2^31 the arithmetics in
+udf_check_vsd() would overflow. Make sure the computation is done in
+large enough type.
+
+Reported-by: Cezary Sliwa <sliwa@ifpan.edu.pl>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/udf/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -705,7 +705,7 @@ static loff_t udf_check_vsd(struct super
+ else
+ sectorsize = sb->s_blocksize;
+
+- sector += (sbi->s_session << sb->s_blocksize_bits);
++ sector += (((loff_t)sbi->s_session) << sb->s_blocksize_bits);
+
+ udf_debug("Starting at sector %u (%ld byte sectors)\n",
+ (unsigned int)(sector >> sb->s_blocksize_bits),
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Javier Martinez Canillas <javier@osg.samsung.com>
+Date: Wed, 22 Feb 2017 15:23:22 -0300
+Subject: usb: phy: isp1301: Add OF device ID table
+
+From: Javier Martinez Canillas <javier@osg.samsung.com>
+
+
+[ Upstream commit fd567653bdb908009b650f079bfd4b63169e2ac4 ]
+
+The driver doesn't have a struct of_device_id table but supported devices
+are registered via Device Trees. This is working on the assumption that a
+I2C device registered via OF will always match a legacy I2C device ID and
+that the MODALIAS reported will always be of the form i2c:<device>.
+
+But this could change in the future so the correct approach is to have an
+OF device ID table if the devices are registered via OF.
+
+Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/phy/phy-isp1301.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/phy/phy-isp1301.c
++++ b/drivers/usb/phy/phy-isp1301.c
+@@ -33,6 +33,12 @@ static const struct i2c_device_id isp130
+ };
+ MODULE_DEVICE_TABLE(i2c, isp1301_id);
+
++static const struct of_device_id isp1301_of_match[] = {
++ {.compatible = "nxp,isp1301" },
++ { },
++};
++MODULE_DEVICE_TABLE(of, isp1301_of_match);
++
+ static struct i2c_client *isp1301_i2c_client;
+
+ static int __isp1301_write(struct isp1301 *isp, u8 reg, u8 value, u8 clear)
+@@ -130,6 +136,7 @@ static int isp1301_remove(struct i2c_cli
+ static struct i2c_driver isp1301_driver = {
+ .driver = {
+ .name = DRV_NAME,
++ .of_match_table = of_match_ptr(isp1301_of_match),
+ },
+ .probe = isp1301_probe,
+ .remove = isp1301_remove,
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Andrea Arcangeli <aarcange@redhat.com>
+Date: Thu, 9 Mar 2017 16:17:14 -0800
+Subject: userfaultfd: selftest: vm: allow to build in vm/ directory
+
+From: Andrea Arcangeli <aarcange@redhat.com>
+
+
+[ Upstream commit 46aa6a302b53f543f8e8b8e1714dc5e449ad36a6 ]
+
+linux/tools/testing/selftests/vm $ make
+
+ gcc -Wall -I ../../../../usr/include compaction_test.c -lrt -o /compaction_test
+ /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.4/../../../../x86_64-pc-linux-gnu/bin/ld: cannot open output file /compaction_test: Permission denied
+ collect2: error: ld returned 1 exit status
+ make: *** [../lib.mk:54: /compaction_test] Error 1
+
+Since commit a8ba798bc8ec ("selftests: enable O and KBUILD_OUTPUT")
+selftests/vm build fails if run from the "selftests/vm" directory, but
+it works in the selftests/ directory. It's quicker to be able to do a
+local vm-only build after a tree wipe and this patch allows for it
+again.
+
+Link: http://lkml.kernel.org/r/20170302173738.18994-4-aarcange@redhat.com
+Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
+Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Pavel Emelyanov <xemul@parallels.com>
+Cc: Hillf Danton <hillf.zj@alibaba-inc.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/vm/Makefile | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/tools/testing/selftests/vm/Makefile
++++ b/tools/testing/selftests/vm/Makefile
+@@ -1,5 +1,9 @@
+ # Makefile for vm selftests
+
++ifndef OUTPUT
++ OUTPUT := $(shell pwd)
++endif
++
+ CFLAGS = -Wall -I ../../../../usr/include $(EXTRA_CFLAGS)
+ BINARIES = compaction_test
+ BINARIES += hugepage-mmap
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Andrea Arcangeli <aarcange@redhat.com>
+Date: Thu, 9 Mar 2017 16:16:28 -0800
+Subject: userfaultfd: shmem: __do_fault requires VM_FAULT_NOPAGE
+
+From: Andrea Arcangeli <aarcange@redhat.com>
+
+
+[ Upstream commit 6bbc4a4144b1a69743022ac68dfaf6e7d993abb9 ]
+
+__do_fault assumes vmf->page has been initialized and is valid if
+VM_FAULT_NOPAGE is not returned by vma->vm_ops->fault(vma, vmf).
