4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 12 Dec 2017 12:33:09 +0000 (13:33 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 12 Dec 2017 12:33:09 +0000 (13:33 +0100)
added patches:
afs-connect-up-the-cb.probeuuid.patch
arm-8657-1-uaccess-consistently-check-object-sizes.patch
arm-kvm-survive-unknown-traps-from-guests.patch
arm-omap2-fix-device-node-reference-counts.patch
arm-omap2-gpmc-onenand-propagate-error-on-initialization-failure.patch
arm-omap2-release-device-node-after-it-is-no-longer-needed.patch
arm64-kvm-survive-unknown-traps-from-guests.patch
asoc-rcar-avoid-ssi_modex-settings-for-ssi8.patch
atm-horizon-fix-irq-release-error.patch
audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch
axonram-fix-gendisk-handling.patch
blk-mq-initialize-mq-kobjects-in-blk_mq_init_allocated_queue.patch
block-wake-up-all-tasks-blocked-in-get_request.patch
bnx2x-do-not-rollback-vf-mac-vlan-filters-we-did-not-configure.patch
bnx2x-fix-detection-of-vlan-filtering-feature-for-vf.patch
bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch
bnx2x-prevent-crash-when-accessing-ptp-with-interface-down.patch
bpf-fix-lockdep-splat.patch
clk-uniphier-fix-dapll2-clock-rate-of-pro5.patch
coccinelle-fix-parallel-build-with-check-scripts-coccicheck.patch
crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch
drivers-rapidio-devices-rio_mport_cdev.c-fix-resource-leak-in-error-handling-path-in-rio_dma_transfer.patch
drm-amd-amdgpu-fix-console-deadlock-if-late-init-failed.patch
dt-bindings-usb-fix-reg-property-port-number-range.patch
dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch
edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch
edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch
gpio-altera-use-handle_level_irq-when-configured-as-a-level_high.patch
gre6-use-log_ecn_error-module-parameter-in-ip6_tnl_rcv.patch
hid-chicony-add-support-for-another-asus-zen-aio-keyboard.patch
i2c-riic-fix-restart-condition.patch
ib-mlx4-increase-maximal-message-size-under-ud-qp.patch
ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch
ibmvnic-allocate-number-of-rx-tx-buffers-agreed-on-by-firmware.patch
ibmvnic-fix-overflowing-firmware-hardware-tx-queue.patch
ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch
ipvlan-fix-ipv6-outbound-device.patch
irqchip-crossbar-fix-incorrect-type-of-register-size.patch
jump_label-invoke-jump_label_test-via-early_initcall.patch
kbuild-do-not-call-cc-option-before-kbuild_cflags-initialization.patch
kbuild-pkg-use-transform-option-to-prefix-paths-in-tar.patch
kvm-arm-arm64-vgic-fix-command-handling-while-its-being-disabled.patch
kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch
kvm-nvmx-vmclear-should-not-cause-the-vcpu-to-shut-down.patch
lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch
libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch
lirc-fix-dead-lock-between-open-and-wakeup_filter.patch
mac80211_hwsim-fix-memory-leak-in-hwsim_new_radio_nl.patch
md-free-unused-memory-after-bitmap-resize.patch
module-set-__jump_table-alignment-to-8.patch
netfilter-don-t-track-fragmented-packets.patch
nfs-fix-a-typo-in-nfs_rename.patch
powerpc-64-fix-checksum-folding-in-csum_add.patch
powerpc-64-invalidate-process-table-caching-after-setting-process-table.patch
powerpc-fix-compiling-a-be-kernel-with-a-powerpc64le-toolchain.patch
powerpc-powernv-ioda2-gracefully-fail-if-too-many-tce-levels-requested.patch
rdma-cxgb4-annotate-r2-and-stag-as-__be32.patch
rds-tcp-sequence-teardown-of-listen-and-acceptor-sockets-to-avoid-races.patch
revert-drm-armada-fix-compile-fail.patch
revert-spi-spi_fsl_dspi-should-depend-on-has_dma.patch
route-also-update-fnhe_genid-when-updating-a-route-cache.patch
route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch
sched-fair-make-select_idle_cpu-more-aggressive.patch
scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch
scsi-qla2xxx-fix-ql_dump_buffer.patch
sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch
sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch
selftest-powerpc-fix-false-failures-for-skipped-tests.patch
sparc64-mm-set-fields-in-deferred-pages.patch
spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch
spi_ks8995-regs_size-incorrect-for-some-devices.patch
sunrpc-fix-rpc_task_begin-trace-point.patch
usb-dwc3-gadget-fix-system-suspend-resume-on-ti-platforms.patch
usb-gadget-configs-plug-memory-leak.patch
usb-gadget-pxa27x-test-for-a-valid-argument-pointer.patch
usb-gadget-udc-net2280-fix-tmp-reusage-in-net2280-driver.patch
usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch
vti6-don-t-report-path-mtu-below-ipv6_min_mtu.patch
workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch
x86-hpet-prevent-might-sleep-splat-on-resume.patch
x86-mpx-selftests-fix-up-weird-arrays.patch
x86-platform-uv-bau-fix-hub-errors-by-remove-initial-write-to-sw-ack-register.patch
x86-selftests-add-clobbers-for-int80-on-x86_64.patch
xfrm-copy-policy-family-in-clone_policy.patch
xfs-fix-forgotten-rcu-read-unlock-when-skipping-inode-reclaim.patch
zram-set-physical-queue-limits-to-avoid-array-out-of-bounds-accesses.patch
zsmalloc-calling-zs_map_object-from-irq-is-a-bug.patch

88 files changed:
queue-4.9/afs-connect-up-the-cb.probeuuid.patch [new file with mode: 0644]
queue-4.9/arm-8657-1-uaccess-consistently-check-object-sizes.patch [new file with mode: 0644]
queue-4.9/arm-kvm-survive-unknown-traps-from-guests.patch [new file with mode: 0644]
queue-4.9/arm-omap2-fix-device-node-reference-counts.patch [new file with mode: 0644]
queue-4.9/arm-omap2-gpmc-onenand-propagate-error-on-initialization-failure.patch [new file with mode: 0644]
queue-4.9/arm-omap2-release-device-node-after-it-is-no-longer-needed.patch [new file with mode: 0644]
queue-4.9/arm64-kvm-survive-unknown-traps-from-guests.patch [new file with mode: 0644]
queue-4.9/asoc-rcar-avoid-ssi_modex-settings-for-ssi8.patch [new file with mode: 0644]
queue-4.9/atm-horizon-fix-irq-release-error.patch [new file with mode: 0644]
queue-4.9/audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch [new file with mode: 0644]
queue-4.9/axonram-fix-gendisk-handling.patch [new file with mode: 0644]
queue-4.9/blk-mq-initialize-mq-kobjects-in-blk_mq_init_allocated_queue.patch [new file with mode: 0644]
queue-4.9/block-wake-up-all-tasks-blocked-in-get_request.patch [new file with mode: 0644]
queue-4.9/bnx2x-do-not-rollback-vf-mac-vlan-filters-we-did-not-configure.patch [new file with mode: 0644]
queue-4.9/bnx2x-fix-detection-of-vlan-filtering-feature-for-vf.patch [new file with mode: 0644]
queue-4.9/bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch [new file with mode: 0644]
queue-4.9/bnx2x-prevent-crash-when-accessing-ptp-with-interface-down.patch [new file with mode: 0644]
queue-4.9/bpf-fix-lockdep-splat.patch [new file with mode: 0644]
queue-4.9/clk-uniphier-fix-dapll2-clock-rate-of-pro5.patch [new file with mode: 0644]
queue-4.9/coccinelle-fix-parallel-build-with-check-scripts-coccicheck.patch [new file with mode: 0644]
queue-4.9/crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch [new file with mode: 0644]
queue-4.9/drivers-rapidio-devices-rio_mport_cdev.c-fix-resource-leak-in-error-handling-path-in-rio_dma_transfer.patch [new file with mode: 0644]
queue-4.9/drm-amd-amdgpu-fix-console-deadlock-if-late-init-failed.patch [new file with mode: 0644]
queue-4.9/dt-bindings-usb-fix-reg-property-port-number-range.patch [new file with mode: 0644]
queue-4.9/dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch [new file with mode: 0644]
queue-4.9/edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch [new file with mode: 0644]
queue-4.9/edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch [new file with mode: 0644]
queue-4.9/gpio-altera-use-handle_level_irq-when-configured-as-a-level_high.patch [new file with mode: 0644]
queue-4.9/gre6-use-log_ecn_error-module-parameter-in-ip6_tnl_rcv.patch [new file with mode: 0644]
queue-4.9/hid-chicony-add-support-for-another-asus-zen-aio-keyboard.patch [new file with mode: 0644]
queue-4.9/i2c-riic-fix-restart-condition.patch [new file with mode: 0644]
queue-4.9/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch [new file with mode: 0644]
queue-4.9/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch [new file with mode: 0644]
queue-4.9/ibmvnic-allocate-number-of-rx-tx-buffers-agreed-on-by-firmware.patch [new file with mode: 0644]
queue-4.9/ibmvnic-fix-overflowing-firmware-hardware-tx-queue.patch [new file with mode: 0644]
queue-4.9/ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch [new file with mode: 0644]
queue-4.9/ipvlan-fix-ipv6-outbound-device.patch [new file with mode: 0644]
queue-4.9/irqchip-crossbar-fix-incorrect-type-of-register-size.patch [new file with mode: 0644]
queue-4.9/jump_label-invoke-jump_label_test-via-early_initcall.patch [new file with mode: 0644]
queue-4.9/kbuild-do-not-call-cc-option-before-kbuild_cflags-initialization.patch [new file with mode: 0644]
queue-4.9/kbuild-pkg-use-transform-option-to-prefix-paths-in-tar.patch [new file with mode: 0644]
queue-4.9/kvm-arm-arm64-vgic-fix-command-handling-while-its-being-disabled.patch [new file with mode: 0644]
queue-4.9/kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch [new file with mode: 0644]
queue-4.9/kvm-nvmx-vmclear-should-not-cause-the-vcpu-to-shut-down.patch [new file with mode: 0644]
queue-4.9/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch [new file with mode: 0644]
queue-4.9/libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch [new file with mode: 0644]
queue-4.9/lirc-fix-dead-lock-between-open-and-wakeup_filter.patch [new file with mode: 0644]
queue-4.9/mac80211_hwsim-fix-memory-leak-in-hwsim_new_radio_nl.patch [new file with mode: 0644]
queue-4.9/md-free-unused-memory-after-bitmap-resize.patch [new file with mode: 0644]
queue-4.9/module-set-__jump_table-alignment-to-8.patch [new file with mode: 0644]
queue-4.9/netfilter-don-t-track-fragmented-packets.patch [new file with mode: 0644]
queue-4.9/nfs-fix-a-typo-in-nfs_rename.patch [new file with mode: 0644]
queue-4.9/powerpc-64-fix-checksum-folding-in-csum_add.patch [new file with mode: 0644]
queue-4.9/powerpc-64-invalidate-process-table-caching-after-setting-process-table.patch [new file with mode: 0644]
queue-4.9/powerpc-fix-compiling-a-be-kernel-with-a-powerpc64le-toolchain.patch [new file with mode: 0644]
queue-4.9/powerpc-powernv-ioda2-gracefully-fail-if-too-many-tce-levels-requested.patch [new file with mode: 0644]
queue-4.9/rdma-cxgb4-annotate-r2-and-stag-as-__be32.patch [new file with mode: 0644]
queue-4.9/rds-tcp-sequence-teardown-of-listen-and-acceptor-sockets-to-avoid-races.patch [new file with mode: 0644]
queue-4.9/revert-drm-armada-fix-compile-fail.patch [new file with mode: 0644]
queue-4.9/revert-spi-spi_fsl_dspi-should-depend-on-has_dma.patch [new file with mode: 0644]
queue-4.9/route-also-update-fnhe_genid-when-updating-a-route-cache.patch [new file with mode: 0644]
queue-4.9/route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch [new file with mode: 0644]
queue-4.9/sched-fair-make-select_idle_cpu-more-aggressive.patch [new file with mode: 0644]
queue-4.9/scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch [new file with mode: 0644]
queue-4.9/scsi-qla2xxx-fix-ql_dump_buffer.patch [new file with mode: 0644]
queue-4.9/sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch [new file with mode: 0644]
queue-4.9/sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch [new file with mode: 0644]
queue-4.9/selftest-powerpc-fix-false-failures-for-skipped-tests.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/sparc64-mm-set-fields-in-deferred-pages.patch [new file with mode: 0644]
queue-4.9/spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch [new file with mode: 0644]
queue-4.9/spi_ks8995-regs_size-incorrect-for-some-devices.patch [new file with mode: 0644]
queue-4.9/sunrpc-fix-rpc_task_begin-trace-point.patch [new file with mode: 0644]
queue-4.9/usb-dwc3-gadget-fix-system-suspend-resume-on-ti-platforms.patch [new file with mode: 0644]
queue-4.9/usb-gadget-configs-plug-memory-leak.patch [new file with mode: 0644]
queue-4.9/usb-gadget-pxa27x-test-for-a-valid-argument-pointer.patch [new file with mode: 0644]
queue-4.9/usb-gadget-udc-net2280-fix-tmp-reusage-in-net2280-driver.patch [new file with mode: 0644]
queue-4.9/usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch [new file with mode: 0644]
queue-4.9/vti6-don-t-report-path-mtu-below-ipv6_min_mtu.patch [new file with mode: 0644]
queue-4.9/workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch [new file with mode: 0644]
queue-4.9/x86-hpet-prevent-might-sleep-splat-on-resume.patch [new file with mode: 0644]
queue-4.9/x86-mpx-selftests-fix-up-weird-arrays.patch [new file with mode: 0644]
queue-4.9/x86-platform-uv-bau-fix-hub-errors-by-remove-initial-write-to-sw-ack-register.patch [new file with mode: 0644]
queue-4.9/x86-selftests-add-clobbers-for-int80-on-x86_64.patch [new file with mode: 0644]
queue-4.9/xfrm-copy-policy-family-in-clone_policy.patch [new file with mode: 0644]
queue-4.9/xfs-fix-forgotten-rcu-read-unlock-when-skipping-inode-reclaim.patch [new file with mode: 0644]
queue-4.9/zram-set-physical-queue-limits-to-avoid-array-out-of-bounds-accesses.patch [new file with mode: 0644]
queue-4.9/zsmalloc-calling-zs_map_object-from-irq-is-a-bug.patch [new file with mode: 0644]

diff --git a/queue-4.9/afs-connect-up-the-cb.probeuuid.patch b/queue-4.9/afs-connect-up-the-cb.probeuuid.patch
new file mode 100644 (file)
index 0000000..6bab8be
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 2 Nov 2017 15:27:48 +0000
+Subject: afs: Connect up the CB.ProbeUuid
+
+From: David Howells <dhowells@redhat.com>
+
+
+[ Upstream commit f4b3526d83c40dd8bf5948b9d7a1b2c340f0dcc8 ]
+
+The handler for the CB.ProbeUuid operation in the cache manager is
+implemented, but isn't listed in the switch-statement of operation
+selection, so won't be used.  Fix this by adding it.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/afs/cmservice.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/afs/cmservice.c
++++ b/fs/afs/cmservice.c
+@@ -106,6 +106,9 @@ bool afs_cm_incoming_call(struct afs_cal
+       case CBProbe:
+               call->type = &afs_SRXCBProbe;
+               return true;
++      case CBProbeUuid:
++              call->type = &afs_SRXCBProbeUuid;
++              return true;
+       case CBTellMeAboutYourself:
+               call->type = &afs_SRXCBTellMeAboutYourself;
+               return true;
diff --git a/queue-4.9/arm-8657-1-uaccess-consistently-check-object-sizes.patch b/queue-4.9/arm-8657-1-uaccess-consistently-check-object-sizes.patch
new file mode 100644 (file)
index 0000000..679b5b7
--- /dev/null
@@ -0,0 +1,119 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 16 Feb 2017 01:43:58 +0100
+Subject: ARM: 8657/1: uaccess: consistently check object sizes
+
+From: Kees Cook <keescook@chromium.org>
+
+
+[ Upstream commit 32b143637e8180f5d5cea54320c769210dea4f19 ]
+
+In commit 76624175dcae ("arm64: uaccess: consistently check object sizes"),
+the object size checks are moved outside the access_ok() so that bad
+destinations are detected before hitting the "memset(dest, 0, size)" in the
+copy_from_user() failure path.
+
+This makes the same change for arm, with attention given to possibly
+extracting the uaccess routines into a common header file for all
+architectures in the future.
+
+Suggested-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/include/asm/uaccess.h |   44 +++++++++++++++++++++++++++++------------
+ 1 file changed, 32 insertions(+), 12 deletions(-)
+
+--- a/arch/arm/include/asm/uaccess.h
++++ b/arch/arm/include/asm/uaccess.h
+@@ -478,11 +478,10 @@ extern unsigned long __must_check
+ arm_copy_from_user(void *to, const void __user *from, unsigned long n);
+ static inline unsigned long __must_check
+-__copy_from_user(void *to, const void __user *from, unsigned long n)
++__arch_copy_from_user(void *to, const void __user *from, unsigned long n)
+ {
+       unsigned int __ua_flags;
+-      check_object_size(to, n, false);
+       __ua_flags = uaccess_save_and_enable();
+       n = arm_copy_from_user(to, from, n);
+       uaccess_restore(__ua_flags);
+@@ -495,18 +494,15 @@ extern unsigned long __must_check
+ __copy_to_user_std(void __user *to, const void *from, unsigned long n);
+ static inline unsigned long __must_check
+-__copy_to_user(void __user *to, const void *from, unsigned long n)
++__arch_copy_to_user(void __user *to, const void *from, unsigned long n)
+ {
+ #ifndef CONFIG_UACCESS_WITH_MEMCPY
+       unsigned int __ua_flags;
+-
+-      check_object_size(from, n, true);
+       __ua_flags = uaccess_save_and_enable();
+       n = arm_copy_to_user(to, from, n);
+       uaccess_restore(__ua_flags);
+       return n;
+ #else
+-      check_object_size(from, n, true);
+       return arm_copy_to_user(to, from, n);
+ #endif
+ }
+@@ -526,25 +522,49 @@ __clear_user(void __user *addr, unsigned
+ }
+ #else
+-#define __copy_from_user(to, from, n) (memcpy(to, (void __force *)from, n), 0)
+-#define __copy_to_user(to, from, n)   (memcpy((void __force *)to, from, n), 0)
++#define __arch_copy_from_user(to, from, n)    \
++                                      (memcpy(to, (void __force *)from, n), 0)
++#define __arch_copy_to_user(to, from, n)      \
++                                      (memcpy((void __force *)to, from, n), 0)
+ #define __clear_user(addr, n)         (memset((void __force *)addr, 0, n), 0)
+ #endif
+-static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
++static inline unsigned long __must_check
++__copy_from_user(void *to, const void __user *from, unsigned long n)
++{
++      check_object_size(to, n, false);
++      return __arch_copy_from_user(to, from, n);
++}
++
++static inline unsigned long __must_check
++copy_from_user(void *to, const void __user *from, unsigned long n)
+ {
+       unsigned long res = n;
++
++      check_object_size(to, n, false);
++
+       if (likely(access_ok(VERIFY_READ, from, n)))
+-              res = __copy_from_user(to, from, n);
++              res = __arch_copy_from_user(to, from, n);
+       if (unlikely(res))
+               memset(to + (n - res), 0, res);
+       return res;
+ }
+-static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
++static inline unsigned long __must_check
++__copy_to_user(void __user *to, const void *from, unsigned long n)
+ {
++      check_object_size(from, n, true);
++
++      return __arch_copy_to_user(to, from, n);
++}
++
++static inline unsigned long __must_check
++copy_to_user(void __user *to, const void *from, unsigned long n)
++{
++      check_object_size(from, n, true);
++
+       if (access_ok(VERIFY_WRITE, to, n))
+-              n = __copy_to_user(to, from, n);
++              n = __arch_copy_to_user(to, from, n);
+       return n;
+ }
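Review bot: Nothing in the new `copy_from_user()` records that `check_object_size(to, n, false)` must stay ahead of the `access_ok()` test. A later cleanup could fold it back into the success branch, and the failure-path `memset(to + (n - res), 0, res)` would again run against an unchecked destination. A comment above the call would pin the ordering, for example `/* Check 'to' before access_ok(): the failure path below memsets it. */`. The `#else` macro variants `__arch_copy_from_user` and `__arch_copy_to_user` also use their arguments unparenthesised inside the cast; `(void __force *)(from)` and `(void __force *)(to)` would be the safer spelling.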
diff --git a/queue-4.9/arm-kvm-survive-unknown-traps-from-guests.patch b/queue-4.9/arm-kvm-survive-unknown-traps-from-guests.patch
new file mode 100644 (file)
index 0000000..36ac989
--- /dev/null
@@ -0,0 +1,87 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Mon, 20 Feb 2017 12:30:11 +0000
+Subject: arm: KVM: Survive unknown traps from guests
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+
+[ Upstream commit f050fe7a9164945dd1c28be05bf00e8cfb082ccf ]
+
+Currently we BUG() if we see a HSR.EC value we don't recognise. As
+configurable disables/enables are added to the architecture (controlled
+by RES1/RES0 bits respectively), with associated synchronous exceptions,
+it may be possible for a guest to trigger exceptions with classes that
+we don't recognise.
+
+While we can't service these exceptions in a manner useful to the guest,
+we can avoid bringing down the host. Per ARM DDI 0406C.c, all currently
+unallocated HSR EC encodings are reserved, and per ARM DDI
+0487A.k_iss10775, page G6-4395, EC values within the range 0x00 - 0x2c
+are reserved for future use with synchronous exceptions, and EC values
+within the range 0x2d - 0x3f may be used for either synchronous or
+asynchronous exceptions.
+
+The patch makes KVM handle any unknown EC by injecting an UNDEFINED
+exception into the guest, with a corresponding (ratelimited) warning in
+the host dmesg. We could later improve on this with with a new (opt-in)
+exit to the host userspace.
+
+Cc: Dave Martin <dave.martin@arm.com>
+Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/include/asm/kvm_arm.h |    1 +
+ arch/arm/kvm/handle_exit.c     |   19 ++++++++++++-------
+ 2 files changed, 13 insertions(+), 7 deletions(-)
+
+--- a/arch/arm/include/asm/kvm_arm.h
++++ b/arch/arm/include/asm/kvm_arm.h
+@@ -208,6 +208,7 @@
+ #define HSR_EC_IABT_HYP       (0x21)
+ #define HSR_EC_DABT   (0x24)
+ #define HSR_EC_DABT_HYP       (0x25)
++#define HSR_EC_MAX    (0x3f)
+ #define HSR_WFI_IS_WFE                (_AC(1, UL) << 0)
+--- a/arch/arm/kvm/handle_exit.c
++++ b/arch/arm/kvm/handle_exit.c
+@@ -79,7 +79,19 @@ static int kvm_handle_wfx(struct kvm_vcp
+       return 1;
+ }
++static int kvm_handle_unknown_ec(struct kvm_vcpu *vcpu, struct kvm_run *run)
++{
++      u32 hsr = kvm_vcpu_get_hsr(vcpu);
++
++      kvm_pr_unimpl("Unknown exception class: hsr: %#08x\n",
++                    hsr);
++
++      kvm_inject_undefined(vcpu);
++      return 1;
++}
++
+ static exit_handle_fn arm_exit_handlers[] = {
++      [0 ... HSR_EC_MAX]      = kvm_handle_unknown_ec,
+       [HSR_EC_WFI]            = kvm_handle_wfx,
+       [HSR_EC_CP15_32]        = kvm_handle_cp15_32,
+       [HSR_EC_CP15_64]        = kvm_handle_cp15_64,
+@@ -98,13 +110,6 @@ static exit_handle_fn kvm_get_exit_handl
+ {
+       u8 hsr_ec = kvm_vcpu_trap_get_class(vcpu);
+-      if (hsr_ec >= ARRAY_SIZE(arm_exit_handlers) ||
+-          !arm_exit_handlers[hsr_ec]) {
+-              kvm_err("Unknown exception class: hsr: %#08x\n",
+-                      (unsigned int)kvm_vcpu_get_hsr(vcpu));
+-              BUG();
+-      }
+-
+       return arm_exit_handlers[hsr_ec];
+ }
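Review bot: With the range check removed, `kvm_get_exit_handler()` indexes `arm_exit_handlers[hsr_ec]` with no bound, so host memory safety now depends on the table covering every value `kvm_vcpu_trap_get_class()` can return. That presumably holds because the EC field tops out at `HSR_EC_MAX` (0x3f) and the `[0 ... HSR_EC_MAX]` initialiser sizes the array, but the helper is not visible in this hunk and a later edit to either side would go unnoticed. A compile-time guard such as `BUILD_BUG_ON(ARRAY_SIZE(arm_exit_handlers) != HSR_EC_MAX + 1);` would make the invariant explicit. A comment before the return, such as `/* hsr_ec <= HSR_EC_MAX, and every slot has a handler */`, would document it. By its description, queue-4.9/arm64-kvm-survive-unknown-traps-from-guests.patch makes the same change and deserves the same guard.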
diff --git a/queue-4.9/arm-omap2-fix-device-node-reference-counts.patch b/queue-4.9/arm-omap2-fix-device-node-reference-counts.patch
new file mode 100644 (file)
index 0000000..08592f0
--- /dev/null
@@ -0,0 +1,93 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Sat, 4 Mar 2017 07:02:10 -0800
+Subject: ARM: OMAP2+: Fix device node reference counts
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+
+[ Upstream commit 10e5778f54765c96fe0c8f104b7a030e5b35bc72 ]
+
+After commit 0549bde0fcb1 ("of: fix of_node leak caused in
+of_find_node_opts_by_path"), the following error may be
+reported when running omap images.
+
+OF: ERROR: Bad of_node_put() on /ocp@68000000
+CPU: 0 PID: 0 Comm: swapper Not tainted 4.10.0-rc7-next-20170210 #1
+Hardware name: Generic OMAP3-GP (Flattened Device Tree)
+[<c0310604>] (unwind_backtrace) from [<c030bbf4>] (show_stack+0x10/0x14)
+[<c030bbf4>] (show_stack) from [<c05add8c>] (dump_stack+0x98/0xac)
+[<c05add8c>] (dump_stack) from [<c05af1b0>] (kobject_release+0x48/0x7c)
+[<c05af1b0>] (kobject_release)
+       from [<c0ad1aa4>] (of_find_node_by_name+0x74/0x94)
+[<c0ad1aa4>] (of_find_node_by_name)
+       from [<c1215bd4>] (omap3xxx_hwmod_is_hs_ip_block_usable+0x24/0x2c)
+[<c1215bd4>] (omap3xxx_hwmod_is_hs_ip_block_usable) from
+[<c1215d5c>] (omap3xxx_hwmod_init+0x180/0x274)
+[<c1215d5c>] (omap3xxx_hwmod_init)
+       from [<c120faa8>] (omap3_init_early+0xa0/0x11c)
+[<c120faa8>] (omap3_init_early)
+       from [<c120fb2c>] (omap3430_init_early+0x8/0x30)
+[<c120fb2c>] (omap3430_init_early)
+       from [<c1204710>] (setup_arch+0xc04/0xc34)
+[<c1204710>] (setup_arch) from [<c1200948>] (start_kernel+0x68/0x38c)
+[<c1200948>] (start_kernel) from [<8020807c>] (0x8020807c)
+
+of_find_node_by_name() drops the reference to the passed device node.
+The commit referenced above exposes this problem.
+
+To fix the problem, use of_get_child_by_name() instead of
+of_find_node_by_name(); of_get_child_by_name() does not drop
+the reference count of passed device nodes. While semantically
+different, we only look for immediate children of the passed
+device node, so of_get_child_by_name() is a more appropriate
+function to use anyway.
+
+Release the reference to the device node obtained with
+of_get_child_by_name() after it is no longer needed to avoid
+another device node leak.
+
+While at it, clean up the code and change the return type of
+omap3xxx_hwmod_is_hs_ip_block_usable() to bool to match its use
+and the return type of of_device_is_available().
+
+Cc: Qi Hou <qi.hou@windriver.com>
+Cc: Peter Rosin <peda@axentia.se>
+Cc: Rob Herring <robh@kernel.org>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap2/omap_hwmod_3xxx_data.c |   16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
++++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+@@ -3828,16 +3828,20 @@ static struct omap_hwmod_ocp_if *omap3xx
+  * Return: 0 if device named @dev_name is not likely to be accessible,
+  * or 1 if it is likely to be accessible.
+  */
+-static int __init omap3xxx_hwmod_is_hs_ip_block_usable(struct device_node *bus,
+-                                                     const char *dev_name)
++static bool __init omap3xxx_hwmod_is_hs_ip_block_usable(struct device_node *bus,
++                                                      const char *dev_name)
+ {
++      struct device_node *node;
++      bool available;
++
+       if (!bus)
+-              return (omap_type() == OMAP2_DEVICE_TYPE_GP) ? 1 : 0;
++              return omap_type() == OMAP2_DEVICE_TYPE_GP;
+-      if (of_device_is_available(of_find_node_by_name(bus, dev_name)))
+-              return 1;
++      node = of_get_child_by_name(bus, dev_name);
++      available = of_device_is_available(node);
++      of_node_put(node);
+-      return 0;
++      return available;
+ }
+ int __init omap3xxx_hwmod_init(void)
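Review bot: The kerneldoc kept as context above `omap3xxx_hwmod_is_hs_ip_block_usable()` still says `Return: 0 if ... or 1 if ...`, which no longer matches the new `bool` return type. It should read `Return: false if device named @dev_name is not likely to be accessible, or true if it is likely to be accessible.` The comment block starts above the hunk, so the rest of it should be checked for the same wording. The result of `of_get_child_by_name()` is also used unchecked. That is fine because both consumers accept NULL, but a short note such as `/* node may be NULL; both calls below tolerate that */` would spare the next reader the lookup.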
diff --git a/queue-4.9/arm-omap2-gpmc-onenand-propagate-error-on-initialization-failure.patch b/queue-4.9/arm-omap2-gpmc-onenand-propagate-error-on-initialization-failure.patch
new file mode 100644 (file)
index 0000000..cd56ff3
--- /dev/null
@@ -0,0 +1,85 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Ladislav Michl <ladis@linux-mips.org>
+Date: Sat, 11 Feb 2017 14:02:49 +0100
+Subject: ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure
+
+From: Ladislav Michl <ladis@linux-mips.org>
+
+
+[ Upstream commit 7807e086a2d1f69cc1a57958cac04fea79fc2112 ]
+
+gpmc_probe_onenand_child returns success even on gpmc_onenand_init
+failure. Fix that.
+
+Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
+Acked-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap2/gpmc-onenand.c |   10 ++++++----
+ drivers/memory/omap-gpmc.c         |    4 +---
+ include/linux/omap-gpmc.h          |    5 +++--
+ 3 files changed, 10 insertions(+), 9 deletions(-)
+
+--- a/arch/arm/mach-omap2/gpmc-onenand.c
++++ b/arch/arm/mach-omap2/gpmc-onenand.c
+@@ -367,7 +367,7 @@ static int gpmc_onenand_setup(void __iom
+       return ret;
+ }
+-void gpmc_onenand_init(struct omap_onenand_platform_data *_onenand_data)
++int gpmc_onenand_init(struct omap_onenand_platform_data *_onenand_data)
+ {
+       int err;
+       struct device *dev = &gpmc_onenand_device.dev;
+@@ -393,15 +393,17 @@ void gpmc_onenand_init(struct omap_onena
+       if (err < 0) {
+               dev_err(dev, "Cannot request GPMC CS %d, error %d\n",
+                       gpmc_onenand_data->cs, err);
+-              return;
++              return err;
+       }
+       gpmc_onenand_resource.end = gpmc_onenand_resource.start +
+                                                       ONENAND_IO_SIZE - 1;
+-      if (platform_device_register(&gpmc_onenand_device) < 0) {
++      err = platform_device_register(&gpmc_onenand_device);
++      if (err) {
+               dev_err(dev, "Unable to register OneNAND device\n");
+               gpmc_cs_free(gpmc_onenand_data->cs);
+-              return;
+       }
++
++      return err;
+ }
+--- a/drivers/memory/omap-gpmc.c
++++ b/drivers/memory/omap-gpmc.c
+@@ -1947,9 +1947,7 @@ static int gpmc_probe_onenand_child(stru
+       if (!of_property_read_u32(child, "dma-channel", &val))
+               gpmc_onenand_data->dma_channel = val;
+-      gpmc_onenand_init(gpmc_onenand_data);
+-
+-      return 0;
++      return gpmc_onenand_init(gpmc_onenand_data);
+ }
+ #else
+ static int gpmc_probe_onenand_child(struct platform_device *pdev,
+--- a/include/linux/omap-gpmc.h
++++ b/include/linux/omap-gpmc.h
+@@ -88,10 +88,11 @@ static inline int gpmc_nand_init(struct
+ #endif
+ #if IS_ENABLED(CONFIG_MTD_ONENAND_OMAP2)
+-extern void gpmc_onenand_init(struct omap_onenand_platform_data *d);
++extern int gpmc_onenand_init(struct omap_onenand_platform_data *d);
+ #else
+ #define board_onenand_data    NULL
+-static inline void gpmc_onenand_init(struct omap_onenand_platform_data *d)
++static inline int gpmc_onenand_init(struct omap_onenand_platform_data *d)
+ {
++      return 0;
+ }
+ #endif
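Review bot: In `gpmc_onenand_init()` the registration failure now captures `err` but the log line still drops it, unlike the `Cannot request GPMC CS %d, error %d` message just above. Since the value is propagated to the probe path anyway, logging it keeps the two messages consistent and makes the failure diagnosable from dmesg: `dev_err(dev, "Unable to register OneNAND device, error %d\n", err);`. The function's new contract is also undocumented; a brief comment on the prototype in include/linux/omap-gpmc.h could state that it returns 0 on success or a negative errno. The body of `gpmc_onenand_init()` starts outside the hunks shown, so any earlier exit paths could not be checked here.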
diff --git a/queue-4.9/arm-omap2-release-device-node-after-it-is-no-longer-needed.patch b/queue-4.9/arm-omap2-release-device-node-after-it-is-no-longer-needed.patch
new file mode 100644 (file)
index 0000000..cf914b0
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Sat, 4 Mar 2017 07:02:11 -0800
+Subject: ARM: OMAP2+: Release device node after it is no longer needed.
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+
+[ Upstream commit b92675d998a9fa37fe9e0e35053a95b4a23c158b ]
+
+The device node returned by of_find_node_by_name() needs to be released
+after it is no longer needed to avoid a device node leak.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap2/omap_hwmod_3xxx_data.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
++++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+@@ -3910,15 +3910,20 @@ int __init omap3xxx_hwmod_init(void)
+       if (h_sham && omap3xxx_hwmod_is_hs_ip_block_usable(bus, "sham")) {
+               r = omap_hwmod_register_links(h_sham);
+-              if (r < 0)
++              if (r < 0) {
++                      of_node_put(bus);
+                       return r;
++              }
+       }
+       if (h_aes && omap3xxx_hwmod_is_hs_ip_block_usable(bus, "aes")) {
+               r = omap_hwmod_register_links(h_aes);
+-              if (r < 0)
++              if (r < 0) {
++                      of_node_put(bus);
+                       return r;
++              }
+       }
++      of_node_put(bus);
+       /*
+        * Register hwmod links specific to certain ES levels of a
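Review bot: The three `of_node_put(bus)` calls only cover the sham/aes section of `omap3xxx_hwmod_init()`. The point where `bus` is acquired and any error returns between there and this hunk lie outside the visible lines, so those paths should be checked for the same leak. The final put is also what makes `bus` invalid for the rest of the function, which is worth stating at the call: `/* bus is only needed for the sham/aes checks above; drop the reference here */`. If more users of `bus` are added later, a single exit label that does the put would be less error-prone than repeating it in each branch.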
diff --git a/queue-4.9/arm64-kvm-survive-unknown-traps-from-guests.patch b/queue-4.9/arm64-kvm-survive-unknown-traps-from-guests.patch
new file mode 100644 (file)
index 0000000..ab305f1
--- /dev/null
@@ -0,0 +1,74 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Mon, 20 Feb 2017 12:30:12 +0000
+Subject: arm64: KVM: Survive unknown traps from guests
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+
+[ Upstream commit ba4dd156eabdca93501d92a980ba27fa5f4bbd27 ]
+
+Currently we BUG() if we see an ESR_EL2.EC value we don't recognise. As
+configurable disables/enables are added to the architecture (controlled
+by RES1/RES0 bits respectively), with associated synchronous exceptions,
+it may be possible for a guest to trigger exceptions with classes that
+we don't recognise.
+
+While we can't service these exceptions in a manner useful to the guest,
+we can avoid bringing down the host. Per ARM DDI 0487A.k_iss10775, page
+D7-1937, EC values within the range 0x00 - 0x2c are reserved for future
+use with synchronous exceptions, and EC values within the range 0x2d -
+0x3f may be used for either synchronous or asynchronous exceptions.
+
+The patch makes KVM handle any unknown EC by injecting an UNDEFINED
+exception into the guest, with a corresponding (ratelimited) warning in
+the host dmesg. We could later improve on this with with a new (opt-in)
+exit to the host userspace.
+
+Cc: Dave Martin <dave.martin@arm.com>
+Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/handle_exit.c |   19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/arch/arm64/kvm/handle_exit.c
++++ b/arch/arm64/kvm/handle_exit.c
+@@ -125,7 +125,19 @@ static int kvm_handle_guest_debug(struct
+       return ret;
+ }
++static int kvm_handle_unknown_ec(struct kvm_vcpu *vcpu, struct kvm_run *run)
++{
++      u32 hsr = kvm_vcpu_get_hsr(vcpu);
++
++      kvm_pr_unimpl("Unknown exception class: hsr: %#08x -- %s\n",
++                    hsr, esr_get_class_string(hsr));
++
++      kvm_inject_undefined(vcpu);
++      return 1;
++}
++
+ static exit_handle_fn arm_exit_handlers[] = {
++      [0 ... ESR_ELx_EC_MAX]  = kvm_handle_unknown_ec,
+       [ESR_ELx_EC_WFx]        = kvm_handle_wfx,
+       [ESR_ELx_EC_CP15_32]    = kvm_handle_cp15_32,
+       [ESR_ELx_EC_CP15_64]    = kvm_handle_cp15_64,
+@@ -151,13 +163,6 @@ static exit_handle_fn kvm_get_exit_handl
+       u32 hsr = kvm_vcpu_get_hsr(vcpu);
+       u8 hsr_ec = ESR_ELx_EC(hsr);
+-      if (hsr_ec >= ARRAY_SIZE(arm_exit_handlers) ||
+-          !arm_exit_handlers[hsr_ec]) {
+-              kvm_err("Unknown exception class: hsr: %#08x -- %s\n",
+-                      hsr, esr_get_class_string(hsr));
+-              BUG();
+-      }
+-
+       return arm_exit_handlers[hsr_ec];
+ }
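Review bot: kvm_get_exit_handler() now indexes `arm_exit_handlers[hsr_ec]` with no bounds or NULL check, so its safety rests on two things the code does not state: ESR_ELx_EC() can never yield more than ESR_ELx_EC_MAX, and the `[0 ... ESR_ELx_EC_MAX]` range initialiser must stay the first entry so that the specific handlers after it override the default. Neither macro definition is visible in this hunk, so this is presumably true but should be pinned down. A comment above the table, for example `/* default first: later designators override it; covers every value ESR_ELx_EC() can return */`, would stop a reordering or a widened EC field from turning this into an out-of-bounds or NULL call. The new handler is reachable by a guest at will, so the host log line must stay rate-limited as the description says.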
diff --git a/queue-4.9/asoc-rcar-avoid-ssi_modex-settings-for-ssi8.patch b/queue-4.9/asoc-rcar-avoid-ssi_modex-settings-for-ssi8.patch
new file mode 100644 (file)
index 0000000..be3b070
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Date: Fri, 3 Mar 2017 04:25:09 +0000
+Subject: ASoC: rcar: avoid SSI_MODEx settings for SSI8
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+
+[ Upstream commit 4b30eebfc35c67771b5f58d9274d3e321b72d7a8 ]
+
+SSI8 is is sharing pin with SSI7, and nothing to do for SSI_MODEx.
+It is special pin and it needs special settings whole system,
+but we can't confirm it, because we never have SSI8 available board.
+
+This patch fixup SSI_MODEx settings error for SSI8 on connection test,
+but should be confirmed behavior on real board in the future.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Tested-by: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/sh/rcar/ssiu.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/sh/rcar/ssiu.c
++++ b/sound/soc/sh/rcar/ssiu.c
+@@ -44,7 +44,11 @@ static int rsnd_ssiu_init(struct rsnd_mo
+       mask1 = (1 << 4) | (1 << 20);   /* mask sync bit */
+       mask2 = (1 << 4);               /* mask sync bit */
+       val1  = val2  = 0;
+-      if (rsnd_ssi_is_pin_sharing(io)) {
++      if (id == 8) {
++              /*
++               * SSI8 pin is sharing with SSI7, nothing to do.
++               */
++      } else if (rsnd_ssi_is_pin_sharing(io)) {
+               int shift = -1;
+               switch (id) {
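Review bot: The new `id == 8` branch is commented "nothing to do", but `mask1`/`mask2` are already set to the sync bits and `val1`/`val2` to 0 just above it, so if the code after this hunk writes the masked values (not visible here), SSI8 still gets those bits cleared rather than left untouched. The comment should say which is intended, for example `/* SSI8 shares its pin with SSI7: no pin-sharing setup, sync bits are still cleared below */`. The bare `8` would also read better as a named constant. rsnd_ssiu_init() continues outside the hunk, and the description itself notes the behaviour is unverified on hardware.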
diff --git a/queue-4.9/atm-horizon-fix-irq-release-error.patch b/queue-4.9/atm-horizon-fix-irq-release-error.patch
new file mode 100644 (file)
index 0000000..07a1791
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Tue, 14 Nov 2017 13:42:38 +0530
+Subject: atm: horizon: Fix irq release error
+
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+
+
+[ Upstream commit bde533f2ea607cbbbe76ef8738b36243939a7bc2 ]
+
+atm_dev_register() can fail here and passed parameters to free irq
+which is not initialised. Initialization of 'dev->irq' happened after
+the 'goto out_free_irq'. So using 'irq' insted of 'dev->irq' in
+free_irq().
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/atm/horizon.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/atm/horizon.c
++++ b/drivers/atm/horizon.c
+@@ -2802,7 +2802,7 @@ out:
+       return err;
+ out_free_irq:
+-      free_irq(dev->irq, dev);
++      free_irq(irq, dev);
+ out_free:
+       kfree(dev);
+ out_release:
diff --git a/queue-4.9/audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch b/queue-4.9/audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch
new file mode 100644 (file)
index 0000000..4034054
--- /dev/null
@@ -0,0 +1,64 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Paul Moore <paul@paul-moore.com>
+Date: Fri, 1 Sep 2017 09:44:34 -0400
+Subject: audit: ensure that 'audit=1' actually enables audit for PID 1
+
+From: Paul Moore <paul@paul-moore.com>
+
+
+[ Upstream commit 173743dd99a49c956b124a74c8aacb0384739a4c ]
+
+Prior to this patch we enabled audit in audit_init(), which is too
+late for PID 1 as the standard initcalls are run after the PID 1 task
+is forked.  This means that we never allocate an audit_context (see
+audit_alloc()) for PID 1 and therefore miss a lot of audit events
+generated by PID 1.
+
+This patch enables audit as early as possible to help ensure that when
+PID 1 is forked it can allocate an audit_context if required.
+
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/audit.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -79,13 +79,13 @@ static int audit_initialized;
+ #define AUDIT_OFF     0
+ #define AUDIT_ON      1
+ #define AUDIT_LOCKED  2
+-u32           audit_enabled;
+-u32           audit_ever_enabled;
++u32           audit_enabled = AUDIT_OFF;
++u32           audit_ever_enabled = !!AUDIT_OFF;
+ EXPORT_SYMBOL_GPL(audit_enabled);
+ /* Default state when kernel boots without any parameters. */
+-static u32    audit_default;
++static u32    audit_default = AUDIT_OFF;
+ /* If auditing cannot proceed, audit_failure selects what happens. */
+ static u32    audit_failure = AUDIT_FAIL_PRINTK;
+@@ -1199,8 +1199,6 @@ static int __init audit_init(void)
+       skb_queue_head_init(&audit_skb_queue);
+       skb_queue_head_init(&audit_skb_hold_queue);
+       audit_initialized = AUDIT_INITIALIZED;
+-      audit_enabled = audit_default;
+-      audit_ever_enabled |= !!audit_default;
+       audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, "initialized");
+@@ -1217,6 +1215,8 @@ static int __init audit_enable(char *str
+       audit_default = !!simple_strtol(str, NULL, 0);
+       if (!audit_default)
+               audit_initialized = AUDIT_DISABLED;
++      audit_enabled = audit_default;
++      audit_ever_enabled = !!audit_enabled;
+       pr_info("%s\n", audit_default ?
+               "enabled (after initialization)" : "disabled (until reboot)");
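Review bot: The two lines added to audit_enable() carry the whole fix, yet nothing says why the enable state is set there rather than in audit_init(), so a later cleanup could move them back and silently lose PID 1's audit events again. I would add `/* set at parameter-parse time: audit_init() runs after PID 1 is forked, too late for audit_alloc() */` above `audit_enabled = audit_default;`. Separately, `u32 audit_ever_enabled = !!AUDIT_OFF;` is an obscure spelling of zero; `= 0` says the same thing plainly. Note that the unchanged `simple_strtol(str, NULL, 0)` maps any unparsable `audit=` value to 0, which the next line treats as "disabled until reboot"; a typo in the boot parameter therefore disables auditing, and this change makes that take effect earlier.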
diff --git a/queue-4.9/axonram-fix-gendisk-handling.patch b/queue-4.9/axonram-fix-gendisk-handling.patch
new file mode 100644 (file)
index 0000000..a544765
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 8 Mar 2017 14:56:05 +0100
+Subject: axonram: Fix gendisk handling
+
+From: Jan Kara <jack@suse.cz>
+
+
+[ Upstream commit 672a2c87c83649fb0167202342ce85af9a3b4f1c ]
+
+It is invalid to call del_gendisk() when disk->queue is NULL. Fix error
+handling in axon_ram_probe() to avoid doing that.
+
+Also del_gendisk() does not drop a reference to gendisk allocated by
+alloc_disk(). That has to be done by put_disk(). Add that call where
+needed.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/sysdev/axonram.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/sysdev/axonram.c
++++ b/arch/powerpc/sysdev/axonram.c
+@@ -274,7 +274,9 @@ failed:
+                       if (bank->disk->major > 0)
+                               unregister_blkdev(bank->disk->major,
+                                               bank->disk->disk_name);
+-                      del_gendisk(bank->disk);
++                      if (bank->disk->flags & GENHD_FL_UP)
++                              del_gendisk(bank->disk);
++                      put_disk(bank->disk);
+               }
+               device->dev.platform_data = NULL;
+               if (bank->io_addr != 0)
+@@ -299,6 +301,7 @@ axon_ram_remove(struct platform_device *
+       device_remove_file(&device->dev, &dev_attr_ecc);
+       free_irq(bank->irq_id, device);
+       del_gendisk(bank->disk);
++      put_disk(bank->disk);
+       iounmap((void __iomem *) bank->io_addr);
+       kfree(bank);
diff --git a/queue-4.9/blk-mq-initialize-mq-kobjects-in-blk_mq_init_allocated_queue.patch b/queue-4.9/blk-mq-initialize-mq-kobjects-in-blk_mq_init_allocated_queue.patch
new file mode 100644 (file)
index 0000000..a536db4
--- /dev/null
@@ -0,0 +1,101 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Ming Lei <tom.leiming@gmail.com>
+Date: Wed, 22 Feb 2017 18:13:59 +0800
+Subject: blk-mq: initialize mq kobjects in blk_mq_init_allocated_queue()
+
+From: Ming Lei <tom.leiming@gmail.com>
+
+
+[ Upstream commit 737f98cfe7de8df7433a4d846850aa8efa44bd48 ]
+
+Both q->mq_kobj and sw queues' kobjects should have been initialized
+once, instead of doing that each add_disk context.
+
+Also this patch removes clearing of ctx in blk_mq_init_cpu_queues()
+because percpu allocator fills zero to allocated variable.
+
+This patch fixes one issue[1] reported from Omar.
+
+[1] kernel wearning when doing unbind/bind on one scsi-mq device
+
+[   19.347924] kobject (ffff8800791ea0b8): tried to init an initialized object, something is seriously wrong.
+[   19.349781] CPU: 1 PID: 84 Comm: kworker/u8:1 Not tainted 4.10.0-rc7-00210-g53f39eeaa263 #34
+[   19.350686] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-20161122_114906-anatol 04/01/2014
+[   19.350920] Workqueue: events_unbound async_run_entry_fn
+[   19.350920] Call Trace:
+[   19.350920]  dump_stack+0x63/0x83
+[   19.350920]  kobject_init+0x77/0x90
+[   19.350920]  blk_mq_register_dev+0x40/0x130
+[   19.350920]  blk_register_queue+0xb6/0x190
+[   19.350920]  device_add_disk+0x1ec/0x4b0
+[   19.350920]  sd_probe_async+0x10d/0x1c0 [sd_mod]
+[   19.350920]  async_run_entry_fn+0x48/0x150
+[   19.350920]  process_one_work+0x1d0/0x480
+[   19.350920]  worker_thread+0x48/0x4e0
+[   19.350920]  kthread+0x101/0x140
+[   19.350920]  ? process_one_work+0x480/0x480
+[   19.350920]  ? kthread_create_on_node+0x60/0x60
+[   19.350920]  ret_from_fork+0x2c/0x40
+
+Cc: Omar Sandoval <osandov@osandov.com>
+Signed-off-by: Ming Lei <tom.leiming@gmail.com>
+Tested-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq-sysfs.c |    4 +---
+ block/blk-mq.c       |    4 +++-
+ block/blk-mq.h       |    1 +
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/block/blk-mq-sysfs.c
++++ b/block/blk-mq-sysfs.c
+@@ -429,7 +429,7 @@ void blk_mq_hctx_kobj_init(struct blk_mq
+       kobject_init(&hctx->kobj, &blk_mq_hw_ktype);
+ }
+-static void blk_mq_sysfs_init(struct request_queue *q)
++void blk_mq_sysfs_init(struct request_queue *q)
+ {
+       struct blk_mq_ctx *ctx;
+       int cpu;
+@@ -449,8 +449,6 @@ int blk_mq_register_dev(struct device *d
+       blk_mq_disable_hotplug();
+-      blk_mq_sysfs_init(q);
+-
+       ret = kobject_add(&q->mq_kobj, kobject_get(&dev->kobj), "%s", "mq");
+       if (ret < 0)
+               goto out;
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -1707,7 +1707,6 @@ static void blk_mq_init_cpu_queues(struc
+               struct blk_mq_ctx *__ctx = per_cpu_ptr(q->queue_ctx, i);
+               struct blk_mq_hw_ctx *hctx;
+-              memset(__ctx, 0, sizeof(*__ctx));
+               __ctx->cpu = i;
+               spin_lock_init(&__ctx->lock);
+               INIT_LIST_HEAD(&__ctx->rq_list);
+@@ -1970,6 +1969,9 @@ struct request_queue *blk_mq_init_alloca
+       if (!q->queue_ctx)
+               goto err_exit;
++      /* init q->mq_kobj and sw queues' kobjects */
++      blk_mq_sysfs_init(q);
++
+       q->queue_hw_ctx = kzalloc_node(nr_cpu_ids * sizeof(*(q->queue_hw_ctx)),
+                                               GFP_KERNEL, set->numa_node);
+       if (!q->queue_hw_ctx)
+--- a/block/blk-mq.h
++++ b/block/blk-mq.h
+@@ -50,6 +50,7 @@ static inline struct blk_mq_hw_ctx *blk_
+ /*
+  * sysfs helpers
+  */
++extern void blk_mq_sysfs_init(struct request_queue *q);
+ extern int blk_mq_sysfs_register(struct request_queue *q);
+ extern void blk_mq_sysfs_unregister(struct request_queue *q);
+ extern void blk_mq_hctx_kobj_init(struct blk_mq_hw_ctx *hctx);
diff --git a/queue-4.9/block-wake-up-all-tasks-blocked-in-get_request.patch b/queue-4.9/block-wake-up-all-tasks-blocked-in-get_request.patch
new file mode 100644 (file)
index 0000000..ac9ed12
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Ming Lei <ming.lei@redhat.com>
+Date: Thu, 16 Nov 2017 08:08:44 +0800
+Subject: block: wake up all tasks blocked in get_request()
+
+From: Ming Lei <ming.lei@redhat.com>
+
+
+[ Upstream commit 34d9715ac1edd50285168dd8d80c972739a4f6a4 ]
+
+Once blk_set_queue_dying() is done in blk_cleanup_queue(), we call
+blk_freeze_queue() and wait for q->q_usage_counter becoming zero. But
+if there are tasks blocked in get_request(), q->q_usage_counter can
+never become zero. So we have to wake up all these tasks in
+blk_set_queue_dying() first.
+
+Fixes: 3ef28e83ab157997 ("block: generic request_queue reference counting")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-core.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -527,8 +527,8 @@ void blk_set_queue_dying(struct request_
+               blk_queue_for_each_rl(rl, q) {
+                       if (rl->rq_pool) {
+-                              wake_up(&rl->wait[BLK_RW_SYNC]);
+-                              wake_up(&rl->wait[BLK_RW_ASYNC]);
++                              wake_up_all(&rl->wait[BLK_RW_SYNC]);
++                              wake_up_all(&rl->wait[BLK_RW_ASYNC]);
+                       }
+               }
+       }
diff --git a/queue-4.9/bnx2x-do-not-rollback-vf-mac-vlan-filters-we-did-not-configure.patch b/queue-4.9/bnx2x-do-not-rollback-vf-mac-vlan-filters-we-did-not-configure.patch
new file mode 100644 (file)
index 0000000..9651aab
--- /dev/null
@@ -0,0 +1,63 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Fri, 3 Mar 2017 17:08:32 +0100
+Subject: bnx2x: do not rollback VF MAC/VLAN filters we did not configure
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+
+[ Upstream commit 78d5505432436516456c12abbe705ec8dee7ee2b ]
+
+On failure to configure a VF MAC/VLAN filter we should not attempt to
+rollback filters that we failed to configure with -EEXIST.
+
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c |    8 +++++++-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h |    1 +
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c
+@@ -434,7 +434,9 @@ static int bnx2x_vf_mac_vlan_config(stru
+       /* Add/Remove the filter */
+       rc = bnx2x_config_vlan_mac(bp, &ramrod);
+-      if (rc && rc != -EEXIST) {
++      if (rc == -EEXIST)
++              return 0;
++      if (rc) {
+               BNX2X_ERR("Failed to %s %s\n",
+                         filter->add ? "add" : "delete",
+                         (filter->type == BNX2X_VF_FILTER_VLAN_MAC) ?
+@@ -444,6 +446,8 @@ static int bnx2x_vf_mac_vlan_config(stru
+               return rc;
+       }
++      filter->applied = true;
++
+       return 0;
+ }
+@@ -471,6 +475,8 @@ int bnx2x_vf_mac_vlan_config_list(struct
+               BNX2X_ERR("Managed only %d/%d filters - rolling back\n",
+                         i, filters->count + 1);
+               while (--i >= 0) {
++                      if (!filters->filters[i].applied)
++                              continue;
+                       filters->filters[i].add = !filters->filters[i].add;
+                       bnx2x_vf_mac_vlan_config(bp, vf, qid,
+                                                &filters->filters[i],
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h
+@@ -114,6 +114,7 @@ struct bnx2x_vf_mac_vlan_filter {
+       (BNX2X_VF_FILTER_MAC | BNX2X_VF_FILTER_VLAN) /*shortcut*/
+       bool add;
++      bool applied;
+       u8 *mac;
+       u16 vid;
+ };
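Review bot: The rollback loop now skips entries whose `applied` flag is false, but nothing in these hunks ever sets the new field to false, so correctness depends on the filter list being zero-allocated by whoever builds it (outside the hunks; presumably kzalloc, to be confirmed). If a list were built from non-zeroed memory, rollback would act on stale flag values. Either document the requirement at the field, `bool applied; /* set on successful config; list must be zero-initialised */`, or clear it at the top of bnx2x_vf_mac_vlan_config() with `filter->applied = false;`. Both functions start outside the hunks.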
diff --git a/queue-4.9/bnx2x-fix-detection-of-vlan-filtering-feature-for-vf.patch b/queue-4.9/bnx2x-fix-detection-of-vlan-filtering-feature-for-vf.patch
new file mode 100644 (file)
index 0000000..f7987d6
--- /dev/null
@@ -0,0 +1,61 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Fri, 3 Mar 2017 17:08:31 +0100
+Subject: bnx2x: fix detection of VLAN filtering feature for VF
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+
+[ Upstream commit 83bd9eb8fc69cdd5135ed6e1f066adc8841800fd ]
+
+VFs are currently missing the VLAN filtering feature, because we were
+checking the PF's acquire response before actually performing the acquire.
+
+Fix it by setting the feature flag later when we have the PF response.
+
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c |   16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+@@ -13293,17 +13293,15 @@ static int bnx2x_init_dev(struct bnx2x *
+       dev->vlan_features = NETIF_F_SG | NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM |
+               NETIF_F_TSO | NETIF_F_TSO_ECN | NETIF_F_TSO6 | NETIF_F_HIGHDMA;
+-      /* VF with OLD Hypervisor or old PF do not support filtering */
+       if (IS_PF(bp)) {
+               if (chip_is_e1x)
+                       bp->accept_any_vlan = true;
+               else
+                       dev->hw_features |= NETIF_F_HW_VLAN_CTAG_FILTER;
+-#ifdef CONFIG_BNX2X_SRIOV
+-      } else if (bp->acquire_resp.pfdev_info.pf_cap & PFVF_CAP_VLAN_FILTER) {
+-              dev->hw_features |= NETIF_F_HW_VLAN_CTAG_FILTER;
+-#endif
+       }
++      /* For VF we'll know whether to enable VLAN filtering after
++       * getting a response to CHANNEL_TLV_ACQUIRE from PF.
++       */
+       dev->features |= dev->hw_features | NETIF_F_HW_VLAN_CTAG_RX;
+       dev->features |= NETIF_F_HIGHDMA;
+@@ -14006,6 +14004,14 @@ static int bnx2x_init_one(struct pci_dev
+               rc = bnx2x_vfpf_acquire(bp, tx_count, rx_count);
+               if (rc)
+                       goto init_one_freemem;
++
++#ifdef CONFIG_BNX2X_SRIOV
++              /* VF with OLD Hypervisor or old PF do not support filtering */
++              if (bp->acquire_resp.pfdev_info.pf_cap & PFVF_CAP_VLAN_FILTER) {
++                      dev->hw_features |= NETIF_F_HW_VLAN_CTAG_FILTER;
++                      dev->features |= NETIF_F_HW_VLAN_CTAG_FILTER;
++              }
++#endif
+       }
+       /* Enable SRIOV if capability found in configuration space */
diff --git a/queue-4.9/bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch b/queue-4.9/bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch
new file mode 100644 (file)
index 0000000..c256d65
--- /dev/null
@@ -0,0 +1,79 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Fri, 3 Mar 2017 17:08:30 +0100
+Subject: bnx2x: fix possible overrun of VFPF multicast addresses array
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+
+[ Upstream commit 22118d861cec5da6ed525aaf12a3de9bfeffc58f ]
+
+It is too late to check for the limit of the number of VF multicast
+addresses after they have already been copied to the req->multicast[]
+array, possibly overflowing it.
+
+Do the check before copying.
+
+Also fix the error path to not skip unlocking vf2pf_mutex.
+
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c |   23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c
+@@ -868,7 +868,7 @@ int bnx2x_vfpf_set_mcast(struct net_devi
+       struct bnx2x *bp = netdev_priv(dev);
+       struct vfpf_set_q_filters_tlv *req = &bp->vf2pf_mbox->req.set_q_filters;
+       struct pfvf_general_resp_tlv *resp = &bp->vf2pf_mbox->resp.general_resp;
+-      int rc, i = 0;
++      int rc = 0, i = 0;
+       struct netdev_hw_addr *ha;
+       if (bp->state != BNX2X_STATE_OPEN) {
+@@ -883,6 +883,15 @@ int bnx2x_vfpf_set_mcast(struct net_devi
+       /* Get Rx mode requested */
+       DP(NETIF_MSG_IFUP, "dev->flags = %x\n", dev->flags);
++      /* We support PFVF_MAX_MULTICAST_PER_VF mcast addresses tops */
++      if (netdev_mc_count(dev) > PFVF_MAX_MULTICAST_PER_VF) {
++              DP(NETIF_MSG_IFUP,
++                 "VF supports not more than %d multicast MAC addresses\n",
++                 PFVF_MAX_MULTICAST_PER_VF);
++              rc = -EINVAL;
++              goto out;
++      }
++
+       netdev_for_each_mc_addr(ha, dev) {
+               DP(NETIF_MSG_IFUP, "Adding mcast MAC: %pM\n",
+                  bnx2x_mc_addr(ha));
+@@ -890,16 +899,6 @@ int bnx2x_vfpf_set_mcast(struct net_devi
+               i++;
+       }
+-      /* We support four PFVF_MAX_MULTICAST_PER_VF mcast
+-        * addresses tops
+-        */
+-      if (i >= PFVF_MAX_MULTICAST_PER_VF) {
+-              DP(NETIF_MSG_IFUP,
+-                 "VF supports not more than %d multicast MAC addresses\n",
+-                 PFVF_MAX_MULTICAST_PER_VF);
+-              return -EINVAL;
+-      }
+-
+       req->n_multicast = i;
+       req->flags |= VFPF_SET_Q_FILTERS_MULTICAST_CHANGED;
+       req->vf_qid = 0;
+@@ -924,7 +923,7 @@ int bnx2x_vfpf_set_mcast(struct net_devi
+ out:
+       bnx2x_vfpf_finalize(bp, &req->first_tlv);
+-      return 0;
++      return rc;
+ }
+ /* request pf to add a vlan for the vf */
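Review bot: The copy loop over netdev_for_each_mc_addr() is still bounded only by the count check added before it, not by `i` itself. The write into req->multicast[] (the copy line falls between the two hunks and is not shown) is therefore safe only if the address list cannot grow between netdev_mc_count() and the walk. If a lock held by the caller guarantees that, a comment naming it would help; otherwise a guard inside the loop, `if (i >= PFVF_MAX_MULTICAST_PER_VF) break;`, makes the bound local and self-evident. The limit also changed from `i >= MAX` to `count > MAX`, so exactly PFVF_MAX_MULTICAST_PER_VF addresses are now accepted, which is correct only if the array has that many slots; its declaration is not in the hunk.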
diff --git a/queue-4.9/bnx2x-prevent-crash-when-accessing-ptp-with-interface-down.patch b/queue-4.9/bnx2x-prevent-crash-when-accessing-ptp-with-interface-down.patch
new file mode 100644 (file)
index 0000000..6659ab1
--- /dev/null
@@ -0,0 +1,80 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Fri, 3 Mar 2017 17:08:28 +0100
+Subject: bnx2x: prevent crash when accessing PTP with interface down
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+
+[ Upstream commit 466e8bf10ac104d96e1ea813e8126e11cb72ea20 ]
+
+It is possible to crash the kernel by accessing a PTP device while its
+associated bnx2x interface is down. Before the interface is brought up,
+the timecounter is not initialized, so accessing it results in NULL
+dereference.
+
+Fix it by checking if the interface is up.
+
+Use -ENETDOWN as the error code when the interface is down.
+ -EFAULT in bnx2x_ptp_adjfreq() did not seem right.
+
+Tested using phc_ctl get/set/adj/freq commands.
+
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c |   20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+@@ -13735,7 +13735,7 @@ static int bnx2x_ptp_adjfreq(struct ptp_
+       if (!netif_running(bp->dev)) {
+               DP(BNX2X_MSG_PTP,
+                  "PTP adjfreq called while the interface is down\n");
+-              return -EFAULT;
++              return -ENETDOWN;
+       }
+       if (ppb < 0) {
+@@ -13794,6 +13794,12 @@ static int bnx2x_ptp_adjtime(struct ptp_
+ {
+       struct bnx2x *bp = container_of(ptp, struct bnx2x, ptp_clock_info);
++      if (!netif_running(bp->dev)) {
++              DP(BNX2X_MSG_PTP,
++                 "PTP adjtime called while the interface is down\n");
++              return -ENETDOWN;
++      }
++
+       DP(BNX2X_MSG_PTP, "PTP adjtime called, delta = %llx\n", delta);
+       timecounter_adjtime(&bp->timecounter, delta);
+@@ -13806,6 +13812,12 @@ static int bnx2x_ptp_gettime(struct ptp_
+       struct bnx2x *bp = container_of(ptp, struct bnx2x, ptp_clock_info);
+       u64 ns;
++      if (!netif_running(bp->dev)) {
++              DP(BNX2X_MSG_PTP,
++                 "PTP gettime called while the interface is down\n");
++              return -ENETDOWN;
++      }
++
+       ns = timecounter_read(&bp->timecounter);
+       DP(BNX2X_MSG_PTP, "PTP gettime called, ns = %llu\n", ns);
+@@ -13821,6 +13833,12 @@ static int bnx2x_ptp_settime(struct ptp_
+       struct bnx2x *bp = container_of(ptp, struct bnx2x, ptp_clock_info);
+       u64 ns;
++      if (!netif_running(bp->dev)) {
++              DP(BNX2X_MSG_PTP,
++                 "PTP settime called while the interface is down\n");
++              return -ENETDOWN;
++      }
++
+       ns = timespec64_to_ns(ts);
+       DP(BNX2X_MSG_PTP, "PTP settime called, ns = %llu\n", ns);
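Review bot: The same `netif_running()` guard now appears in adjfreq, adjtime, gettime and settime, and none of the copies says what it protects: per the description, bp->timecounter is not initialised until the interface is first brought up. A one-line comment on the guard, `/* timecounter is only set up when the interface is opened */`, or a small shared helper returning -ENETDOWN, would keep a future PTP callback from being added without it. The check is not made under any lock visible in these hunks; that is presumably harmless if the timecounter stays initialised after a later ifdown, but it is worth confirming. All four function bodies continue outside their hunks.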
diff --git a/queue-4.9/bpf-fix-lockdep-splat.patch b/queue-4.9/bpf-fix-lockdep-splat.patch
new file mode 100644 (file)
index 0000000..013d8da
--- /dev/null
@@ -0,0 +1,128 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 14 Nov 2017 17:15:50 -0800
+Subject: bpf: fix lockdep splat
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 89ad2fa3f043a1e8daae193bcb5fe34d5f8caf28 ]
+
+pcpu_freelist_pop() needs the same lockdep awareness than
+pcpu_freelist_populate() to avoid a false positive.
+
+ [ INFO: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected ]
+
+ switchto-defaul/12508 [HC0[0]:SC0[6]:HE0:SE0] is trying to acquire:
+  (&htab->buckets[i].lock){......}, at: [<ffffffff9dc099cb>] __htab_percpu_map_update_elem+0x1cb/0x300
+
+ and this task is already holding:
+  (dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2){+.-...}, at: [<ffffffff9e135848>] __dev_queue_xmit+0
+x868/0x1240
+ which would create a new lock dependency:
+  (dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2){+.-...} -> (&htab->buckets[i].lock){......}
+
+ but this new dependency connects a SOFTIRQ-irq-safe lock:
+  (dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2){+.-...}
+ ... which became SOFTIRQ-irq-safe at:
+   [<ffffffff9db5931b>] __lock_acquire+0x42b/0x1f10
+   [<ffffffff9db5b32c>] lock_acquire+0xbc/0x1b0
+   [<ffffffff9da05e38>] _raw_spin_lock+0x38/0x50
+   [<ffffffff9e135848>] __dev_queue_xmit+0x868/0x1240
+   [<ffffffff9e136240>] dev_queue_xmit+0x10/0x20
+   [<ffffffff9e1965d9>] ip_finish_output2+0x439/0x590
+   [<ffffffff9e197410>] ip_finish_output+0x150/0x2f0
+   [<ffffffff9e19886d>] ip_output+0x7d/0x260
+   [<ffffffff9e19789e>] ip_local_out+0x5e/0xe0
+   [<ffffffff9e197b25>] ip_queue_xmit+0x205/0x620
+   [<ffffffff9e1b8398>] tcp_transmit_skb+0x5a8/0xcb0
+   [<ffffffff9e1ba152>] tcp_write_xmit+0x242/0x1070
+   [<ffffffff9e1baffc>] __tcp_push_pending_frames+0x3c/0xf0
+   [<ffffffff9e1b3472>] tcp_rcv_established+0x312/0x700
+   [<ffffffff9e1c1acc>] tcp_v4_do_rcv+0x11c/0x200
+   [<ffffffff9e1c3dc2>] tcp_v4_rcv+0xaa2/0xc30
+   [<ffffffff9e191107>] ip_local_deliver_finish+0xa7/0x240
+   [<ffffffff9e191a36>] ip_local_deliver+0x66/0x200
+   [<ffffffff9e19137d>] ip_rcv_finish+0xdd/0x560
+   [<ffffffff9e191e65>] ip_rcv+0x295/0x510
+   [<ffffffff9e12ff88>] __netif_receive_skb_core+0x988/0x1020
+   [<ffffffff9e130641>] __netif_receive_skb+0x21/0x70
+   [<ffffffff9e1306ff>] process_backlog+0x6f/0x230
+   [<ffffffff9e132129>] net_rx_action+0x229/0x420
+   [<ffffffff9da07ee8>] __do_softirq+0xd8/0x43d
+   [<ffffffff9e282bcc>] do_softirq_own_stack+0x1c/0x30
+   [<ffffffff9dafc2f5>] do_softirq+0x55/0x60
+   [<ffffffff9dafc3a8>] __local_bh_enable_ip+0xa8/0xb0
+   [<ffffffff9db4c727>] cpu_startup_entry+0x1c7/0x500
+   [<ffffffff9daab333>] start_secondary+0x113/0x140
+
+ to a SOFTIRQ-irq-unsafe lock:
+  (&head->lock){+.+...}
+ ... which became SOFTIRQ-irq-unsafe at:
+ ...  [<ffffffff9db5971f>] __lock_acquire+0x82f/0x1f10
+   [<ffffffff9db5b32c>] lock_acquire+0xbc/0x1b0
+   [<ffffffff9da05e38>] _raw_spin_lock+0x38/0x50
+   [<ffffffff9dc0b7fa>] pcpu_freelist_pop+0x7a/0xb0
+   [<ffffffff9dc08b2c>] htab_map_alloc+0x50c/0x5f0
+   [<ffffffff9dc00dc5>] SyS_bpf+0x265/0x1200
+   [<ffffffff9e28195f>] entry_SYSCALL_64_fastpath+0x12/0x17
+
+ other info that might help us debug this:
+
+ Chain exists of:
+   dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2 --> &htab->buckets[i].lock --> &head->lock
+
+  Possible interrupt unsafe locking scenario:
+
+        CPU0                    CPU1
+        ----                    ----
+   lock(&head->lock);
+                                local_irq_disable();
+                                lock(dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2);
+                                lock(&htab->buckets[i].lock);
+   <Interrupt>
+     lock(dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2);
+
+  *** DEADLOCK ***
+
+Fixes: e19494edab82 ("bpf: introduce percpu_freelist")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/percpu_freelist.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/kernel/bpf/percpu_freelist.c
++++ b/kernel/bpf/percpu_freelist.c
+@@ -78,8 +78,10 @@ struct pcpu_freelist_node *pcpu_freelist
+ {
+       struct pcpu_freelist_head *head;
+       struct pcpu_freelist_node *node;
++      unsigned long flags;
+       int orig_cpu, cpu;
++      local_irq_save(flags);
+       orig_cpu = cpu = raw_smp_processor_id();
+       while (1) {
+               head = per_cpu_ptr(s->freelist, cpu);
+@@ -87,14 +89,16 @@ struct pcpu_freelist_node *pcpu_freelist
+               node = head->first;
+               if (node) {
+                       head->first = node->next;
+-                      raw_spin_unlock(&head->lock);
++                      raw_spin_unlock_irqrestore(&head->lock, flags);
+                       return node;
+               }
+               raw_spin_unlock(&head->lock);
+               cpu = cpumask_next(cpu, cpu_possible_mask);
+               if (cpu >= nr_cpu_ids)
+                       cpu = 0;
+-              if (cpu == orig_cpu)
++              if (cpu == orig_cpu) {
++                      local_irq_restore(flags);
+                       return NULL;
++              }
+       }
+ }
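Review bot: After this change the lock and unlock calls in pcpu_freelist_pop() no longer pair up visibly. Interrupts are disabled once with local_irq_save(), the success path releases with raw_spin_unlock_irqrestore(), the per-CPU miss path with plain raw_spin_unlock(), and the exhausted path with local_irq_restore(). That is consistent as written, but it keeps interrupts off for the whole walk over cpu_possible_mask and is easy to break in a later edit. A comment on the plain unlock, `/* irqs stay off until we return; see local_irq_save() above */`, would make the intent explicit. The lock acquisition line sits between the two hunks and is not shown.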
diff --git a/queue-4.9/clk-uniphier-fix-dapll2-clock-rate-of-pro5.patch b/queue-4.9/clk-uniphier-fix-dapll2-clock-rate-of-pro5.patch
new file mode 100644 (file)
index 0000000..a751929
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Thu, 5 Oct 2017 11:32:59 +0900
+Subject: clk: uniphier: fix DAPLL2 clock rate of Pro5
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+
+[ Upstream commit 67affb78a4e4feb837953e3434c8402a5c3b272f ]
+
+The parent of DAPLL2 should be DAPLL1.  Fix the clock connection.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/uniphier/clk-uniphier-sys.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/uniphier/clk-uniphier-sys.c
++++ b/drivers/clk/uniphier/clk-uniphier-sys.c
+@@ -98,7 +98,7 @@ const struct uniphier_clk_data uniphier_
+ const struct uniphier_clk_data uniphier_pro5_sys_clk_data[] = {
+       UNIPHIER_CLK_FACTOR("spll", -1, "ref", 120, 1),         /* 2400 MHz */
+       UNIPHIER_CLK_FACTOR("dapll1", -1, "ref", 128, 1),       /* 2560 MHz */
+-      UNIPHIER_CLK_FACTOR("dapll2", -1, "ref", 144, 125),     /* 2949.12 MHz */
++      UNIPHIER_CLK_FACTOR("dapll2", -1, "dapll1", 144, 125),  /* 2949.12 MHz */
+       UNIPHIER_CLK_FACTOR("uart", 0, "dapll2", 1, 40),
+       UNIPHIER_CLK_FACTOR("i2c", 1, "spll", 1, 48),
+       UNIPHIER_PRO5_SYS_CLK_SD,
diff --git a/queue-4.9/coccinelle-fix-parallel-build-with-check-scripts-coccicheck.patch b/queue-4.9/coccinelle-fix-parallel-build-with-check-scripts-coccicheck.patch
new file mode 100644 (file)
index 0000000..25f7ab6
--- /dev/null
@@ -0,0 +1,83 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Tue, 14 Nov 2017 20:38:07 +0900
+Subject: coccinelle: fix parallel build with CHECK=scripts/coccicheck
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+
+[ Upstream commit d7059ca0147adcd495f3c5b41f260e1ac55bb679 ]
+
+The command "make -j8 C=1 CHECK=scripts/coccicheck" produces
+lots of "coccicheck failed" error messages.
+
+Julia Lawall explained the Coccinelle behavior as follows:
+"The problem on the Coccinelle side is that it uses a subdirectory
+with the name of the semantic patch to store standard output and
+standard error for the different threads.  I didn't want to use a
+name with the pid, so that one could easily find this information
+while Coccinelle is running.  Normally the subdirectory is cleaned
+up when Coccinelle completes, so there is only one of them at a time.
+Maybe it is best to just add the pid.  There is the risk that these
+subdirectories will accumulate if Coccinelle crashes in a way such
+that they don't get cleaned up, but Coccinelle could print a warning
+if it detects this case, rather than failing."
+
+When scripts/coccicheck is used as CHECK tool and -j option is given
+to Make, the whole of build process runs in parallel.  So, multiple
+processes try to get access to the same subdirectory.
+
+I notice spatch creates the subdirectory only when it runs in parallel
+(i.e. --jobs <N> is given and <N> is greater than 1).
+
+Setting NPROC=1 is a reasonable solution; spatch does not create the
+subdirectory.  Besides, ONLINE=1 mode takes a single file input for
+each spatch invocation, so there is no reason to parallelize it in
+the first place.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Acked-by: Julia Lawall <Julia.Lawall@lip6.fr>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/coccicheck |   15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/scripts/coccicheck
++++ b/scripts/coccicheck
+@@ -29,12 +29,6 @@ else
+       VERBOSE=0
+ fi
+-if [ -z "$J" ]; then
+-      NPROC=$(getconf _NPROCESSORS_ONLN)
+-else
+-      NPROC="$J"
+-fi
+-
+ FLAGS="--very-quiet"
+ # You can use SPFLAGS to append extra arguments to coccicheck or override any
+@@ -69,6 +63,9 @@ if [ "$C" = "1" -o "$C" = "2" ]; then
+     # Take only the last argument, which is the C file to test
+     shift $(( $# - 1 ))
+     OPTIONS="$COCCIINCLUDE $1"
++
++    # No need to parallelize Coccinelle since this mode takes one input file.
++    NPROC=1
+ else
+     ONLINE=0
+     if [ "$KBUILD_EXTMOD" = "" ] ; then
+@@ -76,6 +73,12 @@ else
+     else
+         OPTIONS="--dir $KBUILD_EXTMOD $COCCIINCLUDE"
+     fi
++
++    if [ -z "$J" ]; then
++        NPROC=$(getconf _NPROCESSORS_ONLN)
++    else
++        NPROC="$J"
++    fi
+ fi
+ if [ "$KBUILD_EXTMOD" != "" ] ; then
diff --git a/queue-4.9/crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch b/queue-4.9/crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch
new file mode 100644 (file)
index 0000000..52adc2a
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Sun, 5 Mar 2017 19:14:07 +0200
+Subject: crypto: s5p-sss - Fix completing crypto request in IRQ handler
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+
+[ Upstream commit 07de4bc88ce6a4d898cad9aa4c99c1df7e87702d ]
+
+In a regular interrupt handler driver was finishing the crypt/decrypt
+request by calling complete on crypto request.  This is disallowed since
+converting to skcipher in commit b286d8b1a690 ("crypto: skcipher - Add
+skcipher walk interface") and causes a warning:
+       WARNING: CPU: 0 PID: 0 at crypto/skcipher.c:430 skcipher_walk_first+0x13c/0x14c
+
+The interrupt is marked shared but in fact there are no other users
+sharing it.  Thus the simplest solution seems to be to just use a
+threaded interrupt handler, after converting it to oneshot.
+
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/s5p-sss.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/s5p-sss.c
++++ b/drivers/crypto/s5p-sss.c
+@@ -805,8 +805,9 @@ static int s5p_aes_probe(struct platform
+               dev_warn(dev, "feed control interrupt is not available.\n");
+               goto err_irq;
+       }
+-      err = devm_request_irq(dev, pdata->irq_fc, s5p_aes_interrupt,
+-                             IRQF_SHARED, pdev->name, pdev);
++      err = devm_request_threaded_irq(dev, pdata->irq_fc, NULL,
++                                      s5p_aes_interrupt, IRQF_ONESHOT,
++                                      pdev->name, pdev);
+       if (err < 0) {
+               dev_warn(dev, "feed control interrupt is not available.\n");
+               goto err_irq;
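Review bot: In the s5p_aes_probe hunk of drivers/crypto/s5p-sss.c, the new `devm_request_threaded_irq(...)` call drops `IRQF_SHARED` and uses `IRQF_ONESHOT` with a NULL primary handler, but the code does not say why. The description gives the reason, so I would put it above the call, e.g. `/* Threaded: s5p_aes_interrupt completes crypto requests, which is not allowed in hard-IRQ context; the line has no other users, so no IRQF_SHARED. */`. Separately, the failure branch right after the call prints the same "feed control interrupt is not available." text as the branch above it and omits `err`, so the two cases cannot be told apart in a log. s5p_aes_probe starts and ends outside the hunk.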
diff --git a/queue-4.9/drivers-rapidio-devices-rio_mport_cdev.c-fix-resource-leak-in-error-handling-path-in-rio_dma_transfer.patch b/queue-4.9/drivers-rapidio-devices-rio_mport_cdev.c-fix-resource-leak-in-error-handling-path-in-rio_dma_transfer.patch
new file mode 100644 (file)
index 0000000..9057dd1
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Fri, 17 Nov 2017 15:37:57 -0800
+Subject: drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in 'rio_dma_transfer()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit b1402dcb5643b7a27d46a05edd7491d49ba0e248 ]
+
+If 'dma_map_sg()', we should branch to the existing error handling path
+to free some resources before returning.
+
+Link: http://lkml.kernel.org/r/61292a4f369229eee03394247385e955027283f8.1505687047.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Alexandre Bounine <alexandre.bounine@idt.com>
+Cc: Lorenzo Stoakes <lstoakes@gmail.com>
+Cc: Jesper Nilsson <jesper.nilsson@axis.com>
+Cc: Christian K_nig <christian.koenig@amd.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rapidio/devices/rio_mport_cdev.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/rapidio/devices/rio_mport_cdev.c
++++ b/drivers/rapidio/devices/rio_mport_cdev.c
+@@ -964,7 +964,8 @@ rio_dma_transfer(struct file *filp, u32
+                          req->sgt.sgl, req->sgt.nents, dir);
+       if (nents == -EFAULT) {
+               rmcd_error("Failed to map SG list");
+-              return -EFAULT;
++              ret = -EFAULT;
++              goto err_pg;
+       }
+       ret = do_dma_request(req, xfer, sync, nents);
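Review bot: The test `if (nents == -EFAULT)` in the rio_dma_transfer hunk looks unable to catch the failure whose cleanup this patch fixes. The call is cut off above the hunk, but the description names it as dma_map_sg(), which reports failure by returning 0, not a negative errno. If that is the call, a failed mapping falls through to `do_dma_request(req, xfer, sync, nents)` with nents equal to 0 and the new `goto err_pg` is never taken. I would test `if (nents == 0) {` and keep `ret = -EFAULT; goto err_pg;` as the body. The err_pg label and the rest of the function are outside the hunk, so what that path releases could not be checked here.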
diff --git a/queue-4.9/drm-amd-amdgpu-fix-console-deadlock-if-late-init-failed.patch b/queue-4.9/drm-amd-amdgpu-fix-console-deadlock-if-late-init-failed.patch
new file mode 100644 (file)
index 0000000..baabb9b
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Jim Qu <Jim.Qu@amd.com>
+Date: Wed, 1 Mar 2017 15:53:29 +0800
+Subject: drm/amd/amdgpu: fix console deadlock if late init failed
+
+From: Jim Qu <Jim.Qu@amd.com>
+
+
+[ Upstream commit c085bd5119d5d0bdf3ef591a5563566be7dedced ]
+
+Signed-off-by: Jim Qu <Jim.Qu@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -2020,8 +2020,11 @@ int amdgpu_device_resume(struct drm_devi
+       }
+       r = amdgpu_late_init(adev);
+-      if (r)
++      if (r) {
++              if (fbcon)
++                      console_unlock();
+               return r;
++      }
+       /* pin cursors */
+       list_for_each_entry(crtc, &dev->mode_config.crtc_list, head) {
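Review bot: The added `if (fbcon) console_unlock();` in amdgpu_device_resume repairs a single early return by hand, so any other return taken while the console lock is held would bring the deadlock back. The matching console_lock() and the normal unlock are outside the hunk, so this is inferred from the added lines only. I would route failures in the locked region through one shared unlock label. At minimum, add a comment at the lock site such as `/* every return below must console_unlock() when fbcon is set */`. The patch description is empty, which leaves the code as the only place this invariant can be recorded.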
diff --git a/queue-4.9/dt-bindings-usb-fix-reg-property-port-number-range.patch b/queue-4.9/dt-bindings-usb-fix-reg-property-port-number-range.patch
new file mode 100644 (file)
index 0000000..3692b41
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 9 Nov 2017 18:07:17 +0100
+Subject: dt-bindings: usb: fix reg-property port-number range
+
+From: Johan Hovold <johan@kernel.org>
+
+
+[ Upstream commit f42ae7b0540937e00fe005812997f126aaac4bc2 ]
+
+The USB hub port-number range for USB 2.0 is 1-255 and not 1-31 which
+reflects an arbitrary limit set by the current Linux implementation.
+
+Note that for USB 3.1 hubs the valid range is 1-15.
+
+Increase the documented valid range in the binding to 255, which is the
+maximum allowed by the specifications.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/usb/usb-device.txt |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/usb/usb-device.txt
++++ b/Documentation/devicetree/bindings/usb/usb-device.txt
+@@ -11,7 +11,7 @@ Required properties:
+   be used, but a device adhering to this binding may leave out all except
+   for usbVID,PID.
+ - reg: the port number which this device is connecting to, the range
+-  is 1-31.
++  is 1-255.
+ Example:
diff --git a/queue-4.9/dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch b/queue-4.9/dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch
new file mode 100644 (file)
index 0000000..4cb5d99
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Fri, 17 Nov 2017 15:27:35 -0800
+Subject: dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+
+[ Upstream commit 1f3c790bd5989fcfec9e53ad8fa09f5b740c958f ]
+
+line-range is supposed to treat "1-" as "1-endoffile", so
+handle the special case by setting last_lineno to UINT_MAX.
+
+Fixes this error:
+
+  dynamic_debug:ddebug_parse_query: last-line:0 < 1st-line:1
+  dynamic_debug:ddebug_exec_query: query parse failed
+
+Link: http://lkml.kernel.org/r/10a6a101-e2be-209f-1f41-54637824788e@infradead.org
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Acked-by: Jason Baron <jbaron@akamai.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/dynamic_debug.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/lib/dynamic_debug.c
++++ b/lib/dynamic_debug.c
+@@ -360,6 +360,10 @@ static int ddebug_parse_query(char *word
+                               if (parse_lineno(last, &query->last_lineno) < 0)
+                                       return -EINVAL;
++                              /* special case for last lineno not specified */
++                              if (query->last_lineno == 0)
++                                      query->last_lineno = UINT_MAX;
++
+                               if (query->last_lineno < query->first_lineno) {
+                                       pr_err("last-line:%d < 1st-line:%d\n",
+                                               query->last_lineno,
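Review bot: The added test `if (query->last_lineno == 0)` in ddebug_parse_query cannot tell an omitted end ("1-") from an explicit zero ("1-0"), so both now expand to UINT_MAX. Before this change "1-0" was rejected by the last-line < 1st-line check just below. If only the omitted form is meant, keying on the text is tighter: `if (*last == '\0') query->last_lineno = UINT_MAX;`, assuming `last` is the string after the dash, as the parse_lineno call suggests. The pr_err below prints these fields with `%d`; if they are unsigned, as the UINT_MAX assignment implies, `%u` would be the matching format. The function continues outside the hunk.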
diff --git a/queue-4.9/edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch b/queue-4.9/edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch
new file mode 100644 (file)
index 0000000..8f63717
--- /dev/null
@@ -0,0 +1,83 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+Date: Wed, 28 Jun 2017 20:57:29 -0400
+Subject: EDAC, i5000, i5400: Fix definition of NRECMEMB register
+
+From: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+
+
+[ Upstream commit a8c8261425649da58bdf08221570e5335ad33a31 ]
+
+In the i5000 and i5400 drivers, the NRECMEMB register is defined as a
+16-bit value, which results in wrong shifts in the code, as reported by
+sparse.
+
+In the datasheets ([1], section 3.9.22.20 and [2], section 3.9.22.21),
+this register is a 32-bit register. A u32 value for the register fixes
+the wrong shifts warnings and matches the datasheet.
+
+Also fix the mask to access to the CAS bits [27:16] in the i5000 driver.
+
+[1]: https://www.intel.com/content/dam/doc/datasheet/5000p-5000v-5000z-chipset-memory-controller-hub-datasheet.pdf
+[2]: https://www.intel.se/content/dam/doc/datasheet/5400-chipset-memory-controller-hub-datasheet.pdf
+
+Signed-off-by: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20170629005729.8478-1-jeremy.lefaure@lse.epita.fr
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/i5000_edac.c |    6 +++---
+ drivers/edac/i5400_edac.c |    4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/edac/i5000_edac.c
++++ b/drivers/edac/i5000_edac.c
+@@ -227,7 +227,7 @@
+ #define                       NREC_RDWR(x)            (((x)>>11) & 1)
+ #define                       NREC_RANK(x)            (((x)>>8) & 0x7)
+ #define               NRECMEMB                0xC0
+-#define                       NREC_CAS(x)             (((x)>>16) & 0xFFFFFF)
++#define                       NREC_CAS(x)             (((x)>>16) & 0xFFF)
+ #define                       NREC_RAS(x)             ((x) & 0x7FFF)
+ #define               NRECFGLOG               0xC4
+ #define               NREEECFBDA              0xC8
+@@ -371,7 +371,7 @@ struct i5000_error_info {
+       /* These registers are input ONLY if there was a
+        * Non-Recoverable Error */
+       u16 nrecmema;           /* Non-Recoverable Mem log A */
+-      u16 nrecmemb;           /* Non-Recoverable Mem log B */
++      u32 nrecmemb;           /* Non-Recoverable Mem log B */
+ };
+@@ -407,7 +407,7 @@ static void i5000_get_error_info(struct
+                               NERR_FAT_FBD, &info->nerr_fat_fbd);
+               pci_read_config_word(pvt->branchmap_werrors,
+                               NRECMEMA, &info->nrecmema);
+-              pci_read_config_word(pvt->branchmap_werrors,
++              pci_read_config_dword(pvt->branchmap_werrors,
+                               NRECMEMB, &info->nrecmemb);
+               /* Clear the error bits, by writing them back */
+--- a/drivers/edac/i5400_edac.c
++++ b/drivers/edac/i5400_edac.c
+@@ -368,7 +368,7 @@ struct i5400_error_info {
+       /* These registers are input ONLY if there was a Non-Rec Error */
+       u16 nrecmema;           /* Non-Recoverable Mem log A */
+-      u16 nrecmemb;           /* Non-Recoverable Mem log B */
++      u32 nrecmemb;           /* Non-Recoverable Mem log B */
+ };
+@@ -458,7 +458,7 @@ static void i5400_get_error_info(struct
+                               NERR_FAT_FBD, &info->nerr_fat_fbd);
+               pci_read_config_word(pvt->branchmap_werrors,
+                               NRECMEMA, &info->nrecmema);
+-              pci_read_config_word(pvt->branchmap_werrors,
++              pci_read_config_dword(pvt->branchmap_werrors,
+                               NRECMEMB, &info->nrecmemb);
+               /* Clear the error bits, by writing them back */
diff --git a/queue-4.9/edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch b/queue-4.9/edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch
new file mode 100644 (file)
index 0000000..95556c7
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+Date: Wed, 8 Mar 2017 20:18:09 -0500
+Subject: EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro
+
+From: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+
+
+[ Upstream commit e61555c29c28a4a3b6ba6207f4a0883ee236004d ]
+
+The MTR_DRAM_WIDTH macro returns the data width. It is sometimes used
+as if it returned a boolean true if the width if 8. Fix the tests where
+MTR_DRAM_WIDTH is misused.
+
+Signed-off-by: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20170309011809.8340-1-jeremy.lefaure@lse.epita.fr
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/i5000_edac.c |    2 +-
+ drivers/edac/i5400_edac.c |    5 +++--
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/edac/i5000_edac.c
++++ b/drivers/edac/i5000_edac.c
+@@ -1293,7 +1293,7 @@ static int i5000_init_csrows(struct mem_
+                       dimm->mtype = MEM_FB_DDR2;
+                       /* ask what device type on this row */
+-                      if (MTR_DRAM_WIDTH(mtr))
++                      if (MTR_DRAM_WIDTH(mtr) == 8)
+                               dimm->dtype = DEV_X8;
+                       else
+                               dimm->dtype = DEV_X4;
+--- a/drivers/edac/i5400_edac.c
++++ b/drivers/edac/i5400_edac.c
+@@ -1207,13 +1207,14 @@ static int i5400_init_dimms(struct mem_c
+                       dimm->nr_pages = size_mb << 8;
+                       dimm->grain = 8;
+-                      dimm->dtype = MTR_DRAM_WIDTH(mtr) ? DEV_X8 : DEV_X4;
++                      dimm->dtype = MTR_DRAM_WIDTH(mtr) == 8 ?
++                                    DEV_X8 : DEV_X4;
+                       dimm->mtype = MEM_FB_DDR2;
+                       /*
+                        * The eccc mechanism is SDDC (aka SECC), with
+                        * is similar to Chipkill.
+                        */
+-                      dimm->edac_mode = MTR_DRAM_WIDTH(mtr) ?
++                      dimm->edac_mode = MTR_DRAM_WIDTH(mtr) == 8 ?
+                                         EDAC_S8ECD8ED : EDAC_S4ECD4ED;
+                       ndimms++;
+               }
diff --git a/queue-4.9/gpio-altera-use-handle_level_irq-when-configured-as-a-level_high.patch b/queue-4.9/gpio-altera-use-handle_level_irq-when-configured-as-a-level_high.patch
new file mode 100644 (file)
index 0000000..a06b884
--- /dev/null
@@ -0,0 +1,80 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Phil Reid <preid@electromag.com.au>
+Date: Mon, 20 Feb 2017 09:41:45 +0800
+Subject: gpio: altera: Use handle_level_irq when configured as a level_high
+
+From: Phil Reid <preid@electromag.com.au>
+
+
+[ Upstream commit f759921cfbf4847319d197a6ed7c9534d593f8bc ]
+
+When a threaded irq handler is chained attached to one of the gpio
+pins when configure for level irq the altera_gpio_irq_leveL_high_handler
+does not mask the interrupt while being handled by the chained irq.
+This resulting in the threaded irq not getting enough cycles to complete
+quickly enough before the irq was disabled as faulty. handle_level_irq
+should be used in this situation instead of handle_simple_irq.
+
+In gpiochip_irqchip_add set default handler to handle_bad_irq as
+per Documentation/gpio/driver.txt. Then set the correct handler in
+the set_type callback.
+
+Signed-off-by: Phil Reid <preid@electromag.com.au>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-altera.c |   26 +++++++++++---------------
+ 1 file changed, 11 insertions(+), 15 deletions(-)
+
+--- a/drivers/gpio/gpio-altera.c
++++ b/drivers/gpio/gpio-altera.c
+@@ -90,21 +90,18 @@ static int altera_gpio_irq_set_type(stru
+       altera_gc = gpiochip_get_data(irq_data_get_irq_chip_data(d));
+-      if (type == IRQ_TYPE_NONE)
++      if (type == IRQ_TYPE_NONE) {
++              irq_set_handler_locked(d, handle_bad_irq);
+               return 0;
+-      if (type == IRQ_TYPE_LEVEL_HIGH &&
+-              altera_gc->interrupt_trigger == IRQ_TYPE_LEVEL_HIGH)
+-              return 0;
+-      if (type == IRQ_TYPE_EDGE_RISING &&
+-              altera_gc->interrupt_trigger == IRQ_TYPE_EDGE_RISING)
+-              return 0;
+-      if (type == IRQ_TYPE_EDGE_FALLING &&
+-              altera_gc->interrupt_trigger == IRQ_TYPE_EDGE_FALLING)
+-              return 0;
+-      if (type == IRQ_TYPE_EDGE_BOTH &&
+-              altera_gc->interrupt_trigger == IRQ_TYPE_EDGE_BOTH)
++      }
++      if (type == altera_gc->interrupt_trigger) {
++              if (type == IRQ_TYPE_LEVEL_HIGH)
++                      irq_set_handler_locked(d, handle_level_irq);
++              else
++                      irq_set_handler_locked(d, handle_simple_irq);
+               return 0;
+-
++      }
++      irq_set_handler_locked(d, handle_bad_irq);
+       return -EINVAL;
+ }
+@@ -230,7 +227,6 @@ static void altera_gpio_irq_edge_handler
+       chained_irq_exit(chip, desc);
+ }
+-
+ static void altera_gpio_irq_leveL_high_handler(struct irq_desc *desc)
+ {
+       struct altera_gpio_chip *altera_gc;
+@@ -310,7 +306,7 @@ static int altera_gpio_probe(struct plat
+       altera_gc->interrupt_trigger = reg;
+       ret = gpiochip_irqchip_add(&altera_gc->mmchip.gc, &altera_irq_chip, 0,
+-              handle_simple_irq, IRQ_TYPE_NONE);
++              handle_bad_irq, IRQ_TYPE_NONE);
+       if (ret) {
+               dev_err(&pdev->dev, "could not add irqchip\n");
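Review bot: In altera_gpio_irq_set_type, the fall-through path now runs `irq_set_handler_locked(d, handle_bad_irq);` before `return -EINVAL;`, so a rejected request also replaces whatever handler the line already had. A consumer that asks for an unsupported trigger on a correctly configured line would leave it on handle_bad_irq. If that is intended it deserves a comment saying so; otherwise drop the call on the error path. I would also record the description's reasoning next to the level case, e.g. `/* handle_level_irq masks the line while a threaded handler runs */`. The start of the function is outside the hunk.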
diff --git a/queue-4.9/gre6-use-log_ecn_error-module-parameter-in-ip6_tnl_rcv.patch b/queue-4.9/gre6-use-log_ecn_error-module-parameter-in-ip6_tnl_rcv.patch
new file mode 100644 (file)
index 0000000..0d1b24b
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Date: Fri, 17 Nov 2017 19:16:17 +0300
+Subject: gre6: use log_ecn_error module parameter in ip6_tnl_rcv()
+
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+
+
+[ Upstream commit 981542c526ecd846920bc500e9989da906ee9fb9 ]
+
+After commit 308edfdf1563 ("gre6: Cleanup GREv6 receive path, call
+common GRE functions") it's not used anywhere in the module, but
+previously was used in ip6gre_rcv().
+
+Fixes: 308edfdf1563 ("gre6: Cleanup GREv6 receive path, call common GRE functions")
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_gre.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -461,7 +461,7 @@ static int ip6gre_rcv(struct sk_buff *sk
+                                     &ipv6h->saddr, &ipv6h->daddr, tpi->key,
+                                     tpi->proto);
+       if (tunnel) {
+-              ip6_tnl_rcv(tunnel, skb, tpi, NULL, false);
++              ip6_tnl_rcv(tunnel, skb, tpi, NULL, log_ecn_error);
+               return PACKET_RCVD;
+       }
diff --git a/queue-4.9/hid-chicony-add-support-for-another-asus-zen-aio-keyboard.patch b/queue-4.9/hid-chicony-add-support-for-another-asus-zen-aio-keyboard.patch
new file mode 100644 (file)
index 0000000..4381427
--- /dev/null
@@ -0,0 +1,77 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Daniel Drake <drake@endlessm.com>
+Date: Fri, 17 Feb 2017 07:40:52 -0600
+Subject: HID: chicony: Add support for another ASUS Zen AiO keyboard
+
+From: Daniel Drake <drake@endlessm.com>
+
+
+[ Upstream commit f2f10b7e722a75c6d75a7f7cd06b0eee3ae20f7c ]
+
+Add support for media keys on the keyboard that comes with the
+Asus V221ID and ZN241IC All In One computers.
+
+The keys to support here are WLAN, BRIGHTNESSDOWN and BRIGHTNESSUP.
+
+This device is not visibly branded as Chicony, and the USB Vendor ID
+suggests that it is a JESS device. However this seems like the right place
+to put it: the usage codes are identical to the currently supported
+devices, and this driver already supports the ASUS AIO keyboard AK1D.
+
+Signed-off-by: Daniel Drake <drake@endlessm.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/Kconfig       |    4 ++--
+ drivers/hid/hid-chicony.c |    1 +
+ drivers/hid/hid-core.c    |    1 +
+ drivers/hid/hid-ids.h     |    1 +
+ 4 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/Kconfig
++++ b/drivers/hid/Kconfig
+@@ -175,11 +175,11 @@ config HID_CHERRY
+       Support for Cherry Cymotion keyboard.
+ config HID_CHICONY
+-      tristate "Chicony Tactical pad"
++      tristate "Chicony devices"
+       depends on HID
+       default !EXPERT
+       ---help---
+-      Support for Chicony Tactical pad.
++      Support for Chicony Tactical pad and special keys on Chicony keyboards.
+ config HID_CORSAIR
+       tristate "Corsair devices"
+--- a/drivers/hid/hid-chicony.c
++++ b/drivers/hid/hid-chicony.c
+@@ -86,6 +86,7 @@ static const struct hid_device_id ch_dev
+       { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_WIRELESS2) },
+       { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_AK1D) },
+       { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_ACER_SWITCH12) },
++      { HID_USB_DEVICE(USB_VENDOR_ID_JESS, USB_DEVICE_ID_JESS_ZEN_AIO_KBD) },
+       { }
+ };
+ MODULE_DEVICE_TABLE(hid, ch_devices);
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1906,6 +1906,7 @@ static const struct hid_device_id hid_ha
+       { HID_USB_DEVICE(USB_VENDOR_ID_HOLTEK_ALT, USB_DEVICE_ID_HOLTEK_ALT_MOUSE_A081) },
+       { HID_USB_DEVICE(USB_VENDOR_ID_HOLTEK_ALT, USB_DEVICE_ID_HOLTEK_ALT_MOUSE_A0C2) },
+       { HID_USB_DEVICE(USB_VENDOR_ID_HUION, USB_DEVICE_ID_HUION_TABLET) },
++      { HID_USB_DEVICE(USB_VENDOR_ID_JESS, USB_DEVICE_ID_JESS_ZEN_AIO_KBD) },
+       { HID_USB_DEVICE(USB_VENDOR_ID_JESS2, USB_DEVICE_ID_JESS2_COLOR_RUMBLE_PAD) },
+       { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ION, USB_DEVICE_ID_ICADE) },
+       { HID_USB_DEVICE(USB_VENDOR_ID_KENSINGTON, USB_DEVICE_ID_KS_SLIMBLADE) },
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -558,6 +558,7 @@
+ #define USB_VENDOR_ID_JESS            0x0c45
+ #define USB_DEVICE_ID_JESS_YUREX      0x1010
++#define USB_DEVICE_ID_JESS_ZEN_AIO_KBD        0x5112
+ #define USB_VENDOR_ID_JESS2           0x0f30
+ #define USB_DEVICE_ID_JESS2_COLOR_RUMBLE_PAD 0x0111
diff --git a/queue-4.9/i2c-riic-fix-restart-condition.patch b/queue-4.9/i2c-riic-fix-restart-condition.patch
new file mode 100644 (file)
index 0000000..fee7829
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Chris Brandt <chris.brandt@renesas.com>
+Date: Mon, 6 Mar 2017 15:20:51 -0500
+Subject: i2c: riic: fix restart condition
+
+From: Chris Brandt <chris.brandt@renesas.com>
+
+
+[ Upstream commit 2501c1bb054290679baad0ff7f4f07c714251f4c ]
+
+While modifying the driver to use the STOP interrupt, the completion of the
+intermediate transfers need to wake the driver back up in order to initiate
+the next transfer (restart condition). Otherwise you get never ending
+interrupts and only the first transfer sent.
+
+Fixes: 71ccea095ea1 ("i2c: riic: correctly finish transfers")
+Reported-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
+Tested-by: Simon Horman <horms+renesas@verge.net.au>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-riic.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-riic.c
++++ b/drivers/i2c/busses/i2c-riic.c
+@@ -218,8 +218,12 @@ static irqreturn_t riic_tend_isr(int irq
+       }
+       if (riic->is_last || riic->err) {
+-              riic_clear_set_bit(riic, 0, ICIER_SPIE, RIIC_ICIER);
++              riic_clear_set_bit(riic, ICIER_TEIE, ICIER_SPIE, RIIC_ICIER);
+               writeb(ICCR2_SP, riic->base + RIIC_ICCR2);
++      } else {
++              /* Transfer is complete, but do not send STOP */
++              riic_clear_set_bit(riic, ICIER_TEIE, 0, RIIC_ICIER);
++              complete(&riic->msg_done);
+       }
+       return IRQ_HANDLED;
diff --git a/queue-4.9/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch b/queue-4.9/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch
new file mode 100644 (file)
index 0000000..b9ea3fa
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Mark Bloch <markb@mellanox.com>
+Date: Thu, 2 Nov 2017 15:22:26 +0200
+Subject: IB/mlx4: Increase maximal message size under UD QP
+
+From: Mark Bloch <markb@mellanox.com>
+
+
+[ Upstream commit 5f22a1d87c5315a98981ecf93cd8de226cffe6ca ]
+
+Maximal message should be used as a limit to the max message payload allowed,
+without the headers. The ConnectX-3 check is done against this value includes
+the headers. When the payload is 4K this will cause the NIC to drop packets.
+
+Increase maximal message to 8K as workaround, this shouldn't change current
+behaviour because we continue to set the MTU to 4k.
+
+To reproduce;
+set MTU to 4296 on the corresponding interface, for example:
+ifconfig eth0 mtu 4296 (both server and client)
+
+On server:
+ib_send_bw -c UD -d mlx4_0 -s 4096 -n 1000000 -i1 -m 4096
+
+On client:
+ib_send_bw -d mlx4_0 -c UD <server_ip> -s 4096 -n 1000000 -i 1 -m 4096
+
+Fixes: 6e0d733d9215 ("IB/mlx4: Allow 4K messages for UD QPs")
+Signed-off-by: Mark Bloch <markb@mellanox.com>
+Reviewed-by: Majd Dibbiny <majd@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx4/qp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -1669,7 +1669,7 @@ static int __mlx4_ib_modify_qp(struct ib
+                       context->mtu_msgmax = (IB_MTU_4096 << 5) |
+                                             ilog2(dev->dev->caps.max_gso_sz);
+               else
+-                      context->mtu_msgmax = (IB_MTU_4096 << 5) | 12;
++                      context->mtu_msgmax = (IB_MTU_4096 << 5) | 13;
+       } else if (attr_mask & IB_QP_PATH_MTU) {
+               if (attr->path_mtu < IB_MTU_256 || attr->path_mtu > IB_MTU_4096) {
+                       pr_err("path MTU (%u) is invalid\n",
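Review bot: The bare `13` in the `else` branch of the `context->mtu_msgmax` assignment is a magic number, and nothing on the line says why it differs from the 4K MTU encoded next to it. Going by the commit text it is the log2 of an 8K message limit, raised because the ConnectX-3 check counts the headers on top of the payload. A comment on that line would keep a later cleanup from "correcting" it back to 12, e.g. `/* log2 of max msg size: 8K, because the HW check includes headers on a 4K payload */`. __mlx4_ib_modify_qp starts and ends outside the hunk.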
diff --git a/queue-4.9/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch b/queue-4.9/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch
new file mode 100644 (file)
index 0000000..77c5887
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Majd Dibbiny <majd@mellanox.com>
+Date: Mon, 30 Oct 2017 14:23:13 +0200
+Subject: IB/mlx5: Assign send CQ and recv CQ of UMR QP
+
+From: Majd Dibbiny <majd@mellanox.com>
+
+
+[ Upstream commit 31fde034a8bd964a5c7c1a5663fc87a913158db2 ]
+
+The UMR's QP is created by calling mlx5_ib_create_qp directly, and
+therefore the send CQ and the recv CQ on the ibqp weren't assigned.
+
+Assign them right after calling the mlx5_ib_create_qp to assure
+that any access to those pointers will work as expected and won't
+crash the system as might happen as part of reset flow.
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Majd Dibbiny <majd@mellanox.com>
+Reviewed-by: Yishai Hadas <yishaih@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mlx5/main.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -2514,6 +2514,8 @@ static int create_umr_res(struct mlx5_ib
+       qp->real_qp    = qp;
+       qp->uobject    = NULL;
+       qp->qp_type    = MLX5_IB_QPT_REG_UMR;
++      qp->send_cq    = init_attr->send_cq;
++      qp->recv_cq    = init_attr->recv_cq;
+       attr->qp_state = IB_QPS_INIT;
+       attr->port_num = 1;
diff --git a/queue-4.9/ibmvnic-allocate-number-of-rx-tx-buffers-agreed-on-by-firmware.patch b/queue-4.9/ibmvnic-allocate-number-of-rx-tx-buffers-agreed-on-by-firmware.patch
new file mode 100644 (file)
index 0000000..e24dd36
--- /dev/null
@@ -0,0 +1,89 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Date: Sun, 5 Mar 2017 12:18:42 -0600
+Subject: ibmvnic: Allocate number of rx/tx buffers agreed on by firmware
+
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+
+
+[ Upstream commit 068d9f90a6978c3e3a662d9e85204a7d6be240d2 ]
+
+The amount of TX/RX buffers that the vNIC driver currently allocates
+is different from the amount agreed upon in negotiation with firmware.
+Correct that by allocating the requested number of buffers confirmed
+by firmware.
+
+Signed-off-by: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c |   16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -404,7 +404,7 @@ static int ibmvnic_open(struct net_devic
+       send_map_query(adapter);
+       for (i = 0; i < rxadd_subcrqs; i++) {
+               init_rx_pool(adapter, &adapter->rx_pool[i],
+-                           IBMVNIC_BUFFS_PER_POOL, i,
++                           adapter->req_rx_add_entries_per_subcrq, i,
+                            be64_to_cpu(size_array[i]), 1);
+               if (alloc_rx_pool(adapter, &adapter->rx_pool[i])) {
+                       dev_err(dev, "Couldn't alloc rx pool\n");
+@@ -419,23 +419,23 @@ static int ibmvnic_open(struct net_devic
+       for (i = 0; i < tx_subcrqs; i++) {
+               tx_pool = &adapter->tx_pool[i];
+               tx_pool->tx_buff =
+-                  kcalloc(adapter->max_tx_entries_per_subcrq,
++                  kcalloc(adapter->req_tx_entries_per_subcrq,
+                           sizeof(struct ibmvnic_tx_buff), GFP_KERNEL);
+               if (!tx_pool->tx_buff)
+                       goto tx_pool_alloc_failed;
+               if (alloc_long_term_buff(adapter, &tx_pool->long_term_buff,
+-                                       adapter->max_tx_entries_per_subcrq *
++                                       adapter->req_tx_entries_per_subcrq *
+                                        adapter->req_mtu))
+                       goto tx_ltb_alloc_failed;
+               tx_pool->free_map =
+-                  kcalloc(adapter->max_tx_entries_per_subcrq,
++                  kcalloc(adapter->req_tx_entries_per_subcrq,
+                           sizeof(int), GFP_KERNEL);
+               if (!tx_pool->free_map)
+                       goto tx_fm_alloc_failed;
+-              for (j = 0; j < adapter->max_tx_entries_per_subcrq; j++)
++              for (j = 0; j < adapter->req_tx_entries_per_subcrq; j++)
+                       tx_pool->free_map[j] = j;
+               tx_pool->consumer_index = 0;
+@@ -746,7 +746,7 @@ static int ibmvnic_xmit(struct sk_buff *
+       tx_pool->consumer_index =
+           (tx_pool->consumer_index + 1) %
+-              adapter->max_tx_entries_per_subcrq;
++              adapter->req_tx_entries_per_subcrq;
+       tx_buff = &tx_pool->tx_buff[index];
+       tx_buff->skb = skb;
+@@ -819,7 +819,7 @@ static int ibmvnic_xmit(struct sk_buff *
+               if (tx_pool->consumer_index == 0)
+                       tx_pool->consumer_index =
+-                              adapter->max_tx_entries_per_subcrq - 1;
++                              adapter->req_tx_entries_per_subcrq - 1;
+               else
+                       tx_pool->consumer_index--;
+@@ -1400,7 +1400,7 @@ restart_loop:
+                                                    producer_index] = index;
+                       adapter->tx_pool[pool].producer_index =
+                           (adapter->tx_pool[pool].producer_index + 1) %
+-                          adapter->max_tx_entries_per_subcrq;
++                          adapter->req_tx_entries_per_subcrq;
+               }
+               /* remove tx_comp scrq*/
+               next->tx_comp.first = 0;
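Review bot: `adapter->req_tx_entries_per_subcrq` now serves as the kcalloc() element count, the factor in the long-term-buffer size and the `%` divisor for consumer_index/producer_index, and none of these hunks show it being range-checked. The value is the one confirmed in negotiation with firmware; if it can ever be 0, kcalloc() with a zero count does not return NULL, so the `!tx_pool->tx_buff` test passes and the first `% adapter->req_tx_entries_per_subcrq` in ibmvnic_xmit divides by zero. Presumably the negotiation code bounds it, but that is outside the hunks; a guard before the tx loop in ibmvnic_open, such as `if (!adapter->req_tx_entries_per_subcrq) return -EINVAL;` (or a jump to the matching unwind label, which is not visible here), would make the assumption explicit. The product with `adapter->req_mtu` passed to alloc_long_term_buff() deserves the same look for overflow.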
diff --git a/queue-4.9/ibmvnic-fix-overflowing-firmware-hardware-tx-queue.patch b/queue-4.9/ibmvnic-fix-overflowing-firmware-hardware-tx-queue.patch
new file mode 100644 (file)
index 0000000..23ce697
--- /dev/null
@@ -0,0 +1,104 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Date: Sun, 5 Mar 2017 12:18:41 -0600
+Subject: ibmvnic: Fix overflowing firmware/hardware TX queue
+
+From: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+
+
+[ Upstream commit 142c0ac445792c492579cb01f1cfd4e32e6dfcce ]
+
+Use a counter to track the number of outstanding transmissions sent
+that have not received completions. If the counter reaches the maximum
+number of queue entries, stop transmissions on that queue. As we receive
+more completions from firmware, wake the queue once the counter reaches
+an acceptable level.
+
+This patch prevents hardware/firmware TX queue from filling up and
+and generating errors.  Since incorporating this fix, internal testing
+has reported that these firmware errors have stopped.
+
+Signed-off-by: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c |   27 ++++++++++++++++++++++++++-
+ drivers/net/ethernet/ibm/ibmvnic.h |    1 +
+ 2 files changed, 27 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -705,6 +705,7 @@ static int ibmvnic_xmit(struct sk_buff *
+       u8 *hdrs = (u8 *)&adapter->tx_rx_desc_req;
+       struct device *dev = &adapter->vdev->dev;
+       struct ibmvnic_tx_buff *tx_buff = NULL;
++      struct ibmvnic_sub_crq_queue *tx_scrq;
+       struct ibmvnic_tx_pool *tx_pool;
+       unsigned int tx_send_failed = 0;
+       unsigned int tx_map_failed = 0;
+@@ -724,6 +725,7 @@ static int ibmvnic_xmit(struct sk_buff *
+       int ret = 0;
+       tx_pool = &adapter->tx_pool[queue_num];
++      tx_scrq = adapter->tx_scrq[queue_num];
+       txq = netdev_get_tx_queue(netdev, skb_get_queue_mapping(skb));
+       handle_array = (u64 *)((u8 *)(adapter->login_rsp_buf) +
+                                  be32_to_cpu(adapter->login_rsp_buf->
+@@ -826,6 +828,14 @@ static int ibmvnic_xmit(struct sk_buff *
+               ret = NETDEV_TX_BUSY;
+               goto out;
+       }
++
++      atomic_inc(&tx_scrq->used);
++
++      if (atomic_read(&tx_scrq->used) >= adapter->req_tx_entries_per_subcrq) {
++              netdev_info(netdev, "Stopping queue %d\n", queue_num);
++              netif_stop_subqueue(netdev, queue_num);
++      }
++
+       tx_packets++;
+       tx_bytes += skb->len;
+       txq->trans_start = jiffies;
+@@ -1220,6 +1230,7 @@ static struct ibmvnic_sub_crq_queue *ini
+       scrq->adapter = adapter;
+       scrq->size = 4 * PAGE_SIZE / sizeof(*scrq->msgs);
+       scrq->cur = 0;
++      atomic_set(&scrq->used, 0);
+       scrq->rx_skb_top = NULL;
+       spin_lock_init(&scrq->lock);
+@@ -1368,8 +1379,22 @@ restart_loop:
+                                                DMA_TO_DEVICE);
+                       }
+-                      if (txbuff->last_frag)
++                      if (txbuff->last_frag) {
++                              atomic_dec(&scrq->used);
++
++                              if (atomic_read(&scrq->used) <=
++                                  (adapter->req_tx_entries_per_subcrq / 2) &&
++                                  netif_subqueue_stopped(adapter->netdev,
++                                                         txbuff->skb)) {
++                                      netif_wake_subqueue(adapter->netdev,
++                                                          scrq->pool_index);
++                                      netdev_dbg(adapter->netdev,
++                                                 "Started queue %d\n",
++                                                 scrq->pool_index);
++                              }
++
+                               dev_kfree_skb_any(txbuff->skb);
++                      }
+                       adapter->tx_pool[pool].free_map[adapter->tx_pool[pool].
+                                                    producer_index] = index;
+--- a/drivers/net/ethernet/ibm/ibmvnic.h
++++ b/drivers/net/ethernet/ibm/ibmvnic.h
+@@ -863,6 +863,7 @@ struct ibmvnic_sub_crq_queue {
+       spinlock_t lock;
+       struct sk_buff *rx_skb_top;
+       struct ibmvnic_adapter *adapter;
++      atomic_t used;
+ };
+ struct ibmvnic_long_term_buff {
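Review bot: In ibmvnic_xmit the counter is bumped with `atomic_inc(&tx_scrq->used)` and then re-read with a separate `atomic_read()`, and the completion path does the same with `atomic_dec()`/`atomic_read()`, so the value compared against the threshold is not necessarily the one this context produced. If the other path runs between the two calls, the stop or wake threshold can be missed; using the returned value closes that window: `if (atomic_inc_return(&tx_scrq->used) >= adapter->req_tx_entries_per_subcrq) {` and `if (atomic_dec_return(&scrq->used) <= (adapter->req_tx_entries_per_subcrq / 2) &&`. The wake check tests the queue through `txbuff->skb` but wakes `scrq->pool_index`; these are presumably the same queue, which is worth confirming. `netdev_info()` on every queue stop will be noisy under load, and `netdev_dbg()`, as already used for the wake, would match. Both functions continue outside the hunks.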
diff --git a/queue-4.9/ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch b/queue-4.9/ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch
new file mode 100644 (file)
index 0000000..727a1eb
--- /dev/null
@@ -0,0 +1,96 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Sun, 5 Mar 2017 12:34:53 -0800
+Subject: ipv6: reorder icmpv6_init() and ip6_mr_init()
+
+From: WANG Cong <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit 15e668070a64bb97f102ad9cf3bccbca0545cda8 ]
+
+Andrey reported the following kernel crash:
+
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+   (ftrace buffer empty)
+Modules linked in:
+CPU: 0 PID: 14446 Comm: syz-executor6 Not tainted 4.10.0+ #82
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+task: ffff88001f311700 task.stack: ffff88001f6e8000
+RIP: 0010:ip6mr_sk_done+0x15a/0x3d0 net/ipv6/ip6mr.c:1618
+RSP: 0018:ffff88001f6ef418 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: 1ffff10003edde8c RCX: ffffc900043ee000
+RDX: 0000000000000004 RSI: ffffffff83e3b3f8 RDI: 0000000000000020
+RBP: ffff88001f6ef508 R08: fffffbfff0dcc5d8 R09: 0000000000000000
+R10: ffffffff86e62ec0 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: ffff88001f6ef4e0 R15: ffff8800380a0040
+FS:  00007f7a52cec700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000000061c500 CR3: 000000001f1ae000 CR4: 00000000000006f0
+DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
+Call Trace:
+ rawv6_close+0x4c/0x80 net/ipv6/raw.c:1217
+ inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
+ inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432
+ sock_release+0x8d/0x1e0 net/socket.c:597
+ __sock_create+0x39d/0x880 net/socket.c:1226
+ sock_create_kern+0x3f/0x50 net/socket.c:1243
+ inet_ctl_sock_create+0xbb/0x280 net/ipv4/af_inet.c:1526
+ icmpv6_sk_init+0x163/0x500 net/ipv6/icmp.c:954
+ ops_init+0x10a/0x550 net/core/net_namespace.c:115
+ setup_net+0x261/0x660 net/core/net_namespace.c:291
+ copy_net_ns+0x27e/0x540 net/core/net_namespace.c:396
+9pnet_virtio: no channels available for device ./file1
+ create_new_namespaces+0x437/0x9b0 kernel/nsproxy.c:106
+ unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
+ SYSC_unshare kernel/fork.c:2281 [inline]
+ SyS_unshare+0x64e/0x1000 kernel/fork.c:2231
+ entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+This is because net->ipv6.mr6_tables is not initialized at that point,
+ip6mr_rules_init() is not called yet, therefore on the error path when
+we iterator the list, we trigger this oops. Fix this by reordering
+ip6mr_rules_init() before icmpv6_sk_init().
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/af_inet6.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -909,12 +909,12 @@ static int __init inet6_init(void)
+       err = register_pernet_subsys(&inet6_net_ops);
+       if (err)
+               goto register_pernet_fail;
+-      err = icmpv6_init();
+-      if (err)
+-              goto icmp_fail;
+       err = ip6_mr_init();
+       if (err)
+               goto ipmr_fail;
++      err = icmpv6_init();
++      if (err)
++              goto icmp_fail;
+       err = ndisc_init();
+       if (err)
+               goto ndisc_fail;
+@@ -1044,10 +1044,10 @@ igmp_fail:
+       ndisc_cleanup();
+ ndisc_fail:
+       ip6_mr_cleanup();
+-ipmr_fail:
+-      icmpv6_cleanup();
+ icmp_fail:
+       unregister_pernet_subsys(&inet6_net_ops);
++ipmr_fail:
++      icmpv6_cleanup();
+ register_pernet_fail:
+       sock_unregister(PF_INET6);
+       rtnl_unregister_all(PF_INET6);
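Review bot: The unwind ladder in inet6_init() has its labels moved but not the cleanup calls under them, so it no longer mirrors the new init order (ip6_mr_init(), icmpv6_init(), ndisc_init()). As written, a failure in icmpv6_init() jumps to `icmp_fail`, which runs icmpv6_cleanup() for a subsystem that never initialised and never calls ip6_mr_cleanup(). A failure in ip6_mr_init() jumps to `ipmr_fail`, which also runs icmpv6_cleanup() and skips unregister_pernet_subsys(). The calls should follow the labels: `icmpv6_cleanup();` under `ndisc_fail:`, `ip6_mr_cleanup();` under `icmp_fail:`, and `unregister_pernet_subsys(&inet6_net_ops);` under `ipmr_fail:`. inet6_init() starts and ends outside the hunks.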
diff --git a/queue-4.9/ipvlan-fix-ipv6-outbound-device.patch b/queue-4.9/ipvlan-fix-ipv6-outbound-device.patch
new file mode 100644 (file)
index 0000000..d2dd9a2
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Keefe Liu <liuqifa@huawei.com>
+Date: Thu, 9 Nov 2017 20:09:31 +0800
+Subject: ipvlan: fix ipv6 outbound device
+
+From: Keefe Liu <liuqifa@huawei.com>
+
+
+[ Upstream commit ca29fd7cce5a6444d57fb86517589a1a31c759e1 ]
+
+When process the outbound packet of ipv6, we should assign the master
+device to output device other than input device.
+
+Signed-off-by: Keefe Liu <liuqifa@huawei.com>
+Acked-by: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipvlan/ipvlan_core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -404,7 +404,7 @@ static int ipvlan_process_v6_outbound(st
+       struct dst_entry *dst;
+       int err, ret = NET_XMIT_DROP;
+       struct flowi6 fl6 = {
+-              .flowi6_iif = dev->ifindex,
++              .flowi6_oif = dev->ifindex,
+               .daddr = ip6h->daddr,
+               .saddr = ip6h->saddr,
+               .flowi6_flags = FLOWI_FLAG_ANYSRC,
diff --git a/queue-4.9/irqchip-crossbar-fix-incorrect-type-of-register-size.patch b/queue-4.9/irqchip-crossbar-fix-incorrect-type-of-register-size.patch
new file mode 100644 (file)
index 0000000..77f9334
--- /dev/null
@@ -0,0 +1,58 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Franck Demathieu <fdemathieu@gmail.com>
+Date: Mon, 6 Mar 2017 14:41:06 +0100
+Subject: irqchip/crossbar: Fix incorrect type of register size
+
+From: Franck Demathieu <fdemathieu@gmail.com>
+
+
+[ Upstream commit 4b9de5da7e120c7f02395da729f0ec77ce7a6044 ]
+
+The 'size' variable is unsigned according to the dt-bindings.
+As this variable is used as integer in other places, create a new variable
+that allows to fix the following sparse issue (-Wtypesign):
+
+  drivers/irqchip/irq-crossbar.c:279:52: warning: incorrect type in argument 3 (different signedness)
+  drivers/irqchip/irq-crossbar.c:279:52:    expected unsigned int [usertype] *out_value
+  drivers/irqchip/irq-crossbar.c:279:52:    got int *<noident>
+
+Signed-off-by: Franck Demathieu <fdemathieu@gmail.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-crossbar.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/irqchip/irq-crossbar.c
++++ b/drivers/irqchip/irq-crossbar.c
+@@ -199,7 +199,7 @@ static const struct irq_domain_ops cross
+ static int __init crossbar_of_init(struct device_node *node)
+ {
+       int i, size, reserved = 0;
+-      u32 max = 0, entry;
++      u32 max = 0, entry, reg_size;
+       const __be32 *irqsr;
+       int ret = -ENOMEM;
+@@ -276,9 +276,9 @@ static int __init crossbar_of_init(struc
+       if (!cb->register_offsets)
+               goto err_irq_map;
+-      of_property_read_u32(node, "ti,reg-size", &size);
++      of_property_read_u32(node, "ti,reg-size", &reg_size);
+-      switch (size) {
++      switch (reg_size) {
+       case 1:
+               cb->write = crossbar_writeb;
+               break;
+@@ -304,7 +304,7 @@ static int __init crossbar_of_init(struc
+                       continue;
+               cb->register_offsets[i] = reserved;
+-              reserved += size;
++              reserved += reg_size;
+       }
+       of_property_read_u32(node, "ti,irqs-safe-map", &cb->safe_map);
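Review bot: `reg_size` is declared without an initialiser and the return value of `of_property_read_u32(node, "ti,reg-size", &reg_size)` is ignored, so a device tree node without that property leaves `switch (reg_size)` reading an indeterminate value. of_property_read_u32() writes its output only on success, so either initialise the variable, `u32 max = 0, entry, reg_size = 0;`, or bail out on a non-zero return before the switch. Whether the switch has a rejecting `default:` cannot be seen from here, since only `case 1:` is inside the hunk. `reserved += reg_size;` now also adds a u32 into an `int`, which is the same signedness mix the commit set out to remove. crossbar_of_init continues outside the hunks.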
diff --git a/queue-4.9/jump_label-invoke-jump_label_test-via-early_initcall.patch b/queue-4.9/jump_label-invoke-jump_label_test-via-early_initcall.patch
new file mode 100644 (file)
index 0000000..f8970ab
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Jason Baron <jbaron@akamai.com>
+Date: Mon, 13 Nov 2017 16:48:47 -0500
+Subject: jump_label: Invoke jump_label_test() via early_initcall()
+
+From: Jason Baron <jbaron@akamai.com>
+
+
+[ Upstream commit 92ee46efeb505ead3ab06d3c5ce695637ed5f152 ]
+
+Fengguang Wu reported that running the rcuperf test during boot can cause
+the jump_label_test() to hit a WARN_ON(). The issue is that the core jump
+label code relies on kernel_text_address() to detect when it can no longer
+update branches that may be contained in __init sections. The
+kernel_text_address() in turn assumes that if the system_state variable is
+greter than or equal to SYSTEM_RUNNING then __init sections are no longer
+valid (since the assumption is that they have been freed). However, when
+rcuperf is setup to run in early boot it can call kernel_power_off() which
+sets the system_state to SYSTEM_POWER_OFF.
+
+Since rcuperf initialization is invoked via a module_init(), we can make
+the dependency of jump_label_test() needing to complete before rcuperf
+explicit by calling it via early_initcall().
+
+Reported-by: Fengguang Wu <fengguang.wu@intel.com>
+Signed-off-by: Jason Baron <jbaron@akamai.com>
+Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/1510609727-2238-1-git-send-email-jbaron@akamai.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/jump_label.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/jump_label.c
++++ b/kernel/jump_label.c
+@@ -612,7 +612,7 @@ static __init int jump_label_test(void)
+       return 0;
+ }
+-late_initcall(jump_label_test);
++early_initcall(jump_label_test);
+ #endif /* STATIC_KEYS_SELFTEST */
+ #endif /* HAVE_JUMP_LABEL */
diff --git a/queue-4.9/kbuild-do-not-call-cc-option-before-kbuild_cflags-initialization.patch b/queue-4.9/kbuild-do-not-call-cc-option-before-kbuild_cflags-initialization.patch
new file mode 100644 (file)
index 0000000..b1dffdf
--- /dev/null
@@ -0,0 +1,101 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Thu, 12 Oct 2017 18:22:25 +0900
+Subject: kbuild: do not call cc-option before KBUILD_CFLAGS initialization
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+
+[ Upstream commit 433dc2ebe7d17dd21cba7ad5c362d37323592236 ]
+
+Some $(call cc-option,...) are invoked very early, even before
+KBUILD_CFLAGS, etc. are initialized.
+
+The returned string from $(call cc-option,...) depends on
+KBUILD_CPPFLAGS, KBUILD_CFLAGS, and GCC_PLUGINS_CFLAGS.
+
+Since they are exported, they are not empty when the top Makefile
+is recursively invoked.
+
+The recursion occurs in several places.  For example, the top
+Makefile invokes itself for silentoldconfig.  "make tinyconfig",
+"make rpm-pkg" are the cases, too.
+
+In those cases, the second call of cc-option from the same line
+runs a different shell command due to non-pristine KBUILD_CFLAGS.
+
+To get the same result all the time, KBUILD_* and GCC_PLUGINS_CFLAGS
+must be initialized before any call of cc-option.  This avoids
+garbage data in the .cache.mk file.
+
+Move all calls of cc-option below the config targets because target
+compiler flags are unnecessary for Kconfig.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Makefile |   21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -370,9 +370,6 @@ LDFLAGS_MODULE  =
+ CFLAGS_KERNEL =
+ AFLAGS_KERNEL =
+ LDFLAGS_vmlinux =
+-CFLAGS_GCOV   := -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,)
+-CFLAGS_KCOV   := $(call cc-option,-fsanitize-coverage=trace-pc,)
+-
+ # Use USERINCLUDE when you must reference the UAPI directories only.
+ USERINCLUDE    := \
+@@ -393,21 +390,19 @@ LINUXINCLUDE    := \
+ LINUXINCLUDE  += $(filter-out $(LINUXINCLUDE),$(USERINCLUDE))
+-KBUILD_CPPFLAGS := -D__KERNEL__
+-
++KBUILD_AFLAGS   := -D__ASSEMBLY__
+ KBUILD_CFLAGS   := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
+                  -fno-strict-aliasing -fno-common \
+                  -Werror-implicit-function-declaration \
+                  -Wno-format-security \
+-                 -std=gnu89 $(call cc-option,-fno-PIE)
+-
+-
++                 -std=gnu89
++KBUILD_CPPFLAGS := -D__KERNEL__
+ KBUILD_AFLAGS_KERNEL :=
+ KBUILD_CFLAGS_KERNEL :=
+-KBUILD_AFLAGS   := -D__ASSEMBLY__ $(call cc-option,-fno-PIE)
+ KBUILD_AFLAGS_MODULE  := -DMODULE
+ KBUILD_CFLAGS_MODULE  := -DMODULE
+ KBUILD_LDFLAGS_MODULE := -T $(srctree)/scripts/module-common.lds
++GCC_PLUGINS_CFLAGS :=
+ # Read KERNELRELEASE from include/config/kernel.release (if it exists)
+ KERNELRELEASE = $(shell cat include/config/kernel.release 2> /dev/null)
+@@ -420,7 +415,7 @@ export MAKE AWK GENKSYMS INSTALLKERNEL P
+ export HOSTCXX HOSTCXXFLAGS LDFLAGS_MODULE CHECK CHECKFLAGS
+ export KBUILD_CPPFLAGS NOSTDINC_FLAGS LINUXINCLUDE OBJCOPYFLAGS LDFLAGS
+-export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE CFLAGS_GCOV CFLAGS_KCOV CFLAGS_KASAN CFLAGS_UBSAN
++export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE CFLAGS_KASAN CFLAGS_UBSAN
+ export KBUILD_AFLAGS AFLAGS_KERNEL AFLAGS_MODULE
+ export KBUILD_AFLAGS_MODULE KBUILD_CFLAGS_MODULE KBUILD_LDFLAGS_MODULE
+ export KBUILD_AFLAGS_KERNEL KBUILD_CFLAGS_KERNEL
+@@ -620,6 +615,12 @@ endif
+ # Defaults to vmlinux, but the arch makefile usually adds further targets
+ all: vmlinux
++KBUILD_CFLAGS += $(call cc-option,-fno-PIE)
++KBUILD_AFLAGS += $(call cc-option,-fno-PIE)
++CFLAGS_GCOV   := -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,)
++CFLAGS_KCOV   := $(call cc-option,-fsanitize-coverage=trace-pc,)
++export CFLAGS_GCOV CFLAGS_KCOV
++
+ # The arch Makefile can set ARCH_{CPP,A,C}FLAGS to override the default
+ # values of the respective KBUILD_* variables
+ ARCH_CPPFLAGS :=
diff --git a/queue-4.9/kbuild-pkg-use-transform-option-to-prefix-paths-in-tar.patch b/queue-4.9/kbuild-pkg-use-transform-option-to-prefix-paths-in-tar.patch
new file mode 100644 (file)
index 0000000..bca4f41
--- /dev/null
@@ -0,0 +1,53 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Wed, 15 Nov 2017 18:17:07 +0900
+Subject: kbuild: pkg: use --transform option to prefix paths in tar
+
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+
+
+[ Upstream commit 2dbc644ac62bbcb9ee78e84719953f611be0413d ]
+
+For rpm-pkg and deb-pkg, a source tar file is created.  All paths in
+the archive must be prefixed with the base name of the tar so that
+everything is contained in the directory when you extract it.
+
+Currently, scripts/package/Makefile uses a symlink for that, and
+removes it after the tar is created.
+
+If you terminate the build during the tar creation, the symlink is
+left over.  Then, at the next package build, you will see a warning
+like follows:
+
+  ln: '.' and 'kernel-4.14.0+/.' are the same file
+
+It is possible to fix it by adding -n (--no-dereference) option to
+the "ln" command, but a cleaner way is to use --transform option
+of "tar" command.  This option is GNU extension, but it should not
+hurt to use it in the Linux build system.
+
+The 'S' flag is needed to exclude symlinks from the path fixup.
+Without it, symlinks in the kernel are broken.
+
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/package/Makefile |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/scripts/package/Makefile
++++ b/scripts/package/Makefile
+@@ -39,10 +39,9 @@ if test "$(objtree)" != "$(srctree)"; th
+       false; \
+ fi ; \
+ $(srctree)/scripts/setlocalversion --save-scmversion; \
+-ln -sf $(srctree) $(2); \
+ tar -cz $(RCS_TAR_IGNORE) -f $(2).tar.gz \
+-      $(addprefix $(2)/,$(TAR_CONTENT) $(3)); \
+-rm -f $(2) $(objtree)/.scmversion
++      --transform 's:^:$(2)/:S' $(TAR_CONTENT) $(3); \
++rm -f $(objtree)/.scmversion
+ # rpm-pkg
+ # ---------------------------------------------------------------------------
diff --git a/queue-4.9/kvm-arm-arm64-vgic-fix-command-handling-while-its-being-disabled.patch b/queue-4.9/kvm-arm-arm64-vgic-fix-command-handling-while-its-being-disabled.patch
new file mode 100644 (file)
index 0000000..1e3032c
--- /dev/null
@@ -0,0 +1,175 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Andre Przywara <andre.przywara@arm.com>
+Date: Thu, 16 Feb 2017 10:41:20 +0000
+Subject: KVM: arm/arm64: VGIC: Fix command handling while ITS being disabled
+
+From: Andre Przywara <andre.przywara@arm.com>
+
+
+[ Upstream commit a5e1e6ca94a8cec51571fd62e3eaec269717969c ]
+
+The ITS spec says that ITS commands are only processed when the ITS
+is enabled (section 8.19.4, Enabled, bit[0]). Our emulation was not taking
+this into account.
+Fix this by checking the enabled state before handling CWRITER writes.
+
+On the other hand that means that CWRITER could advance while the ITS
+is disabled, and enabling it would need those commands to be processed.
+Fix this case as well by refactoring actual command processing and
+calling this from both the GITS_CWRITER and GITS_CTLR handlers.
+
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Christoffer Dall <cdall@linaro.org>
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/arm/vgic/vgic-its.c |  109 +++++++++++++++++++++++++------------------
+ 1 file changed, 65 insertions(+), 44 deletions(-)
+
+--- a/virt/kvm/arm/vgic/vgic-its.c
++++ b/virt/kvm/arm/vgic/vgic-its.c
+@@ -360,29 +360,6 @@ static int its_sync_lpi_pending_table(st
+       return ret;
+ }
+-static unsigned long vgic_mmio_read_its_ctlr(struct kvm *vcpu,
+-                                           struct vgic_its *its,
+-                                           gpa_t addr, unsigned int len)
+-{
+-      u32 reg = 0;
+-
+-      mutex_lock(&its->cmd_lock);
+-      if (its->creadr == its->cwriter)
+-              reg |= GITS_CTLR_QUIESCENT;
+-      if (its->enabled)
+-              reg |= GITS_CTLR_ENABLE;
+-      mutex_unlock(&its->cmd_lock);
+-
+-      return reg;
+-}
+-
+-static void vgic_mmio_write_its_ctlr(struct kvm *kvm, struct vgic_its *its,
+-                                   gpa_t addr, unsigned int len,
+-                                   unsigned long val)
+-{
+-      its->enabled = !!(val & GITS_CTLR_ENABLE);
+-}
+-
+ static unsigned long vgic_mmio_read_its_typer(struct kvm *kvm,
+                                             struct vgic_its *its,
+                                             gpa_t addr, unsigned int len)
+@@ -1162,33 +1139,16 @@ static void vgic_mmio_write_its_cbaser(s
+ #define ITS_CMD_SIZE                  32
+ #define ITS_CMD_OFFSET(reg)           ((reg) & GENMASK(19, 5))
+-/*
+- * By writing to CWRITER the guest announces new commands to be processed.
+- * To avoid any races in the first place, we take the its_cmd lock, which
+- * protects our ring buffer variables, so that there is only one user
+- * per ITS handling commands at a given time.
+- */
+-static void vgic_mmio_write_its_cwriter(struct kvm *kvm, struct vgic_its *its,
+-                                      gpa_t addr, unsigned int len,
+-                                      unsigned long val)
++/* Must be called with the cmd_lock held. */
++static void vgic_its_process_commands(struct kvm *kvm, struct vgic_its *its)
+ {
+       gpa_t cbaser;
+       u64 cmd_buf[4];
+-      u32 reg;
+-      if (!its)
+-              return;
+-
+-      mutex_lock(&its->cmd_lock);
+-
+-      reg = update_64bit_reg(its->cwriter, addr & 7, len, val);
+-      reg = ITS_CMD_OFFSET(reg);
+-      if (reg >= ITS_CMD_BUFFER_SIZE(its->cbaser)) {
+-              mutex_unlock(&its->cmd_lock);
++      /* Commands are only processed when the ITS is enabled. */
++      if (!its->enabled)
+               return;
+-      }
+-      its->cwriter = reg;
+       cbaser = CBASER_ADDRESS(its->cbaser);
+       while (its->cwriter != its->creadr) {
+@@ -1208,6 +1168,34 @@ static void vgic_mmio_write_its_cwriter(
+               if (its->creadr == ITS_CMD_BUFFER_SIZE(its->cbaser))
+                       its->creadr = 0;
+       }
++}
++
++/*
++ * By writing to CWRITER the guest announces new commands to be processed.
++ * To avoid any races in the first place, we take the its_cmd lock, which
++ * protects our ring buffer variables, so that there is only one user
++ * per ITS handling commands at a given time.
++ */
++static void vgic_mmio_write_its_cwriter(struct kvm *kvm, struct vgic_its *its,
++                                      gpa_t addr, unsigned int len,
++                                      unsigned long val)
++{
++      u64 reg;
++
++      if (!its)
++              return;
++
++      mutex_lock(&its->cmd_lock);
++
++      reg = update_64bit_reg(its->cwriter, addr & 7, len, val);
++      reg = ITS_CMD_OFFSET(reg);
++      if (reg >= ITS_CMD_BUFFER_SIZE(its->cbaser)) {
++              mutex_unlock(&its->cmd_lock);
++              return;
++      }
++      its->cwriter = reg;
++
++      vgic_its_process_commands(kvm, its);
+       mutex_unlock(&its->cmd_lock);
+ }
+@@ -1288,6 +1276,39 @@ static void vgic_mmio_write_its_baser(st
+       *regptr = reg;
+ }
++static unsigned long vgic_mmio_read_its_ctlr(struct kvm *vcpu,
++                                           struct vgic_its *its,
++                                           gpa_t addr, unsigned int len)
++{
++      u32 reg = 0;
++
++      mutex_lock(&its->cmd_lock);
++      if (its->creadr == its->cwriter)
++              reg |= GITS_CTLR_QUIESCENT;
++      if (its->enabled)
++              reg |= GITS_CTLR_ENABLE;
++      mutex_unlock(&its->cmd_lock);
++
++      return reg;
++}
++
++static void vgic_mmio_write_its_ctlr(struct kvm *kvm, struct vgic_its *its,
++                                   gpa_t addr, unsigned int len,
++                                   unsigned long val)
++{
++      mutex_lock(&its->cmd_lock);
++
++      its->enabled = !!(val & GITS_CTLR_ENABLE);
++
++      /*
++       * Try to process any pending commands. This function bails out early
++       * if the ITS is disabled or no commands have been queued.
++       */
++      vgic_its_process_commands(kvm, its);
++
++      mutex_unlock(&its->cmd_lock);
++}
++
+ #define REGISTER_ITS_DESC(off, rd, wr, length, acc)           \
+ {                                                             \
+       .reg_offset = off,                                      \
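Review bot: The locking contract of `vgic_its_process_commands()` is carried only by the comment `/* Must be called with the cmd_lock held. */`; now that the GITS_CWRITER and GITS_CTLR write handlers both call it, it is worth making the contract checkable by adding `lockdep_assert_held(&its->cmd_lock);` as the first statement. Separately, `vgic_mmio_write_its_cwriter()` keeps its `if (!its) return;` guard, while the relocated `vgic_mmio_write_its_ctlr()` now takes `its->cmd_lock` with no such guard. If `its` can be NULL on this path the two handlers should agree, and if it cannot, the guard in the CWRITER handler is dead code. Both registers are written by the guest, so the ring-buffer state they share should not rest on an unstated calling convention.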
diff --git a/queue-4.9/kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch b/queue-4.9/kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch
new file mode 100644 (file)
index 0000000..de628c5
--- /dev/null
@@ -0,0 +1,96 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Mon, 6 Mar 2017 04:03:28 -0800
+Subject: KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+
+[ Upstream commit 2f707d97982286b307ef2a9b034e19aabc1abb56 ]
+
+Reported by syzkaller:
+
+    WARNING: CPU: 1 PID: 27742 at arch/x86/kvm/vmx.c:11029
+    nested_vmx_vmexit+0x5c35/0x74d0 arch/x86/kvm/vmx.c:11029
+    CPU: 1 PID: 27742 Comm: a.out Not tainted 4.10.0+ #229
+    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+    Call Trace:
+     __dump_stack lib/dump_stack.c:15 [inline]
+     dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
+     panic+0x1fb/0x412 kernel/panic.c:179
+     __warn+0x1c4/0x1e0 kernel/panic.c:540
+     warn_slowpath_null+0x2c/0x40 kernel/panic.c:583
+     nested_vmx_vmexit+0x5c35/0x74d0 arch/x86/kvm/vmx.c:11029
+     vmx_leave_nested arch/x86/kvm/vmx.c:11136 [inline]
+     vmx_set_msr+0x1565/0x1910 arch/x86/kvm/vmx.c:3324
+     kvm_set_msr+0xd4/0x170 arch/x86/kvm/x86.c:1099
+     do_set_msr+0x11e/0x190 arch/x86/kvm/x86.c:1128
+     __msr_io arch/x86/kvm/x86.c:2577 [inline]
+     msr_io+0x24b/0x450 arch/x86/kvm/x86.c:2614
+     kvm_arch_vcpu_ioctl+0x35b/0x46a0 arch/x86/kvm/x86.c:3497
+     kvm_vcpu_ioctl+0x232/0x1120 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2721
+     vfs_ioctl fs/ioctl.c:43 [inline]
+     do_vfs_ioctl+0x1bf/0x1790 fs/ioctl.c:683
+     SYSC_ioctl fs/ioctl.c:698 [inline]
+     SyS_ioctl+0x8f/0xc0 fs/ioctl.c:689
+     entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+The syzkaller folks reported a nested_run_pending warning during userspace
+clear VMX capability which is exposed to L1 before.
+
+The warning gets thrown while doing
+
+(*(uint32_t*)0x20aecfe8 = (uint32_t)0x1);
+(*(uint32_t*)0x20aecfec = (uint32_t)0x0);
+(*(uint32_t*)0x20aecff0 = (uint32_t)0x3a);
+(*(uint32_t*)0x20aecff4 = (uint32_t)0x0);
+(*(uint64_t*)0x20aecff8 = (uint64_t)0x0);
+r[29] = syscall(__NR_ioctl, r[4], 0x4008ae89ul,
+               0x20aecfe8ul, 0, 0, 0, 0, 0, 0);
+
+i.e. KVM_SET_MSR ioctl with
+
+struct kvm_msrs {
+       .nmsrs = 1,
+               .pad = 0,
+               .entries = {
+                       {.index = MSR_IA32_FEATURE_CONTROL,
+                        .reserved = 0,
+                        .data = 0}
+               }
+}
+
+The VMLANCH/VMRESUME emulation should be stopped since the CPU is going to
+reset here. This patch resets the nested_run_pending since the CPU is going
+to be reset hence there should be nothing pending.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Suggested-by: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: David Hildenbrand <david@redhat.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -10884,8 +10884,10 @@ static void nested_vmx_vmexit(struct kvm
+  */
+ static void vmx_leave_nested(struct kvm_vcpu *vcpu)
+ {
+-      if (is_guest_mode(vcpu))
++      if (is_guest_mode(vcpu)) {
++              to_vmx(vcpu)->nested.nested_run_pending = 0;
+               nested_vmx_vmexit(vcpu, -1, 0, 0);
++      }
+       free_nested(to_vmx(vcpu));
+ }
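Review bot: The new assignment in `vmx_leave_nested()` has no comment saying why a pending nested entry may be discarded here, so it can read as merely silencing the warning in `nested_vmx_vmexit()`. I would add above it `/* Userspace is forcing the vCPU out of nested mode; a pending VMLAUNCH/VMRESUME is abandoned, not completed. */`. The trace in the description reaches this function from the MSR-setting ioctl and then runs through `panic()`, so on a host configured to panic on warnings the old behaviour took the host down. That is worth recording next to the fix.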
diff --git a/queue-4.9/kvm-nvmx-vmclear-should-not-cause-the-vcpu-to-shut-down.patch b/queue-4.9/kvm-nvmx-vmclear-should-not-cause-the-vcpu-to-shut-down.patch
new file mode 100644 (file)
index 0000000..bbd4f60
--- /dev/null
@@ -0,0 +1,62 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Jim Mattson <jmattson@google.com>
+Date: Thu, 2 Mar 2017 12:41:48 -0800
+Subject: kvm: nVMX: VMCLEAR should not cause the vCPU to shut down
+
+From: Jim Mattson <jmattson@google.com>
+
+
+[ Upstream commit 587d7e72aedca91cee80c0a56811649c3efab765 ]
+
+VMCLEAR should silently ignore a failure to clear the launch state of
+the VMCS referenced by the operand.
+
+Signed-off-by: Jim Mattson <jmattson@google.com>
+[Changed "kvm_write_guest(vcpu->kvm" to "kvm_vcpu_write_guest(vcpu".]
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c |   22 ++++------------------
+ 1 file changed, 4 insertions(+), 18 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7203,9 +7203,8 @@ static int handle_vmoff(struct kvm_vcpu
+ static int handle_vmclear(struct kvm_vcpu *vcpu)
+ {
+       struct vcpu_vmx *vmx = to_vmx(vcpu);
++      u32 zero = 0;
+       gpa_t vmptr;
+-      struct vmcs12 *vmcs12;
+-      struct page *page;
+       if (!nested_vmx_check_permission(vcpu))
+               return 1;
+@@ -7216,22 +7215,9 @@ static int handle_vmclear(struct kvm_vcp
+       if (vmptr == vmx->nested.current_vmptr)
+               nested_release_vmcs12(vmx);
+-      page = nested_get_page(vcpu, vmptr);
+-      if (page == NULL) {
+-              /*
+-               * For accurate processor emulation, VMCLEAR beyond available
+-               * physical memory should do nothing at all. However, it is
+-               * possible that a nested vmx bug, not a guest hypervisor bug,
+-               * resulted in this case, so let's shut down before doing any
+-               * more damage:
+-               */
+-              kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu);
+-              return 1;
+-      }
+-      vmcs12 = kmap(page);
+-      vmcs12->launch_state = 0;
+-      kunmap(page);
+-      nested_release_page(page);
++      kvm_vcpu_write_guest(vcpu,
++                      vmptr + offsetof(struct vmcs12, launch_state),
++                      &zero, sizeof(zero));
+       nested_free_vmcs02(vmx, vmptr);
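Review bot: The return value of `kvm_vcpu_write_guest()` is dropped in `handle_vmclear()` with nothing in the code saying this is deliberate, and the removed block held the only comment on how VMCLEAR should treat an unbacked address. A one-line comment before the call would keep that, e.g. `/* VMCLEAR ignores a failure to clear launch_state; a bad vmptr must not shut down the vCPU. */`. `vmptr` is obtained above the hunk (not visible here) and is presumably guest-supplied, so the write should stay on the guest-memory accessor rather than a mapped page, as this change does. The function continues past the end of the hunk.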
diff --git a/queue-4.9/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch b/queue-4.9/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch
new file mode 100644 (file)
index 0000000..dde4692
--- /dev/null
@@ -0,0 +1,102 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Stephen Bates <sbates@raithlin.com>
+Date: Fri, 17 Nov 2017 15:28:16 -0800
+Subject: lib/genalloc.c: make the avail variable an atomic_long_t
+
+From: Stephen Bates <sbates@raithlin.com>
+
+
+[ Upstream commit 36a3d1dd4e16bcd0d2ddfb4a2ec7092f0ae0d931 ]
+
+If the amount of resources allocated to a gen_pool exceeds 2^32 then the
+avail atomic overflows and this causes problems when clients try and
+borrow resources from the pool.  This is only expected to be an issue on
+64 bit systems.
+
+Add the <linux/atomic.h> header to pull in atomic_long* operations.  So
+that 32 bit systems continue to use atomic32_t but 64 bit systems can
+use atomic64_t.
+
+Link: http://lkml.kernel.org/r/1509033843-25667-1-git-send-email-sbates@raithlin.com
+Signed-off-by: Stephen Bates <sbates@raithlin.com>
+Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
+Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Reviewed-by: Daniel Mentz <danielmentz@google.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/genalloc.h |    3 ++-
+ lib/genalloc.c           |   10 +++++-----
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+--- a/include/linux/genalloc.h
++++ b/include/linux/genalloc.h
+@@ -32,6 +32,7 @@
+ #include <linux/types.h>
+ #include <linux/spinlock_types.h>
++#include <linux/atomic.h>
+ struct device;
+ struct device_node;
+@@ -70,7 +71,7 @@ struct gen_pool {
+  */
+ struct gen_pool_chunk {
+       struct list_head next_chunk;    /* next chunk in pool */
+-      atomic_t avail;
++      atomic_long_t avail;
+       phys_addr_t phys_addr;          /* physical starting address of memory chunk */
+       unsigned long start_addr;       /* start address of memory chunk */
+       unsigned long end_addr;         /* end address of memory chunk (inclusive) */
+--- a/lib/genalloc.c
++++ b/lib/genalloc.c
+@@ -194,7 +194,7 @@ int gen_pool_add_virt(struct gen_pool *p
+       chunk->phys_addr = phys;
+       chunk->start_addr = virt;
+       chunk->end_addr = virt + size - 1;
+-      atomic_set(&chunk->avail, size);
++      atomic_long_set(&chunk->avail, size);
+       spin_lock(&pool->lock);
+       list_add_rcu(&chunk->next_chunk, &pool->chunks);
+@@ -304,7 +304,7 @@ unsigned long gen_pool_alloc_algo(struct
+       nbits = (size + (1UL << order) - 1) >> order;
+       rcu_read_lock();
+       list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk) {
+-              if (size > atomic_read(&chunk->avail))
++              if (size > atomic_long_read(&chunk->avail))
+                       continue;
+               start_bit = 0;
+@@ -324,7 +324,7 @@ retry:
+               addr = chunk->start_addr + ((unsigned long)start_bit << order);
+               size = nbits << order;
+-              atomic_sub(size, &chunk->avail);
++              atomic_long_sub(size, &chunk->avail);
+               break;
+       }
+       rcu_read_unlock();
+@@ -390,7 +390,7 @@ void gen_pool_free(struct gen_pool *pool
+                       remain = bitmap_clear_ll(chunk->bits, start_bit, nbits);
+                       BUG_ON(remain);
+                       size = nbits << order;
+-                      atomic_add(size, &chunk->avail);
++                      atomic_long_add(size, &chunk->avail);
+                       rcu_read_unlock();
+                       return;
+               }
+@@ -464,7 +464,7 @@ size_t gen_pool_avail(struct gen_pool *p
+       rcu_read_lock();
+       list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk)
+-              avail += atomic_read(&chunk->avail);
++              avail += atomic_long_read(&chunk->avail);
+       rcu_read_unlock();
+       return avail;
+ }
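Review bot: `avail` is the only field of `struct gen_pool_chunk` shown in the header hunk without a comment, and after the widening its signedness matters. `size > atomic_long_read(&chunk->avail)` in `gen_pool_alloc_algo()` compares what appears to be an unsigned size (declared outside the hunk) with a signed long. Should `avail` ever be observed negative, it converts to a very large unsigned value and the chunk is treated as having room. I would document the field as `atomic_long_t avail;	/* bytes still free in this chunk; never negative */` so the assumption sits next to the type.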
diff --git a/queue-4.9/libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch b/queue-4.9/libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch
new file mode 100644 (file)
index 0000000..fc6bd54
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Tejun Heo <tj@kernel.org>
+Date: Mon, 6 Mar 2017 15:26:54 -0500
+Subject: libata: drop WARN from protocol error in ata_sff_qc_issue()
+
+From: Tejun Heo <tj@kernel.org>
+
+
+[ Upstream commit 0580b762a4d6b70817476b90042813f8573283fa ]
+
+ata_sff_qc_issue() expects upper layers to never issue commands on a
+command protocol that it doesn't implement.  While the assumption
+holds fine with the usual IO path, nothing filters based on the
+command protocol in the passthrough path (which was added later),
+allowing the warning to be tripped with a passthrough command with the
+right (well, wrong) protocol.
+
+Failing with AC_ERR_SYSTEM is the right thing to do anyway.  Remove
+the unnecessary WARN.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Link: http://lkml.kernel.org/r/CACT4Y+bXkvevNZU8uP6X0QVqsj6wNoUA_1exfTSOzc+SmUtMOA@mail.gmail.com
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-sff.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/ata/libata-sff.c
++++ b/drivers/ata/libata-sff.c
+@@ -1481,7 +1481,6 @@ unsigned int ata_sff_qc_issue(struct ata
+               break;
+       default:
+-              WARN_ON_ONCE(1);
+               return AC_ERR_SYSTEM;
+       }
diff --git a/queue-4.9/lirc-fix-dead-lock-between-open-and-wakeup_filter.patch b/queue-4.9/lirc-fix-dead-lock-between-open-and-wakeup_filter.patch
new file mode 100644 (file)
index 0000000..2cd7a40
--- /dev/null
@@ -0,0 +1,150 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Sean Young <sean@mess.org>
+Date: Mon, 13 Feb 2017 10:35:44 -0200
+Subject: [media] lirc: fix dead lock between open and wakeup_filter
+
+From: Sean Young <sean@mess.org>
+
+
+[ Upstream commit db5b15b74ed9a5c04bb808d18ffa2c773f5c18c0 ]
+
+The locking in lirc needs improvement, but for now just fix this potential
+deadlock.
+
+======================================================
+[ INFO: possible circular locking dependency detected ]
+4.10.0-rc1+ #1 Not tainted
+-------------------------------------------------------
+bash/2502 is trying to acquire lock:
+ (ir_raw_handler_lock){+.+.+.}, at: [<ffffffffc06f6a5e>] ir_raw_encode_scancode+0x3e/0xb0 [rc_core]
+
+               but task is already holding lock:
+ (&dev->lock){+.+.+.}, at: [<ffffffffc06f511f>] store_filter+0x9f/0x240 [rc_core]
+
+               which lock already depends on the new lock.
+
+               the existing dependency chain (in reverse order) is:
+
+               -> #2 (&dev->lock){+.+.+.}:
+
+[<ffffffffa110adad>] lock_acquire+0xfd/0x200
+[<ffffffffa1921327>] mutex_lock_nested+0x77/0x6d0
+[<ffffffffc06f436a>] rc_open+0x2a/0x80 [rc_core]
+[<ffffffffc07114ca>] lirc_dev_fop_open+0xda/0x1e0 [lirc_dev]
+[<ffffffffa12975e0>] chrdev_open+0xb0/0x210
+[<ffffffffa128eb5a>] do_dentry_open+0x20a/0x2f0
+[<ffffffffa128ffcc>] vfs_open+0x4c/0x80
+[<ffffffffa12a35ec>] path_openat+0x5bc/0xc00
+[<ffffffffa12a5271>] do_filp_open+0x91/0x100
+[<ffffffffa12903f0>] do_sys_open+0x130/0x220
+[<ffffffffa12904fe>] SyS_open+0x1e/0x20
+[<ffffffffa19278c1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
+               -> #1 (lirc_dev_lock){+.+.+.}:
+[<ffffffffa110adad>] lock_acquire+0xfd/0x200
+[<ffffffffa1921327>] mutex_lock_nested+0x77/0x6d0
+[<ffffffffc0711f47>] lirc_register_driver+0x67/0x59b [lirc_dev]
+[<ffffffffc06db7f4>] ir_lirc_register+0x1f4/0x260 [ir_lirc_codec]
+[<ffffffffc06f6cac>] ir_raw_handler_register+0x7c/0xb0 [rc_core]
+[<ffffffffc0398010>] 0xffffffffc0398010
+[<ffffffffa1002192>] do_one_initcall+0x52/0x1b0
+[<ffffffffa11ef5c8>] do_init_module+0x5f/0x1fa
+[<ffffffffa11566b5>] load_module+0x2675/0x2b00
+[<ffffffffa1156dcf>] SYSC_finit_module+0xdf/0x110
+[<ffffffffa1156e1e>] SyS_finit_module+0xe/0x10
+[<ffffffffa1003f5c>] do_syscall_64+0x6c/0x1f0
+[<ffffffffa1927989>] return_from_SYSCALL_64+0x0/0x7a
+               -> #0 (ir_raw_handler_lock){+.+.+.}:
+[<ffffffffa110a7b7>] __lock_acquire+0x10f7/0x1290
+[<ffffffffa110adad>] lock_acquire+0xfd/0x200
+[<ffffffffa1921327>] mutex_lock_nested+0x77/0x6d0
+[<ffffffffc06f6a5e>] ir_raw_encode_scancode+0x3e/0xb0 [rc_core]
+[<ffffffffc0b0f492>] loop_set_wakeup_filter+0x62/0xbd [rc_loopback]
+[<ffffffffc06f522a>] store_filter+0x1aa/0x240 [rc_core]
+[<ffffffffa15e46f8>] dev_attr_store+0x18/0x30
+[<ffffffffa13318e5>] sysfs_kf_write+0x45/0x60
+[<ffffffffa1330b55>] kernfs_fop_write+0x155/0x1e0
+[<ffffffffa1290797>] __vfs_write+0x37/0x160
+[<ffffffffa12921f8>] vfs_write+0xc8/0x1e0
+[<ffffffffa12936e8>] SyS_write+0x58/0xc0
+[<ffffffffa19278c1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+               other info that might help us debug this:
+
+Chain exists of:
+                 ir_raw_handler_lock --> lirc_dev_lock --> &dev->lock
+
+ Possible unsafe locking scenario:
+
+       CPU0                    CPU1
+       ----                    ----
+  lock(&dev->lock);
+                               lock(lirc_dev_lock);
+                               lock(&dev->lock);
+  lock(ir_raw_handler_lock);
+
+                *** DEADLOCK ***
+
+4 locks held by bash/2502:
+ #0:  (sb_writers#4){.+.+.+}, at: [<ffffffffa12922c5>] vfs_write+0x195/0x1e0
+ #1:  (&of->mutex){+.+.+.}, at: [<ffffffffa1330b1f>] kernfs_fop_write+0x11f/0x1e0
+ #2:  (s_active#215){.+.+.+}, at: [<ffffffffa1330b28>] kernfs_fop_write+0x128/0x1e0
+ #3:  (&dev->lock){+.+.+.}, at: [<ffffffffc06f511f>] store_filter+0x9f/0x240 [rc_core]
+
+               stack backtrace:
+CPU: 3 PID: 2502 Comm: bash Not tainted 4.10.0-rc1+ #1
+Hardware name:                  /DG45ID, BIOS IDG4510H.86A.0135.2011.0225.1100 02/25/2011
+Call Trace:
+ dump_stack+0x86/0xc3
+ print_circular_bug+0x1be/0x210
+ __lock_acquire+0x10f7/0x1290
+ lock_acquire+0xfd/0x200
+ ? ir_raw_encode_scancode+0x3e/0xb0 [rc_core]
+ ? ir_raw_encode_scancode+0x3e/0xb0 [rc_core]
+ mutex_lock_nested+0x77/0x6d0
+ ? ir_raw_encode_scancode+0x3e/0xb0 [rc_core]
+ ? loop_set_wakeup_filter+0x44/0xbd [rc_loopback]
+ ir_raw_encode_scancode+0x3e/0xb0 [rc_core]
+ loop_set_wakeup_filter+0x62/0xbd [rc_loopback]
+ ? loop_set_tx_duty_cycle+0x70/0x70 [rc_loopback]
+ store_filter+0x1aa/0x240 [rc_core]
+ dev_attr_store+0x18/0x30
+ sysfs_kf_write+0x45/0x60
+ kernfs_fop_write+0x155/0x1e0
+ __vfs_write+0x37/0x160
+ ? rcu_read_lock_sched_held+0x4a/0x80
+ ? rcu_sync_lockdep_assert+0x2f/0x60
+ ? __sb_start_write+0x10c/0x220
+ ? vfs_write+0x195/0x1e0
+ ? security_file_permission+0x3b/0xc0
+ vfs_write+0xc8/0x1e0
+ SyS_write+0x58/0xc0
+ entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/lirc_dev.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/rc/lirc_dev.c
++++ b/drivers/media/rc/lirc_dev.c
+@@ -446,6 +446,8 @@ int lirc_dev_fop_open(struct inode *inod
+               return -ERESTARTSYS;
+       ir = irctls[iminor(inode)];
++      mutex_unlock(&lirc_dev_lock);
++
+       if (!ir) {
+               retval = -ENODEV;
+               goto error;
+@@ -486,8 +488,6 @@ int lirc_dev_fop_open(struct inode *inod
+       }
+ error:
+-      mutex_unlock(&lirc_dev_lock);
+-
+       nonseekable_open(inode, file);
+       return retval;
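Review bot: After this change `ir` is read from `irctls[]` under `lirc_dev_lock` and then used with the lock already dropped, so nothing visible in the hunks keeps the entry alive for the rest of `lirc_dev_fop_open()`. If unregistration can clear and free that slot concurrently (its code is not on this page), open would work on a stale pointer. The description already says the locking needs improvement, so at least record the assumption at the unlock, e.g. `/* ir is used unlocked from here on; relies on unregister not freeing it while open runs -- TODO confirm */`. A sturdier follow-up would take a reference on the device before `mutex_unlock(&lirc_dev_lock)`. The function body starts and ends outside the two hunks.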
diff --git a/queue-4.9/mac80211_hwsim-fix-memory-leak-in-hwsim_new_radio_nl.patch b/queue-4.9/mac80211_hwsim-fix-memory-leak-in-hwsim_new_radio_nl.patch
new file mode 100644 (file)
index 0000000..5ba1e31
--- /dev/null
@@ -0,0 +1,45 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Fri, 10 Nov 2017 18:48:50 +0000
+Subject: mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()
+
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+
+
+[ Upstream commit 67bd52386125ce1159c0581cbcd2740addf33cd4 ]
+
+hwsim_new_radio_nl() now copies the name attribute in order to add a
+null-terminator.  mac80211_hwsim_new_radio() (indirectly) copies it
+again into the net_device structure, so the first copy is not used or
+freed later.  Free the first copy before returning.
+
+Fixes: ff4dd73dd2b4 ("mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length")
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -3047,6 +3047,7 @@ static int hwsim_new_radio_nl(struct sk_
+ {
+       struct hwsim_new_radio_params param = { 0 };
+       const char *hwname = NULL;
++      int ret;
+       param.reg_strict = info->attrs[HWSIM_ATTR_REG_STRICT_REG];
+       param.p2p_device = info->attrs[HWSIM_ATTR_SUPPORT_P2P_DEVICE];
+@@ -3086,7 +3087,9 @@ static int hwsim_new_radio_nl(struct sk_
+               param.regd = hwsim_world_regdom_custom[idx];
+       }
+-      return mac80211_hwsim_new_radio(info, &param);
++      ret = mac80211_hwsim_new_radio(info, &param);
++      kfree(hwname);
++      return ret;
+ }
+ static int hwsim_del_radio_nl(struct sk_buff *msg, struct genl_info *info)
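Review bot: `kfree(hwname)` is added only on the final return of `hwsim_new_radio_nl()`, so any earlier `return` taken after the name copy is made would still leak it. The lines between the two hunks are not shown, but the context `param.regd = hwsim_world_regdom_custom[idx];` suggests a range check on `idx` with its own error return sits in between. Those paths should release the copy as well, either with `kfree(hwname);` before each such return or by routing them through a common exit label. The attributes come from a netlink request, so a leak on an error path can be repeated by the caller.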
diff --git a/queue-4.9/md-free-unused-memory-after-bitmap-resize.patch b/queue-4.9/md-free-unused-memory-after-bitmap-resize.patch
new file mode 100644 (file)
index 0000000..10a2847
--- /dev/null
@@ -0,0 +1,71 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Zdenek Kabelac <zkabelac@redhat.com>
+Date: Wed, 8 Nov 2017 13:44:56 +0100
+Subject: md: free unused memory after bitmap resize
+
+From: Zdenek Kabelac <zkabelac@redhat.com>
+
+
+[ Upstream commit 0868b99c214a3d55486c700de7c3f770b7243e7c ]
+
+When bitmap is resized, the old kalloced chunks just are not released
+once the resized bitmap starts to use new space.
+
+This fixes in particular kmemleak reports like this one:
+
+unreferenced object 0xffff8f4311e9c000 (size 4096):
+  comm "lvm", pid 19333, jiffies 4295263268 (age 528.265s)
+  hex dump (first 32 bytes):
+    02 80 02 80 02 80 02 80 02 80 02 80 02 80 02 80  ................
+    02 80 02 80 02 80 02 80 02 80 02 80 02 80 02 80  ................
+  backtrace:
+    [<ffffffffa69471ca>] kmemleak_alloc+0x4a/0xa0
+    [<ffffffffa628c10e>] kmem_cache_alloc_trace+0x14e/0x2e0
+    [<ffffffffa676cfec>] bitmap_checkpage+0x7c/0x110
+    [<ffffffffa676d0c5>] bitmap_get_counter+0x45/0xd0
+    [<ffffffffa676d6b3>] bitmap_set_memory_bits+0x43/0xe0
+    [<ffffffffa676e41c>] bitmap_init_from_disk+0x23c/0x530
+    [<ffffffffa676f1ae>] bitmap_load+0xbe/0x160
+    [<ffffffffc04c47d3>] raid_preresume+0x203/0x2f0 [dm_raid]
+    [<ffffffffa677762f>] dm_table_resume_targets+0x4f/0xe0
+    [<ffffffffa6774b52>] dm_resume+0x122/0x140
+    [<ffffffffa6779b9f>] dev_suspend+0x18f/0x290
+    [<ffffffffa677a3a7>] ctl_ioctl+0x287/0x560
+    [<ffffffffa677a693>] dm_ctl_ioctl+0x13/0x20
+    [<ffffffffa62d6b46>] do_vfs_ioctl+0xa6/0x750
+    [<ffffffffa62d7269>] SyS_ioctl+0x79/0x90
+    [<ffffffffa6956d41>] entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+Signed-off-by: Zdenek Kabelac <zkabelac@redhat.com>
+Signed-off-by: Shaohua Li <shli@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bitmap.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/md/bitmap.c
++++ b/drivers/md/bitmap.c
+@@ -2084,6 +2084,7 @@ int bitmap_resize(struct bitmap *bitmap,
+                               for (k = 0; k < page; k++) {
+                                       kfree(new_bp[k].map);
+                               }
++                              kfree(new_bp);
+                               /* restore some fields from old_counts */
+                               bitmap->counts.bp = old_counts.bp;
+@@ -2134,6 +2135,14 @@ int bitmap_resize(struct bitmap *bitmap,
+               block += old_blocks;
+       }
++      if (bitmap->counts.bp != old_counts.bp) {
++              unsigned long k;
++              for (k = 0; k < old_counts.pages; k++)
++                      if (!old_counts.bp[k].hijacked)
++                              kfree(old_counts.bp[k].map);
++              kfree(old_counts.bp);
++      }
++
+       if (!init) {
+               int i;
+               while (block < (chunks << chunkshift)) {
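Review bot: The block added after the copy loop in `bitmap_resize()` frees the old counter pages without saying why that is safe at this point. It also departs from kernel style, with no blank line after the declaration of `k` and a multi-line `for` body without braces. I would open it with `/* counts.bp now points at new_bp; release the old page table and its non-hijacked pages */` and brace the loop. The `hijacked` test presumably keeps `kfree()` away from a `map` value that is not an allocation, so it deserves a mention in that comment. The function starts and ends outside both hunks.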
diff --git a/queue-4.9/module-set-__jump_table-alignment-to-8.patch b/queue-4.9/module-set-__jump_table-alignment-to-8.patch
new file mode 100644 (file)
index 0000000..74e3aa9
--- /dev/null
@@ -0,0 +1,44 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: David Daney <david.daney@cavium.com>
+Date: Wed, 1 Mar 2017 14:04:53 -0800
+Subject: module: set __jump_table alignment to 8
+
+From: David Daney <david.daney@cavium.com>
+
+
+[ Upstream commit ab42632156becd35d3884ee5c14da2bedbf3149a ]
+
+For powerpc the __jump_table section in modules is not aligned, this
+causes a WARN_ON() splat when loading a module containing a __jump_table.
+
+Strict alignment became necessary with commit 3821fd35b58d
+("jump_label: Reduce the size of struct static_key"), currently in
+linux-next, which uses the two least significant bits of pointers to
+__jump_table elements.
+
+Fix by forcing __jump_table to 8, which is the same alignment used for
+this section in the kernel proper.
+
+Link: http://lkml.kernel.org/r/20170301220453.4756-1-david.daney@cavium.com
+
+Reviewed-by: Jason Baron <jbaron@akamai.com>
+Acked-by: Jessica Yu <jeyu@redhat.com>
+Acked-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
+Tested-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
+Signed-off-by: David Daney <david.daney@cavium.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/module-common.lds |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/scripts/module-common.lds
++++ b/scripts/module-common.lds
+@@ -19,4 +19,6 @@ SECTIONS {
+       . = ALIGN(8);
+       .init_array             0 : { *(SORT(.init_array.*)) *(.init_array) }
++
++      __jump_table            0 : ALIGN(8) { KEEP(*(__jump_table)) }
+ }
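Review bot: The new output section states its alignment but not the reason, which is not obvious from the linker script alone: per the description, the two least significant bits of pointers to `__jump_table` elements are put to use. A comment above the line, `/* jump_label uses the low bits of pointers to entries, so entries must stay 8-byte aligned */`, would keep the `ALIGN(8)` from being relaxed later.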
diff --git a/queue-4.9/netfilter-don-t-track-fragmented-packets.patch b/queue-4.9/netfilter-don-t-track-fragmented-packets.patch
new file mode 100644 (file)
index 0000000..ebf11b9
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 3 Mar 2017 21:44:00 +0100
+Subject: netfilter: don't track fragmented packets
+
+From: Florian Westphal <fw@strlen.de>
+
+
+[ Upstream commit 7b4fdf77a450ec0fdcb2f677b080ddbf2c186544 ]
+
+Andrey reports syzkaller splat caused by
+
+NF_CT_ASSERT(!ip_is_fragment(ip_hdr(skb)));
+
+in ipv4 nat.  But this assertion (and the comment) are wrong, this function
+does see fragments when IP_NODEFRAG setsockopt is used.
+
+As conntrack doesn't track packets without complete l4 header, only the
+first fragment is tracked.
+
+Because applying nat to first packet but not the rest makes no sense this
+also turns off tracking of all fragments.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |    4 ++++
+ net/ipv4/netfilter/nf_nat_l3proto_ipv4.c       |    5 -----
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
++++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+@@ -158,6 +158,10 @@ static unsigned int ipv4_conntrack_local
+       if (skb->len < sizeof(struct iphdr) ||
+           ip_hdrlen(skb) < sizeof(struct iphdr))
+               return NF_ACCEPT;
++
++      if (ip_is_fragment(ip_hdr(skb))) /* IP_NODEFRAG setsockopt set */
++              return NF_ACCEPT;
++
+       return nf_conntrack_in(state->net, PF_INET, state->hook, skb);
+ }
+--- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
++++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
+@@ -255,11 +255,6 @@ nf_nat_ipv4_fn(void *priv, struct sk_buf
+       /* maniptype == SRC for postrouting. */
+       enum nf_nat_manip_type maniptype = HOOK2MANIP(state->hook);
+-      /* We never see fragments: conntrack defrags on pre-routing
+-       * and local-out, and nf_nat_out protects post-routing.
+-       */
+-      NF_CT_ASSERT(!ip_is_fragment(ip_hdr(skb)));
+-
+       ct = nf_ct_get(skb, &ctinfo);
+       /* Can't track?  It's not due to stress, or conntrack would
+        * have dropped it.  Hence it's the user's responsibilty to
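Review bot: The new early return in ipv4_conntrack_local (first embedded hunk, nf_conntrack_l3proto_ipv4.c) carries only the comment `/* IP_NODEFRAG setsockopt set */`, which does not say that these packets leave the host untracked. Per the commit message, fragments sent from an IP_NODEFRAG socket now bypass conntrack and NAT entirely, so rules that match on connection state will presumably not see them as part of any flow; that is worth stating where the decision is made. I would expand the comment to `/* Fragments reach here only with IP_NODEFRAG; conntrack needs a full L4 header, so leave every fragment untracked (and un-NATed) */`. The second embedded hunk, which drops the assertion in nf_nat_ipv4_fn, is cut off inside a comment, so the rest of that function is not visible here.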
diff --git a/queue-4.9/nfs-fix-a-typo-in-nfs_rename.patch b/queue-4.9/nfs-fix-a-typo-in-nfs_rename.patch
new file mode 100644 (file)
index 0000000..0bf2dc2
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Mon, 6 Nov 2017 15:28:04 -0500
+Subject: NFS: Fix a typo in nfs_rename()
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+
+[ Upstream commit d803224c84be067754db7fa58a93f36f61566493 ]
+
+On successful rename, the "old_dentry" is retained and is attached to
+the "new_dir", so we need to call nfs_set_verifier() accordingly.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/dir.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -2098,7 +2098,7 @@ out:
+               if (new_inode != NULL)
+                       nfs_drop_nlink(new_inode);
+               d_move(old_dentry, new_dentry);
+-              nfs_set_verifier(new_dentry,
++              nfs_set_verifier(old_dentry,
+                                       nfs_save_change_attribute(new_dir));
+       } else if (error == -ENOENT)
+               nfs_dentry_handle_enoent(old_dentry);
diff --git a/queue-4.9/powerpc-64-fix-checksum-folding-in-csum_add.patch b/queue-4.9/powerpc-64-fix-checksum-folding-in-csum_add.patch
new file mode 100644 (file)
index 0000000..9b58249
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Shile Zhang <shile.zhang@nokia.com>
+Date: Sat, 4 Feb 2017 17:03:40 +0800
+Subject: powerpc/64: Fix checksum folding in csum_add()
+
+From: Shile Zhang <shile.zhang@nokia.com>
+
+
+[ Upstream commit 6ad966d7303b70165228dba1ee8da1a05c10eefe ]
+
+Paul's patch to fix checksum folding, commit b492f7e4e07a ("powerpc/64:
+Fix checksum folding in csum_tcpudp_nofold and ip_fast_csum_nofold")
+missed a case in csum_add(). Fix it.
+
+Signed-off-by: Shile Zhang <shile.zhang@nokia.com>
+Acked-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/checksum.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/checksum.h
++++ b/arch/powerpc/include/asm/checksum.h
+@@ -100,7 +100,7 @@ static inline __wsum csum_add(__wsum csu
+ #ifdef __powerpc64__
+       res += (__force u64)addend;
+-      return (__force __wsum)((u32)res + (res >> 32));
++      return (__force __wsum) from64to32(res);
+ #else
+       asm("addc %0,%0,%1;"
+           "addze %0,%0;"
diff --git a/queue-4.9/powerpc-64-invalidate-process-table-caching-after-setting-process-table.patch b/queue-4.9/powerpc-64-invalidate-process-table-caching-after-setting-process-table.patch
new file mode 100644 (file)
index 0000000..cbeeeee
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Mon, 27 Feb 2017 14:32:41 +1100
+Subject: powerpc/64: Invalidate process table caching after setting process table
+
+From: Paul Mackerras <paulus@ozlabs.org>
+
+
+[ Upstream commit 7a70d7288c926ae88e0c773fbb506aa374e99c2d ]
+
+The POWER9 MMU reads and caches entries from the process table.
+When we kexec from one kernel to another, the second kernel sets
+its process table pointer but doesn't currently do anything to
+make the CPU invalidate any cached entries from the old process table.
+This adds a tlbie (TLB invalidate entry) instruction with parameters
+to invalidate caching of the process table after the new process
+table is installed.
+
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/mm/pgtable-radix.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/powerpc/mm/pgtable-radix.c
++++ b/arch/powerpc/mm/pgtable-radix.c
+@@ -173,6 +173,10 @@ redo:
+        */
+       register_process_table(__pa(process_tb), 0, PRTB_SIZE_SHIFT - 12);
+       pr_info("Process table %p and radix root for kernel: %p\n", process_tb, init_mm.pgd);
++      asm volatile("ptesync" : : : "memory");
++      asm volatile(PPC_TLBIE_5(%0,%1,2,1,1) : :
++                   "r" (TLBIEL_INVAL_SET_LPID), "r" (0));
++      asm volatile("eieio; tlbsync; ptesync" : : : "memory");
+ }
+ static void __init radix_init_partition_table(void)
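Review bot: The three added `asm volatile` statements in pgtable-radix.c have no comment, and the literal operands `2,1,1` passed to `PPC_TLBIE_5` are not explained at the call site. The reason is only in the commit message (process-table entries cached by the MMU surviving a kexec), so I would add `/* Flush process-table entries cached from a previous kernel (kexec) */` above the `ptesync` and say what the three literal fields select. The tlbie statement also omits the `"memory"` clobber that the `ptesync` and `tlbsync` statements around it carry; adding `: "memory"` would make the three consistent. The enclosing function starts outside the hunk.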
diff --git a/queue-4.9/powerpc-fix-compiling-a-be-kernel-with-a-powerpc64le-toolchain.patch b/queue-4.9/powerpc-fix-compiling-a-be-kernel-with-a-powerpc64le-toolchain.patch
new file mode 100644 (file)
index 0000000..5cbb95e
--- /dev/null
@@ -0,0 +1,61 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Sun, 27 Nov 2016 13:46:20 +1100
+Subject: powerpc: Fix compiling a BE kernel with a powerpc64le toolchain
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+
+[ Upstream commit 4dc831aa88132f835cefe876aa0206977c4d7710 ]
+
+GCC can compile with either endian, but the default ABI version is set
+based on the default endianness of the toolchain. Alan Modra says:
+
+  you need both -mbig and -mabi=elfv1 to make a powerpc64le gcc
+  generate powerpc64 code
+
+The opposite is true for powerpc64 when generating -mlittle it
+requires -mabi=elfv2 to generate v2 ABI, which we were already doing.
+
+This change adds ABI annotations together with endianness for all cases,
+LE and BE. This fixes the case of building a BE kernel with a toolchain
+that is LE by default.
+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Tested-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/Makefile |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/Makefile
++++ b/arch/powerpc/Makefile
+@@ -72,8 +72,15 @@ GNUTARGET   := powerpc
+ MULTIPLEWORD  := -mmultiple
+ endif
+-cflags-$(CONFIG_CPU_BIG_ENDIAN)               += $(call cc-option,-mbig-endian)
++ifdef CONFIG_PPC64
++cflags-$(CONFIG_CPU_BIG_ENDIAN)               += $(call cc-option,-mabi=elfv1)
++cflags-$(CONFIG_CPU_BIG_ENDIAN)               += $(call cc-option,-mcall-aixdesc)
++aflags-$(CONFIG_CPU_BIG_ENDIAN)               += $(call cc-option,-mabi=elfv1)
++aflags-$(CONFIG_CPU_LITTLE_ENDIAN)    += -mabi=elfv2
++endif
++
+ cflags-$(CONFIG_CPU_LITTLE_ENDIAN)    += -mlittle-endian
++cflags-$(CONFIG_CPU_BIG_ENDIAN)               += $(call cc-option,-mbig-endian)
+ ifneq ($(cc-name),clang)
+   cflags-$(CONFIG_CPU_LITTLE_ENDIAN)  += -mno-strict-align
+ endif
+@@ -113,7 +120,9 @@ ifeq ($(CONFIG_CPU_LITTLE_ENDIAN),y)
+ CFLAGS-$(CONFIG_PPC64)        += $(call cc-option,-mabi=elfv2,$(call cc-option,-mcall-aixdesc))
+ AFLAGS-$(CONFIG_PPC64)        += $(call cc-option,-mabi=elfv2)
+ else
++CFLAGS-$(CONFIG_PPC64)        += $(call cc-option,-mabi=elfv1)
+ CFLAGS-$(CONFIG_PPC64)        += $(call cc-option,-mcall-aixdesc)
++AFLAGS-$(CONFIG_PPC64)        += $(call cc-option,-mabi=elfv1)
+ endif
+ CFLAGS-$(CONFIG_PPC64)        += $(call cc-option,-mcmodel=medium,$(call cc-option,-mminimal-toc))
+ CFLAGS-$(CONFIG_PPC64)        += $(call cc-option,-mno-pointers-to-nested-functions)
diff --git a/queue-4.9/powerpc-powernv-ioda2-gracefully-fail-if-too-many-tce-levels-requested.patch b/queue-4.9/powerpc-powernv-ioda2-gracefully-fail-if-too-many-tce-levels-requested.patch
new file mode 100644 (file)
index 0000000..09142b8
--- /dev/null
@@ -0,0 +1,45 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Date: Wed, 22 Feb 2017 15:43:59 +1100
+Subject: powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested
+
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+
+
+[ Upstream commit 7aafac11e308d37ed3c509829bb43d80c1811ac3 ]
+
+The IODA2 specification says that a 64 DMA address cannot use top 4 bits
+(3 are reserved and one is a "TVE select"); bottom page_shift bits
+cannot be used for multilevel table addressing either.
+
+The existing IODA2 table allocation code aligns the minimum TCE table
+size to PAGE_SIZE so in the case of 64K system pages and 4K IOMMU pages,
+we have 64-4-12=48 bits. Since 64K page stores 8192 TCEs, i.e. needs
+13 bits, the maximum number of levels is 48/13 = 3 so we physically
+cannot address more and EEH happens on DMA accesses.
+
+This adds a check that too many levels were requested.
+
+It is still possible to have 5 levels in the case of 4K system page size.
+
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Acked-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/pci-ioda.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/powerpc/platforms/powernv/pci-ioda.c
++++ b/arch/powerpc/platforms/powernv/pci-ioda.c
+@@ -2623,6 +2623,9 @@ static long pnv_pci_ioda2_table_alloc_pa
+       level_shift = entries_shift + 3;
+       level_shift = max_t(unsigned, level_shift, PAGE_SHIFT);
++      if ((level_shift - 3) * levels + page_shift >= 60)
++              return -EINVAL;
++
+       /* Allocate TCE table */
+       addr = pnv_pci_ioda2_table_do_alloc_pages(nid, level_shift,
+                       levels, tce_table_size, &offset, &total_allocated);
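Review bot: The added guard `if ((level_shift - 3) * levels + page_shift >= 60)` in pnv_pci_ioda2_table_alloc_pages uses two bare constants whose meaning is only in the commit message. A comment such as `/* a 64-bit DMA address loses its top 4 bits (3 reserved + TVE select), leaving 60 for page offset and table indexes */` would let a reader check the bound without the changelog; the `3` is presumably log2 of the 8-byte TCE size, as in `entries_shift + 3` above. If `levels` is not range-checked earlier in the function, which begins outside the hunk, the multiplication could wrap before the comparison, so it is worth confirming that earlier validation bounds it.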
diff --git a/queue-4.9/rdma-cxgb4-annotate-r2-and-stag-as-__be32.patch b/queue-4.9/rdma-cxgb4-annotate-r2-and-stag-as-__be32.patch
new file mode 100644 (file)
index 0000000..613785f
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Leon Romanovsky <leon@kernel.org>
+Date: Wed, 25 Oct 2017 23:10:19 +0300
+Subject: RDMA/cxgb4: Annotate r2 and stag as __be32
+
+From: Leon Romanovsky <leon@kernel.org>
+
+
+[ Upstream commit 7d7d065a5eec7e218174d5c64a9f53f99ffdb119 ]
+
+Chelsio cxgb4 HW is big-endian, hence there is need to properly
+annotate r2 and stag fields as __be32 and not __u32 to fix the
+following sparse warnings.
+
+  drivers/infiniband/hw/cxgb4/qp.c:614:16:
+    warning: incorrect type in assignment (different base types)
+      expected unsigned int [unsigned] [usertype] r2
+      got restricted __be32 [usertype] <noident>
+  drivers/infiniband/hw/cxgb4/qp.c:615:18:
+    warning: incorrect type in assignment (different base types)
+      expected unsigned int [unsigned] [usertype] stag
+      got restricted __be32 [usertype] <noident>
+
+Cc: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Reviewed-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/cxgb4/t4fw_ri_api.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/cxgb4/t4fw_ri_api.h
++++ b/drivers/infiniband/hw/cxgb4/t4fw_ri_api.h
+@@ -675,8 +675,8 @@ struct fw_ri_fr_nsmr_tpte_wr {
+       __u16  wrid;
+       __u8   r1[3];
+       __u8   len16;
+-      __u32  r2;
+-      __u32  stag;
++      __be32  r2;
++      __be32  stag;
+       struct fw_ri_tpte tpte;
+       __u64  pbl[2];
+ };
diff --git a/queue-4.9/rds-tcp-sequence-teardown-of-listen-and-acceptor-sockets-to-avoid-races.patch b/queue-4.9/rds-tcp-sequence-teardown-of-listen-and-acceptor-sockets-to-avoid-races.patch
new file mode 100644 (file)
index 0000000..3e0db76
--- /dev/null
@@ -0,0 +1,140 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Date: Sat, 4 Mar 2017 08:57:35 -0800
+Subject: rds: tcp: Sequence teardown of listen and acceptor sockets to avoid races
+
+From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+
+
+[ Upstream commit b21dd4506b71bdb9c5a20e759255cd2513ea7ebe ]
+
+Commit a93d01f5777e ("RDS: TCP: avoid bad page reference in
+rds_tcp_listen_data_ready") added the function
+rds_tcp_listen_sock_def_readable()  to handle the case when a
+partially set-up acceptor socket drops into rds_tcp_listen_data_ready().
+However, if the listen socket (rtn->rds_tcp_listen_sock) is itself going
+through a tear-down via rds_tcp_listen_stop(), the (*ready)() will be
+null and we would hit a panic  of the form
+  BUG: unable to handle kernel NULL pointer dereference at   (null)
+  IP:           (null)
+   :
+  ? rds_tcp_listen_data_ready+0x59/0xb0 [rds_tcp]
+  tcp_data_queue+0x39d/0x5b0
+  tcp_rcv_established+0x2e5/0x660
+  tcp_v4_do_rcv+0x122/0x220
+  tcp_v4_rcv+0x8b7/0x980
+    :
+In the above case, it is not fatal to encounter a NULL value for
+ready- we should just drop the packet and let the flush of the
+acceptor thread finish gracefully.
+
+In general, the tear-down sequence for listen() and accept() socket
+that is ensured by this commit is:
+     rtn->rds_tcp_listen_sock = NULL; /* prevent any new accepts */
+     In rds_tcp_listen_stop():
+         serialize with, and prevent, further callbacks using lock_sock()
+         flush rds_wq
+         flush acceptor workq
+         sock_release(listen socket)
+
+Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/tcp.c        |   15 ++++++++++-----
+ net/rds/tcp.h        |    2 +-
+ net/rds/tcp_listen.c |    9 +++++++--
+ 3 files changed, 18 insertions(+), 8 deletions(-)
+
+--- a/net/rds/tcp.c
++++ b/net/rds/tcp.c
+@@ -478,9 +478,10 @@ static void __net_exit rds_tcp_exit_net(
+        * we do need to clean up the listen socket here.
+        */
+       if (rtn->rds_tcp_listen_sock) {
+-              rds_tcp_listen_stop(rtn->rds_tcp_listen_sock);
++              struct socket *lsock = rtn->rds_tcp_listen_sock;
++
+               rtn->rds_tcp_listen_sock = NULL;
+-              flush_work(&rtn->rds_tcp_accept_w);
++              rds_tcp_listen_stop(lsock, &rtn->rds_tcp_accept_w);
+       }
+ }
+@@ -517,10 +518,10 @@ static void rds_tcp_kill_sock(struct net
+       struct rds_tcp_connection *tc, *_tc;
+       LIST_HEAD(tmp_list);
+       struct rds_tcp_net *rtn = net_generic(net, rds_tcp_netid);
++      struct socket *lsock = rtn->rds_tcp_listen_sock;
+-      rds_tcp_listen_stop(rtn->rds_tcp_listen_sock);
+       rtn->rds_tcp_listen_sock = NULL;
+-      flush_work(&rtn->rds_tcp_accept_w);
++      rds_tcp_listen_stop(lsock, &rtn->rds_tcp_accept_w);
+       spin_lock_irq(&rds_tcp_conn_lock);
+       list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node) {
+               struct net *c_net = read_pnet(&tc->t_cpath->cp_conn->c_net);
+@@ -540,8 +541,12 @@ static void rds_tcp_kill_sock(struct net
+ void *rds_tcp_listen_sock_def_readable(struct net *net)
+ {
+       struct rds_tcp_net *rtn = net_generic(net, rds_tcp_netid);
++      struct socket *lsock = rtn->rds_tcp_listen_sock;
++
++      if (!lsock)
++              return NULL;
+-      return rtn->rds_tcp_listen_sock->sk->sk_user_data;
++      return lsock->sk->sk_user_data;
+ }
+ static int rds_tcp_dev_event(struct notifier_block *this,
+--- a/net/rds/tcp.h
++++ b/net/rds/tcp.h
+@@ -66,7 +66,7 @@ void rds_tcp_state_change(struct sock *s
+ /* tcp_listen.c */
+ struct socket *rds_tcp_listen_init(struct net *);
+-void rds_tcp_listen_stop(struct socket *);
++void rds_tcp_listen_stop(struct socket *sock, struct work_struct *acceptor);
+ void rds_tcp_listen_data_ready(struct sock *sk);
+ int rds_tcp_accept_one(struct socket *sock);
+ int rds_tcp_keepalive(struct socket *sock);
+--- a/net/rds/tcp_listen.c
++++ b/net/rds/tcp_listen.c
+@@ -227,6 +227,9 @@ void rds_tcp_listen_data_ready(struct so
+        * before it has been accepted and the accepter has set up their
+        * data_ready.. we only want to queue listen work for our listening
+        * socket
++       *
++       * (*ready)() may be null if we are racing with netns delete, and
++       * the listen socket is being torn down.
+        */
+       if (sk->sk_state == TCP_LISTEN)
+               rds_tcp_accept_work(sk);
+@@ -235,7 +238,8 @@ void rds_tcp_listen_data_ready(struct so
+ out:
+       read_unlock_bh(&sk->sk_callback_lock);
+-      ready(sk);
++      if (ready)
++              ready(sk);
+ }
+ struct socket *rds_tcp_listen_init(struct net *net)
+@@ -275,7 +279,7 @@ out:
+       return NULL;
+ }
+-void rds_tcp_listen_stop(struct socket *sock)
++void rds_tcp_listen_stop(struct socket *sock, struct work_struct *acceptor)
+ {
+       struct sock *sk;
+@@ -296,5 +300,6 @@ void rds_tcp_listen_stop(struct socket *
+       /* wait for accepts to stop and close the socket */
+       flush_workqueue(rds_wq);
++      flush_work(acceptor);
+       sock_release(sock);
+ }
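Review bot: In rds_tcp_listen_sock_def_readable (net/rds/tcp.c, third embedded hunk) the new `lsock` local is filled by a plain load of `rtn->rds_tcp_listen_sock`, while rds_tcp_exit_net and rds_tcp_kill_sock store NULL to the same field on the teardown path with no lock visible in these hunks. The NULL check only helps if the pointer is read exactly once, so I would write `struct socket *lsock = READ_ONCE(rtn->rds_tcp_listen_sock);` and consider `WRITE_ONCE` for the two stores. A non-NULL `lsock` is still dereferenced after the check; the commit message relies on lock_sock() and the workqueue flushes in rds_tcp_listen_stop() to keep the socket alive until callbacks finish. A short comment saying so at this function would help, since most of that code is outside the hunks.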
diff --git a/queue-4.9/revert-drm-armada-fix-compile-fail.patch b/queue-4.9/revert-drm-armada-fix-compile-fail.patch
new file mode 100644 (file)
index 0000000..204520b
--- /dev/null
@@ -0,0 +1,26 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Sasha Levin <alexander.levin@verizon.com>
+Date: Thu, 7 Dec 2017 23:21:06 -0500
+Subject: Revert "drm/armada: Fix compile fail"
+
+From: Sasha Levin <alexander.levin@verizon.com>
+
+
+This reverts commit 82f260d472c3b4dbb7324624e395c3e91f73a040.
+
+Not required on < 4.10.
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/armada/Makefile |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/gpu/drm/armada/Makefile
++++ b/drivers/gpu/drm/armada/Makefile
+@@ -4,5 +4,3 @@ armada-y       += armada_510.o
+ armada-$(CONFIG_DEBUG_FS) += armada_debugfs.o
+ obj-$(CONFIG_DRM_ARMADA) := armada.o
+-
+-CFLAGS_armada_trace.o := -I$(src)
diff --git a/queue-4.9/revert-spi-spi_fsl_dspi-should-depend-on-has_dma.patch b/queue-4.9/revert-spi-spi_fsl_dspi-should-depend-on-has_dma.patch
new file mode 100644 (file)
index 0000000..6f2c93e
--- /dev/null
@@ -0,0 +1,28 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Sasha Levin <alexander.levin@verizon.com>
+Date: Thu, 7 Dec 2017 23:23:42 -0500
+Subject: Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA"
+
+From: Sasha Levin <alexander.levin@verizon.com>
+
+
+This reverts commit dadab2d4e3cf708ceba22ecddd94aedfecb39199.
+
+Not required on < 4.10.
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/Kconfig |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/spi/Kconfig
++++ b/drivers/spi/Kconfig
+@@ -365,7 +365,6 @@ config SPI_FSL_SPI
+ config SPI_FSL_DSPI
+       tristate "Freescale DSPI controller"
+       select REGMAP_MMIO
+-      depends on HAS_DMA
+       depends on SOC_VF610 || SOC_LS1021A || ARCH_LAYERSCAPE || COMPILE_TEST
+       help
+         This enables support for the Freescale DSPI controller in master
diff --git a/queue-4.9/route-also-update-fnhe_genid-when-updating-a-route-cache.patch b/queue-4.9/route-also-update-fnhe_genid-when-updating-a-route-cache.patch
new file mode 100644 (file)
index 0000000..0555f5d
--- /dev/null
@@ -0,0 +1,64 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Fri, 17 Nov 2017 14:27:18 +0800
+Subject: route: also update fnhe_genid when updating a route cache
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit cebe84c6190d741045a322f5343f717139993c08 ]
+
+Now when ip route flush cache and it turn out all fnhe_genid != genid.
+If a redirect/pmtu icmp packet comes and the old fnhe is found and all
+it's members but fnhe_genid will be updated.
+
+Then next time when it looks up route and tries to rebind this fnhe to
+the new dst, the fnhe will be flushed due to fnhe_genid != genid. It
+causes this redirect/pmtu icmp packet acutally not to be applied.
+
+This patch is to also reset fnhe_genid when updating a route cache.
+
+Fixes: 5aad1de5ea2c ("ipv4: use separate genid for next hop exceptions")
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -630,9 +630,12 @@ static void update_or_create_fnhe(struct
+       struct fnhe_hash_bucket *hash;
+       struct fib_nh_exception *fnhe;
+       struct rtable *rt;
++      u32 genid, hval;
+       unsigned int i;
+       int depth;
+-      u32 hval = fnhe_hashfun(daddr);
++
++      genid = fnhe_genid(dev_net(nh->nh_dev));
++      hval = fnhe_hashfun(daddr);
+       spin_lock_bh(&fnhe_lock);
+@@ -655,6 +658,8 @@ static void update_or_create_fnhe(struct
+       }
+       if (fnhe) {
++              if (fnhe->fnhe_genid != genid)
++                      fnhe->fnhe_genid = genid;
+               if (gw)
+                       fnhe->fnhe_gw = gw;
+               if (pmtu) {
+@@ -679,7 +684,7 @@ static void update_or_create_fnhe(struct
+                       fnhe->fnhe_next = hash->chain;
+                       rcu_assign_pointer(hash->chain, fnhe);
+               }
+-              fnhe->fnhe_genid = fnhe_genid(dev_net(nh->nh_dev));
++              fnhe->fnhe_genid = genid;
+               fnhe->fnhe_daddr = daddr;
+               fnhe->fnhe_gw = gw;
+               fnhe->fnhe_pmtu = pmtu;
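Review bot: The added `if (fnhe->fnhe_genid != genid) fnhe->fnhe_genid = genid;` in update_or_create_fnhe has no comment, and it revalidates an exception that a cache flush had marked stale while overwriting only the fields this call supplies. When just `gw` or just `pmtu` is passed, the other value stored before the flush stays in the entry and becomes current again, which may not be intended for state learned from ICMP redirect or PMTU messages. I would at least add `/* flushed entry: adopt the current genid so this update survives the next lookup */`, and confirm whether the fields not supplied here should be reset on a mismatch. The code that discards stale entries is outside the hunk.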
diff --git a/queue-4.9/route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch b/queue-4.9/route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch
new file mode 100644 (file)
index 0000000..c6fb97a
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Fri, 17 Nov 2017 14:27:06 +0800
+Subject: route: update fnhe_expires for redirect when the fnhe exists
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit e39d5246111399dbc6e11cd39fd8580191b86c47 ]
+
+Now when creating fnhe for redirect, it sets fnhe_expires for this
+new route cache. But when updating the exist one, it doesn't do it.
+It will cause this fnhe never to be expired.
+
+Paolo already noticed it before, in Jianlin's test case, it became
+even worse:
+
+When ip route flush cache, the old fnhe is not to be removed, but
+only clean it's members. When redirect comes again, this fnhe will
+be found and updated, but never be expired due to fnhe_expires not
+being set.
+
+So fix it by simply updating fnhe_expires even it's for redirect.
+
+Fixes: aee06da6726d ("ipv4: use seqlock for nh_exceptions")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -662,10 +662,9 @@ static void update_or_create_fnhe(struct
+                       fnhe->fnhe_genid = genid;
+               if (gw)
+                       fnhe->fnhe_gw = gw;
+-              if (pmtu) {
++              if (pmtu)
+                       fnhe->fnhe_pmtu = pmtu;
+-                      fnhe->fnhe_expires = max(1UL, expires);
+-              }
++              fnhe->fnhe_expires = max(1UL, expires);
+               /* Update all cached dsts too */
+               rt = rcu_dereference(fnhe->fnhe_rth_input);
+               if (rt)
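Review bot: With `fnhe->fnhe_expires = max(1UL, expires);` now unconditional, a redirect-only update (`pmtu` zero) rewrites the expiry of an entry whose `fnhe_pmtu` is left as it was. The single expiry field therefore covers both the gateway and any previously learned PMTU, so a later redirect can lengthen or shorten how long that PMTU value stays in effect, depending on what the caller passes as `expires`. If that is accepted, a comment such as `/* one expiry for gw and pmtu: any update restarts the timer for both */` would record it. The function begins and continues outside the hunk.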
diff --git a/queue-4.9/sched-fair-make-select_idle_cpu-more-aggressive.patch b/queue-4.9/sched-fair-make-select_idle_cpu-more-aggressive.patch
new file mode 100644 (file)
index 0000000..400bcf9
--- /dev/null
@@ -0,0 +1,68 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 1 Mar 2017 11:24:35 +0100
+Subject: sched/fair: Make select_idle_cpu() more aggressive
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+
+[ Upstream commit 4c77b18cf8b7ab37c7d5737b4609010d2ceec5f0 ]
+
+Kitsunyan reported desktop latency issues on his Celeron 887 because
+of commit:
+
+  1b568f0aabf2 ("sched/core: Optimize SCHED_SMT")
+
+... even though his CPU doesn't do SMT.
+
+The effect of running the SMT code on a !SMT part is basically a more
+aggressive select_idle_cpu(). Removing the avg condition fixed things
+for him.
+
+I also know FB likes this test gone, even though other workloads like
+having it.
+
+For now, take it out by default, until we get a better idea.
+
+Reported-by: kitsunyan <kitsunyan@inbox.ru>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Chris Mason <clm@fb.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Mike Galbraith <umgwanakikbuti@gmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/fair.c     |    2 +-
+ kernel/sched/features.h |    5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -5451,7 +5451,7 @@ static int select_idle_cpu(struct task_s
+        * Due to large variance we need a large fuzz factor; hackbench in
+        * particularly is sensitive here.
+        */
+-      if ((avg_idle / 512) < avg_cost)
++      if (sched_feat(SIS_AVG_CPU) && (avg_idle / 512) < avg_cost)
+               return -1;
+       time = local_clock();
+--- a/kernel/sched/features.h
++++ b/kernel/sched/features.h
+@@ -51,6 +51,11 @@ SCHED_FEAT(NONTASK_CAPACITY, true)
+  */
+ SCHED_FEAT(TTWU_QUEUE, true)
++/*
++ * When doing wakeups, attempt to limit superfluous scans of the LLC domain.
++ */
++SCHED_FEAT(SIS_AVG_CPU, false)
++
+ #ifdef HAVE_RT_PUSH_IPI
+ /*
+  * In order to avoid a thundering herd attack of CPUs that are
diff --git a/queue-4.9/scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch b/queue-4.9/scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch
new file mode 100644 (file)
index 0000000..ef66eb2
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: James Smart <jsmart2021@gmail.com>
+Date: Sat, 4 Mar 2017 09:30:25 -0800
+Subject: scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters
+
+From: James Smart <jsmart2021@gmail.com>
+
+
+[ Upstream commit 5d181531bc6169e19a02a27d202cf0e982db9d0e ]
+
+if REG_VPI fails, the driver was incorrectly issuing INIT_VFI
+(a SLI4 command) on a SLI3 adapter.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_els.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -8185,11 +8185,17 @@ lpfc_cmpl_reg_new_vport(struct lpfc_hba
+                       spin_lock_irq(shost->host_lock);
+                       vport->fc_flag |= FC_VPORT_NEEDS_REG_VPI;
+                       spin_unlock_irq(shost->host_lock);
+-                      if (vport->port_type == LPFC_PHYSICAL_PORT
+-                              && !(vport->fc_flag & FC_LOGO_RCVD_DID_CHNG))
+-                              lpfc_issue_init_vfi(vport);
+-                      else
++                      if (mb->mbxStatus == MBX_NOT_FINISHED)
++                              break;
++                      if ((vport->port_type == LPFC_PHYSICAL_PORT) &&
++                          !(vport->fc_flag & FC_LOGO_RCVD_DID_CHNG)) {
++                              if (phba->sli_rev == LPFC_SLI_REV4)
++                                      lpfc_issue_init_vfi(vport);
++                              else
++                                      lpfc_initial_flogi(vport);
++                      } else {
+                               lpfc_initial_fdisc(vport);
++                      }
+                       break;
+               }
+       } else {
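Review bot: The added `if (mb->mbxStatus == MBX_NOT_FINISHED) break;` in lpfc_cmpl_reg_new_vport is not mentioned in the commit message and has no comment, yet it leaves the vport with FC_VPORT_NEEDS_REG_VPI set and issues none of INIT_VFI, FLOGI or FDISC. A reader cannot tell from the hunk what retries the registration in that case, so I would add a comment above the check naming the path that does, for example `/* mailbox was never issued; <retry path> re-registers the VPI */` with the placeholder replaced by the real function. The surrounding switch starts outside the hunk.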
diff --git a/queue-4.9/scsi-qla2xxx-fix-ql_dump_buffer.patch b/queue-4.9/scsi-qla2xxx-fix-ql_dump_buffer.patch
new file mode 100644 (file)
index 0000000..f392969
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Joe Perches <joe@perches.com>
+Date: Thu, 2 Mar 2017 17:14:47 -0800
+Subject: scsi: qla2xxx: Fix ql_dump_buffer
+
+From: Joe Perches <joe@perches.com>
+
+
+[ Upstream commit 23456565acf6d452e0368f7380aecd584c019c67 ]
+
+Recent printk changes for KERN_CONT cause this logging to be defectively
+emitted on multiple lines.  Fix it.
+
+Also reduces object size a trivial amount.
+
+$ size drivers/scsi/qla2xxx/qla_dbg.o*
+   text           data     bss     dec     hex filename
+  39125              0       0   39125    98d5 drivers/scsi/qla2xxx/qla_dbg.o.new
+  39164              0       0   39164    98fc drivers/scsi/qla2xxx/qla_dbg.o.old
+
+Signed-off-by: Joe Perches <joe@perches.com>
+Acked-by: Himanshu Madhani <himanshu.madhani@cavium.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_dbg.c |   12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_dbg.c
++++ b/drivers/scsi/qla2xxx/qla_dbg.c
+@@ -2707,13 +2707,9 @@ ql_dump_buffer(uint32_t level, scsi_qla_
+           "%-+5d  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F\n", size);
+       ql_dbg(level, vha, id,
+           "----- -----------------------------------------------\n");
+-      for (cnt = 0; cnt < size; cnt++, buf++) {
+-              if (cnt % 16 == 0)
+-                      ql_dbg(level, vha, id, "%04x:", cnt & ~0xFU);
+-              printk(" %02x", *buf);
+-              if (cnt % 16 == 15)
+-                      printk("\n");
++      for (cnt = 0; cnt < size; cnt += 16) {
++              ql_dbg(level, vha, id, "%04x: ", cnt);
++              print_hex_dump(KERN_CONT, "", DUMP_PREFIX_NONE, 16, 1,
++                             buf + cnt, min(16U, size - cnt), false);
+       }
+-      if (cnt % 16 != 0)
+-              printk("\n");
+ }
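Review bot: Each row in the new loop is still produced by two separate log calls, `ql_dbg(level, vha, id, "%04x: ", cnt)` followed by `print_hex_dump(KERN_CONT, ...)`, so a message logged from another context in between can still split the offset from its bytes. Formatting the row first and emitting it once removes the dependency on KERN_CONT: `char row[16 * 3 + 1];`, `hex_dump_to_buffer(buf + cnt, min(16U, size - cnt), 16, 1, row, sizeof(row), false);`, `ql_dbg(level, vha, id, "%04x: %s\n", cnt, row);`. That would also put the bytes behind the same level filter as the prefix, assuming ql_dbg is what applies the filter. The top of ql_dump_buffer() is outside this hunk, so any earlier level check is not visible here.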
diff --git a/queue-4.9/sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch b/queue-4.9/sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch
new file mode 100644 (file)
index 0000000..16f48e7
--- /dev/null
@@ -0,0 +1,79 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Wed, 15 Nov 2017 16:55:54 +0800
+Subject: sctp: do not free asoc when it is already dead in sctp_sendmsg
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit ca3af4dd28cff4e7216e213ba3b671fbf9f84758 ]
+
+Now in sctp_sendmsg sctp_wait_for_sndbuf could schedule out without
+holding sock sk. It means the current asoc can be freed elsewhere,
+like when receiving an abort packet.
+
+If the asoc is just created in sctp_sendmsg and sctp_wait_for_sndbuf
+returns err, the asoc will be freed again due to new_asoc is not nil.
+An use-after-free issue would be triggered by this.
+
+This patch is to fix it by setting new_asoc with nil if the asoc is
+already dead when cpu schedules back, so that it will not be freed
+again in sctp_sendmsg.
+
+v1->v2:
+  set new_asoc as nil in sctp_sendmsg instead of sctp_wait_for_sndbuf.
+
+Suggested-by: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c |   17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1958,8 +1958,14 @@ static int sctp_sendmsg(struct sock *sk,
+       timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
+       if (!sctp_wspace(asoc)) {
+               err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
+-              if (err)
++              if (err) {
++                      if (err == -ESRCH) {
++                              /* asoc is already dead. */
++                              new_asoc = NULL;
++                              err = -EPIPE;
++                      }
+                       goto out_free;
++              }
+       }
+       /* If an address is passed with the sendto/sendmsg call, it is used
+@@ -7457,10 +7463,11 @@ static int sctp_wait_for_sndbuf(struct s
+       for (;;) {
+               prepare_to_wait_exclusive(&asoc->wait, &wait,
+                                         TASK_INTERRUPTIBLE);
++              if (asoc->base.dead)
++                      goto do_dead;
+               if (!*timeo_p)
+                       goto do_nonblock;
+-              if (sk->sk_err || asoc->state >= SCTP_STATE_SHUTDOWN_PENDING ||
+-                  asoc->base.dead)
++              if (sk->sk_err || asoc->state >= SCTP_STATE_SHUTDOWN_PENDING)
+                       goto do_error;
+               if (signal_pending(current))
+                       goto do_interrupted;
+@@ -7485,6 +7492,10 @@ out:
+       return err;
++do_dead:
++      err = -ESRCH;
++      goto out;
++
+ do_error:
+       err = -EPIPE;
+       goto out;
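Review bot: `-ESRCH` is used as a private signal between sctp_wait_for_sndbuf() and sctp_sendmsg(), and neither side documents that contract. At the caller, the comment `/* asoc is already dead. */` should explain the consequence, e.g. `/* asoc was freed elsewhere while we slept; clear new_asoc so out_free does not free it again */`. At `do_dead:` a line such as `/* -ESRCH is internal: the caller maps it to -EPIPE */` would help. Any other caller of sctp_wait_for_sndbuf() would pass -ESRCH through to user space, so it is worth confirming sctp_sendmsg() is the only one; that is not visible in these hunks. Both functions extend beyond the hunks shown.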
diff --git a/queue-4.9/sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch b/queue-4.9/sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch
new file mode 100644 (file)
index 0000000..a56f897
--- /dev/null
@@ -0,0 +1,104 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Wed, 15 Nov 2017 16:57:26 +0800
+Subject: sctp: use the right sk after waking up from wait_buf sleep
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit cea0cc80a6777beb6eb643d4ad53690e1ad1d4ff ]
+
+Commit dfcb9f4f99f1 ("sctp: deny peeloff operation on asocs with threads
+sleeping on it") fixed the race between peeloff and wait sndbuf by
+checking waitqueue_active(&asoc->wait) in sctp_do_peeloff().
+
+But it actually doesn't work, as even if waitqueue_active returns false
+the waiting sndbuf thread may still not yet hold sk lock. After asoc is
+peeled off, sk is not asoc->base.sk any more, then to hold the old sk
+lock couldn't make assoc safe to access.
+
+This patch is to fix this by changing to hold the new sk lock if sk is
+not asoc->base.sk, meanwhile, also set the sk in sctp_sendmsg with the
+new sk.
+
+With this fix, there is no more race between peeloff and waitbuf, the
+check 'waitqueue_active' in sctp_do_peeloff can be removed.
+
+Thanks Marcelo and Neil for making this clear.
+
+v1->v2:
+  fix it by changing to lock the new sock instead of adding a flag in asoc.
+
+Suggested-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c |   21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -82,8 +82,8 @@
+ /* Forward declarations for internal helper functions. */
+ static int sctp_writeable(struct sock *sk);
+ static void sctp_wfree(struct sk_buff *skb);
+-static int sctp_wait_for_sndbuf(struct sctp_association *, long *timeo_p,
+-                              size_t msg_len);
++static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
++                              size_t msg_len, struct sock **orig_sk);
+ static int sctp_wait_for_packet(struct sock *sk, int *err, long *timeo_p);
+ static int sctp_wait_for_connect(struct sctp_association *, long *timeo_p);
+ static int sctp_wait_for_accept(struct sock *sk, long timeo);
+@@ -1957,7 +1957,8 @@ static int sctp_sendmsg(struct sock *sk,
+       timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
+       if (!sctp_wspace(asoc)) {
+-              err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
++              /* sk can be changed by peel off when waiting for buf. */
++              err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len, &sk);
+               if (err) {
+                       if (err == -ESRCH) {
+                               /* asoc is already dead. */
+@@ -4777,12 +4778,6 @@ int sctp_do_peeloff(struct sock *sk, sct
+       if (!asoc)
+               return -EINVAL;
+-      /* If there is a thread waiting on more sndbuf space for
+-       * sending on this asoc, it cannot be peeled.
+-       */
+-      if (waitqueue_active(&asoc->wait))
+-              return -EBUSY;
+-
+       /* An association cannot be branched off from an already peeled-off
+        * socket, nor is this supported for tcp style sockets.
+        */
+@@ -7446,7 +7441,7 @@ void sctp_sock_rfree(struct sk_buff *skb
+ /* Helper function to wait for space in the sndbuf.  */
+ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+-                              size_t msg_len)
++                              size_t msg_len, struct sock **orig_sk)
+ {
+       struct sock *sk = asoc->base.sk;
+       int err = 0;
+@@ -7480,11 +7475,17 @@ static int sctp_wait_for_sndbuf(struct s
+               release_sock(sk);
+               current_timeo = schedule_timeout(current_timeo);
+               lock_sock(sk);
++              if (sk != asoc->base.sk) {
++                      release_sock(sk);
++                      sk = asoc->base.sk;
++                      lock_sock(sk);
++              }
+               *timeo_p = current_timeo;
+       }
+ out:
++      *orig_sk = sk;
+       finish_wait(&asoc->wait, &wait);
+       /* Release the association's refcnt.  */
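Review bot: After `sctp_wait_for_sndbuf(asoc, &timeo, msg_len, &sk)` returns, sctp_sendmsg() continues with a possibly different `sk`, but anything it derived from the original socket before the wait is left unchanged. The start of sctp_sendmsg() is outside this hunk, so I cannot tell whether such values exist (an endpoint or per-socket pointer cached in a local, for instance); if they do, the rest of the send path would mix state from two sockets. With the `waitqueue_active()` check removed from sctp_do_peeloff(), the re-lock is the only guard left, so the `if (sk != asoc->base.sk)` block deserves a comment such as `/* asoc was peeled off while we slept: switch to, and return holding, the new socket's lock */`. Returning an error in the peeled-off case, instead of handing a different socket back through `*orig_sk`, would be simpler to reason about.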
diff --git a/queue-4.9/selftest-powerpc-fix-false-failures-for-skipped-tests.patch b/queue-4.9/selftest-powerpc-fix-false-failures-for-skipped-tests.patch
new file mode 100644 (file)
index 0000000..4329456
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Sachin Sant <sachinp@linux.vnet.ibm.com>
+Date: Sun, 26 Feb 2017 11:38:39 +0530
+Subject: selftest/powerpc: Fix false failures for skipped tests
+
+From: Sachin Sant <sachinp@linux.vnet.ibm.com>
+
+
+[ Upstream commit a6d8a21596df041f36f4c2ccc260c459e3e851f1 ]
+
+Tests under alignment subdirectory are skipped when executed on previous
+generation hardware, but harness still marks them as failed.
+
+  test: test_copy_unaligned
+  tags: git_version:unknown
+  [SKIP] Test skipped on line 26
+  skip: test_copy_unaligned
+  selftests: copy_unaligned [FAIL]
+
+The MAGIC_SKIP_RETURN_VALUE value assigned to rc variable is retained till
+the program exit which causes the test to be marked as failed.
+
+This patch resets the value before returning to the main() routine.
+With this patch the test o/p is as follows:
+
+  test: test_copy_unaligned
+  tags: git_version:unknown
+  [SKIP] Test skipped on line 26
+  skip: test_copy_unaligned
+  selftests: copy_unaligned [PASS]
+
+Signed-off-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/powerpc/harness.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/powerpc/harness.c
++++ b/tools/testing/selftests/powerpc/harness.c
+@@ -114,9 +114,11 @@ int test_harness(int (test_function)(voi
+       rc = run_test(test_function, name);
+-      if (rc == MAGIC_SKIP_RETURN_VALUE)
++      if (rc == MAGIC_SKIP_RETURN_VALUE) {
+               test_skip(name);
+-      else
++              /* so that skipped test is not marked as failed */
++              rc = 0;
++      } else
+               test_finish(name, rc);
+       return rc;
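Review bot: Setting `rc = 0` on the skip path makes a skipped test indistinguishable from a passing one to whatever calls test_harness(), as the `[PASS]` line in the commit message's sample output shows. That hides lost coverage on hardware where the test cannot run. The comment should state the trade-off, e.g. `/* report skip as success to the caller; the skip is only visible in the log */`. The `else` branch should also get braces to match the now-braced `if` (`} else {` ... `}`). test_harness() begins and ends outside the hunk.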
index 64521a9f5eb492aebca2b26b5b374049799d4a29..770301fc03a02ba4a2db5c85be2f10996e37b48d 100644 (file)
@@ -59,3 +59,90 @@ arm-avoid-faulting-on-qemu.patch
 thp-reduce-indentation-level-in-change_huge_pmd.patch
 thp-fix-madv_dontneed-vs.-numa-balancing-race.patch
 mm-drop-unused-pmdp_huge_get_and_clear_notify.patch
+revert-drm-armada-fix-compile-fail.patch
+revert-spi-spi_fsl_dspi-should-depend-on-has_dma.patch
+arm-8657-1-uaccess-consistently-check-object-sizes.patch
+vti6-don-t-report-path-mtu-below-ipv6_min_mtu.patch
+arm-omap2-gpmc-onenand-propagate-error-on-initialization-failure.patch
+x86-selftests-add-clobbers-for-int80-on-x86_64.patch
+x86-platform-uv-bau-fix-hub-errors-by-remove-initial-write-to-sw-ack-register.patch
+sched-fair-make-select_idle_cpu-more-aggressive.patch
+x86-hpet-prevent-might-sleep-splat-on-resume.patch
+powerpc-64-invalidate-process-table-caching-after-setting-process-table.patch
+selftest-powerpc-fix-false-failures-for-skipped-tests.patch
+powerpc-fix-compiling-a-be-kernel-with-a-powerpc64le-toolchain.patch
+lirc-fix-dead-lock-between-open-and-wakeup_filter.patch
+module-set-__jump_table-alignment-to-8.patch
+powerpc-64-fix-checksum-folding-in-csum_add.patch
+arm-omap2-fix-device-node-reference-counts.patch
+arm-omap2-release-device-node-after-it-is-no-longer-needed.patch
+asoc-rcar-avoid-ssi_modex-settings-for-ssi8.patch
+gpio-altera-use-handle_level_irq-when-configured-as-a-level_high.patch
+hid-chicony-add-support-for-another-asus-zen-aio-keyboard.patch
+usb-gadget-configs-plug-memory-leak.patch
+usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch
+usb-dwc3-gadget-fix-system-suspend-resume-on-ti-platforms.patch
+usb-gadget-pxa27x-test-for-a-valid-argument-pointer.patch
+usb-gadget-udc-net2280-fix-tmp-reusage-in-net2280-driver.patch
+kvm-nvmx-vmclear-should-not-cause-the-vcpu-to-shut-down.patch
+libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch
+workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch
+scsi-qla2xxx-fix-ql_dump_buffer.patch
+scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch
+irqchip-crossbar-fix-incorrect-type-of-register-size.patch
+kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch
+arm-kvm-survive-unknown-traps-from-guests.patch
+arm64-kvm-survive-unknown-traps-from-guests.patch
+kvm-arm-arm64-vgic-fix-command-handling-while-its-being-disabled.patch
+spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch
+spi_ks8995-regs_size-incorrect-for-some-devices.patch
+bnx2x-prevent-crash-when-accessing-ptp-with-interface-down.patch
+bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch
+bnx2x-fix-detection-of-vlan-filtering-feature-for-vf.patch
+bnx2x-do-not-rollback-vf-mac-vlan-filters-we-did-not-configure.patch
+rds-tcp-sequence-teardown-of-listen-and-acceptor-sockets-to-avoid-races.patch
+ibmvnic-fix-overflowing-firmware-hardware-tx-queue.patch
+ibmvnic-allocate-number-of-rx-tx-buffers-agreed-on-by-firmware.patch
+ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch
+crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch
+i2c-riic-fix-restart-condition.patch
+blk-mq-initialize-mq-kobjects-in-blk_mq_init_allocated_queue.patch
+zram-set-physical-queue-limits-to-avoid-array-out-of-bounds-accesses.patch
+netfilter-don-t-track-fragmented-packets.patch
+axonram-fix-gendisk-handling.patch
+drm-amd-amdgpu-fix-console-deadlock-if-late-init-failed.patch
+powerpc-powernv-ioda2-gracefully-fail-if-too-many-tce-levels-requested.patch
+edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch
+edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch
+kbuild-pkg-use-transform-option-to-prefix-paths-in-tar.patch
+coccinelle-fix-parallel-build-with-check-scripts-coccicheck.patch
+x86-mpx-selftests-fix-up-weird-arrays.patch
+mac80211_hwsim-fix-memory-leak-in-hwsim_new_radio_nl.patch
+gre6-use-log_ecn_error-module-parameter-in-ip6_tnl_rcv.patch
+route-also-update-fnhe_genid-when-updating-a-route-cache.patch
+route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch
+drivers-rapidio-devices-rio_mport_cdev.c-fix-resource-leak-in-error-handling-path-in-rio_dma_transfer.patch
+lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch
+dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch
+nfs-fix-a-typo-in-nfs_rename.patch
+sunrpc-fix-rpc_task_begin-trace-point.patch
+xfs-fix-forgotten-rcu-read-unlock-when-skipping-inode-reclaim.patch
+dt-bindings-usb-fix-reg-property-port-number-range.patch
+block-wake-up-all-tasks-blocked-in-get_request.patch
+sparc64-mm-set-fields-in-deferred-pages.patch
+zsmalloc-calling-zs_map_object-from-irq-is-a-bug.patch
+sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch
+sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch
+bpf-fix-lockdep-splat.patch
+clk-uniphier-fix-dapll2-clock-rate-of-pro5.patch
+atm-horizon-fix-irq-release-error.patch
+jump_label-invoke-jump_label_test-via-early_initcall.patch
+xfrm-copy-policy-family-in-clone_policy.patch
+ib-mlx4-increase-maximal-message-size-under-ud-qp.patch
+ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch
+afs-connect-up-the-cb.probeuuid.patch
+kbuild-do-not-call-cc-option-before-kbuild_cflags-initialization.patch
+ipvlan-fix-ipv6-outbound-device.patch
+audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch
+md-free-unused-memory-after-bitmap-resize.patch
+rdma-cxgb4-annotate-r2-and-stag-as-__be32.patch
diff --git a/queue-4.9/sparc64-mm-set-fields-in-deferred-pages.patch b/queue-4.9/sparc64-mm-set-fields-in-deferred-pages.patch
new file mode 100644 (file)
index 0000000..0d34496
--- /dev/null
@@ -0,0 +1,107 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Pavel Tatashin <pasha.tatashin@oracle.com>
+Date: Wed, 15 Nov 2017 17:36:18 -0800
+Subject: sparc64/mm: set fields in deferred pages
+
+From: Pavel Tatashin <pasha.tatashin@oracle.com>
+
+
+[ Upstream commit 2a20aa171071a334d80c4e5d5af719d8374702fc ]
+
+Without deferred struct page feature (CONFIG_DEFERRED_STRUCT_PAGE_INIT),
+flags and other fields in "struct page"es are never changed prior to
+first initializing struct pages by going through __init_single_page().
+
+With deferred struct page feature enabled there is a case where we set
+some fields prior to initializing:
+
+mem_init() {
+     register_page_bootmem_info();
+     free_all_bootmem();
+     ...
+}
+
+When register_page_bootmem_info() is called only non-deferred struct
+pages are initialized.  But, this function goes through some reserved
+pages which might be part of the deferred, and thus are not yet
+initialized.
+
+mem_init
+register_page_bootmem_info
+register_page_bootmem_info_node
+ get_page_bootmem
+  .. setting fields here ..
+  such as: page->freelist = (void *)type;
+
+free_all_bootmem()
+free_low_memory_core_early()
+ for_each_reserved_mem_region()
+  reserve_bootmem_region()
+   init_reserved_page() <- Only if this is deferred reserved page
+    __init_single_pfn()
+     __init_single_page()
+      memset(0) <-- Loose the set fields here
+
+We end up with similar issue as in the previous patch, where currently
+we do not observe problem as memory is zeroed.  But, if flag asserts are
+changed we can start hitting issues.
+
+Also, because in this patch series we will stop zeroing struct page
+memory during allocation, we must make sure that struct pages are
+properly initialized prior to using them.
+
+The deferred-reserved pages are initialized in free_all_bootmem().
+Therefore, the fix is to switch the above calls.
+
+Link: http://lkml.kernel.org/r/20171013173214.27300-4-pasha.tatashin@oracle.com
+Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>
+Reviewed-by: Steven Sistare <steven.sistare@oracle.com>
+Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Reviewed-by: Bob Picco <bob.picco@oracle.com>
+Acked-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Sam Ravnborg <sam@ravnborg.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/mm/init_64.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/arch/sparc/mm/init_64.c
++++ b/arch/sparc/mm/init_64.c
+@@ -2391,10 +2391,17 @@ void __init mem_init(void)
+ {
+       high_memory = __va(last_valid_pfn << PAGE_SHIFT);
+-      register_page_bootmem_info();
+       free_all_bootmem();
+       /*
++       * Must be done after boot memory is put on freelist, because here we
++       * might set fields in deferred struct pages that have not