+
+handle_userfault() in turn should return VM_FAULT_NOPAGE if it doesn't
+return VM_FAULT_SIGBUS or VM_FAULT_RETRY (the other two possibilities).
+
+This VM_FAULT_NOPAGE case is only invoked when signal are pending and it
+didn't matter for anonymous memory before. It only started to matter
+since shmem was introduced. hugetlbfs also takes a different path and
+doesn't exercise __do_fault.
+
+Link: http://lkml.kernel.org/r/20170228154201.GH5816@redhat.com
+Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: "Kirill A. Shutemov" <kirill@shutemov.name>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/userfaultfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -386,7 +386,7 @@ int handle_userfault(struct vm_area_stru
+ * in such case.
+ */
+ down_read(&mm->mmap_sem);
+- ret = 0;
++ ret = VM_FAULT_NOPAGE;
+ }
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Thu, 9 Nov 2017 18:09:28 +0100
+Subject: video: fbdev: au1200fb: Release some resources if a memory allocation fails
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 451f130602619a17c8883dd0b71b11624faffd51 ]
+
+We should go through the error handling code instead of returning -ENOMEM
+directly.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Cc: Tejun Heo <tj@kernel.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/au1200fb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/au1200fb.c
++++ b/drivers/video/fbdev/au1200fb.c
+@@ -1699,7 +1699,8 @@ static int au1200fb_drv_probe(struct pla
+ if (!fbdev->fb_mem) {
+ print_err("fail to allocate frambuffer (size: %dK))",
+ fbdev->fb_len / 1024);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto failed;
+ }
+
+ /*
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Thu, 9 Nov 2017 18:09:28 +0100
+Subject: video: fbdev: au1200fb: Return an error code if a memory allocation fails
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 8cae353e6b01ac3f18097f631cdbceb5ff28c7f3 ]
+
+'ret' is known to be 0 at this point.
+In case of memory allocation error in 'framebuffer_alloc()', return
+-ENOMEM instead.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Cc: Tejun Heo <tj@kernel.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/au1200fb.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/au1200fb.c
++++ b/drivers/video/fbdev/au1200fb.c
+@@ -1680,8 +1680,10 @@ static int au1200fb_drv_probe(struct pla
+
+ fbi = framebuffer_alloc(sizeof(struct au1200fb_device),
+ &dev->dev);
+- if (!fbi)
++ if (!fbi) {
++ ret = -ENOMEM;
+ goto failed;
++ }
+
+ _au1200fb_infos[plane] = fbi;
+ fbdev = fbi->par;
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Ladislav Michl <ladis@linux-mips.org>
+Date: Thu, 9 Nov 2017 18:09:30 +0100
+Subject: video: udlfb: Fix read EDID timeout
+
+From: Ladislav Michl <ladis@linux-mips.org>
+
+
+[ Upstream commit c98769475575c8a585f5b3952f4b5f90266f699b ]
+
+While usb_control_msg function expects timeout in miliseconds, a value
+of HZ is used. Replace it with USB_CTRL_GET_TIMEOUT and also fix error
+message which looks like:
+udlfb: Read EDID byte 78 failed err ffffff92
+as error is either negative errno or number of bytes transferred use %d
+format specifier.
+
+Returned EDID is in second byte, so return error when less than two bytes
+are received.
+
+Fixes: 18dffdf8913a ("staging: udlfb: enhance EDID and mode handling support")
+Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
+Cc: Bernie Thompson <bernie@plugable.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/udlfb.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/video/fbdev/udlfb.c
++++ b/drivers/video/fbdev/udlfb.c
+@@ -769,11 +769,11 @@ static int dlfb_get_edid(struct dlfb_dat
+
+ for (i = 0; i < len; i++) {
+ ret = usb_control_msg(dev->udev,
+- usb_rcvctrlpipe(dev->udev, 0), (0x02),
+- (0x80 | (0x02 << 5)), i << 8, 0xA1, rbuf, 2,
+- HZ);
+- if (ret < 1) {
+- pr_err("Read EDID byte %d failed err %x\n", i, ret);
++ usb_rcvctrlpipe(dev->udev, 0), 0x02,
++ (0x80 | (0x02 << 5)), i << 8, 0xA1,
++ rbuf, 2, USB_CTRL_GET_TIMEOUT);
++ if (ret < 2) {
++ pr_err("Read EDID byte %d failed: %d\n", i, ret);
+ i--;
+ break;
+ }
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Jia-Ju Bai <baijiaju1990@163.com>
+Date: Mon, 9 Oct 2017 16:45:55 +0800
+Subject: vt6655: Fix a possible sleep-in-atomic bug in vt6655_suspend
+
+From: Jia-Ju Bai <baijiaju1990@163.com>
+
+
+[ Upstream commit 42c8eb3f6e15367981b274cb79ee4657e2c6949d ]
+
+The driver may sleep under a spinlock, and the function call path is:
+vt6655_suspend (acquire the spinlock)
+ pci_set_power_state
+ __pci_start_power_transition (drivers/pci/pci.c)
+ msleep --> may sleep
+
+To fix it, pci_set_power_state is called without having a spinlock.
+
+This bug is found by my static analysis tool and my code review.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/vt6655/device_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/vt6655/device_main.c
++++ b/drivers/staging/vt6655/device_main.c
+@@ -1693,10 +1693,11 @@ static int vt6655_suspend(struct pci_dev
+ MACbShutdown(priv->PortOffset);
+
+ pci_disable_device(pcid);
+- pci_set_power_state(pcid, pci_choose_state(pcid, state));
+
+ spin_unlock_irqrestore(&priv->lock, flags);
+
++ pci_set_power_state(pcid, pci_choose_state(pcid, state));
++
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Tahsin Erdogan <tahsin@google.com>
+Date: Fri, 10 Mar 2017 12:09:49 -0800
+Subject: writeback: fix memory leak in wb_queue_work()
+
+From: Tahsin Erdogan <tahsin@google.com>
+
+
+[ Upstream commit 4a3a485b1ed0e109718cc8c9d094fa0f552de9b2 ]
+
+When WB_registered flag is not set, wb_queue_work() skips queuing the
+work, but does not perform the necessary clean up. In particular, if
+work->auto_free is true, it should free the memory.
+
+The leak condition can be reprouced by following these steps:
+
+ mount /dev/sdb /mnt/sdb
+ /* In qemu console: device_del sdb */
+ umount /dev/sdb
+
+Above will result in a wb_queue_work() call on an unregistered wb and
+thus leak memory.
+
+Reported-by: John Sperbeck <jsperbeck@google.com>
+Signed-off-by: Tahsin Erdogan <tahsin@google.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fs-writeback.c | 35 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -173,19 +173,33 @@ static void wb_wakeup(struct bdi_writeba
+ spin_unlock_bh(&wb->work_lock);
+ }
+
++static void finish_writeback_work(struct bdi_writeback *wb,
++ struct wb_writeback_work *work)
++{
++ struct wb_completion *done = work->done;
++
++ if (work->auto_free)
++ kfree(work);
++ if (done && atomic_dec_and_test(&done->cnt))
++ wake_up_all(&wb->bdi->wb_waitq);
++}
++
+ static void wb_queue_work(struct bdi_writeback *wb,
+ struct wb_writeback_work *work)
+ {
+ trace_writeback_queue(wb, work);
+
+- spin_lock_bh(&wb->work_lock);
+- if (!test_bit(WB_registered, &wb->state))
+- goto out_unlock;
+ if (work->done)
+ atomic_inc(&work->done->cnt);
+- list_add_tail(&work->list, &wb->work_list);
+- mod_delayed_work(bdi_wq, &wb->dwork, 0);
+-out_unlock:
++
++ spin_lock_bh(&wb->work_lock);
++
++ if (test_bit(WB_registered, &wb->state)) {
++ list_add_tail(&work->list, &wb->work_list);
++ mod_delayed_work(bdi_wq, &wb->dwork, 0);
++ } else
++ finish_writeback_work(wb, work);
++
+ spin_unlock_bh(&wb->work_lock);
+ }
+
+@@ -1839,16 +1853,9 @@ static long wb_do_writeback(struct bdi_w
+
+ set_bit(WB_writeback_running, &wb->state);
+ while ((work = get_next_work_item(wb)) != NULL) {
+- struct wb_completion *done = work->done;
+-
+ trace_writeback_exec(wb, work);
+-
+ wrote += wb_writeback(wb, work);
+-
+- if (work->auto_free)
+- kfree(work);
+- if (done && atomic_dec_and_test(&done->cnt))
+- wake_up_all(&wb->bdi->wb_waitq);
++ finish_writeback_work(wb, work);
+ }
+
+ /*
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Christoph Hellwig <hch@lst.de>
+Date: Tue, 17 Oct 2017 14:16:19 -0700
+Subject: xfs: fix incorrect extent state in xfs_bmap_add_extent_unwritten_real
+
+From: Christoph Hellwig <hch@lst.de>
+
+
+[ Upstream commit 5e422f5e4fd71d18bc6b851eeb3864477b3d842e ]
+
+There was one spot in xfs_bmap_add_extent_unwritten_real that didn't use the
+passed in new extent state but always converted to normal, leading to wrong
+behavior when converting from normal to unwritten.
+
+Only found by code inspection, it seems like this code path to move partial
+extent from written to unwritten while merging it with the next extent is
+rarely exercised.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/libxfs/xfs_bmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/libxfs/xfs_bmap.c
++++ b/fs/xfs/libxfs/xfs_bmap.c
+@@ -2670,7 +2670,7 @@ xfs_bmap_add_extent_unwritten_real(
+ &i)))
+ goto done;
+ XFS_WANT_CORRUPTED_GOTO(mp, i == 0, done);
+- cur->bc_rec.b.br_state = XFS_EXT_NORM;
++ cur->bc_rec.b.br_state = new->br_state;
+ if ((error = xfs_btree_insert(cur, &i)))
+ goto done;
+ XFS_WANT_CORRUPTED_GOTO(mp, i == 1, done);
--- /dev/null
+From foo@baz Mon Dec 18 14:47:43 CET 2017
+From: Brian Foster <bfoster@redhat.com>
+Date: Thu, 26 Oct 2017 09:31:16 -0700
+Subject: xfs: fix log block underflow during recovery cycle verification
+
+From: Brian Foster <bfoster@redhat.com>
+
+
+[ Upstream commit 9f2a4505800607e537e9dd9dea4f55c4b0c30c7a ]
+
+It is possible for mkfs to format very small filesystems with too
+small of an internal log with respect to the various minimum size
+and block count requirements. If this occurs when the log happens to
+be smaller than the scan window used for cycle verification and the
+scan wraps the end of the log, the start_blk calculation in
+xlog_find_head() underflows and leads to an attempt to scan an
+invalid range of log blocks. This results in log recovery failure
+and a failed mount.
+
+Since there may be filesystems out in the wild with this kind of
+geometry, we cannot simply refuse to mount. Instead, cap the scan
+window for cycle verification to the size of the physical log. This
+ensures that the cycle verification proceeds as expected when the
+scan wraps the end of the log.
+
+Reported-by: Zorro Lang <zlang@redhat.com>
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_log_recover.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_log_recover.c
++++ b/fs/xfs/xfs_log_recover.c
+@@ -738,7 +738,7 @@ xlog_find_head(
+ * in the in-core log. The following number can be made tighter if
+ * we actually look at the block size of the filesystem.
+ */
+- num_scan_bblks = XLOG_TOTAL_REC_SHIFT(log);
++ num_scan_bblks = min_t(int, log_bbnum, XLOG_TOTAL_REC_SHIFT(log));
+ if (head_blk >= num_scan_bblks) {
+ /*
+ * We are guaranteed that the entire check can be performed
projects / thirdparty / kernel / stable-queue.git / commitdiff
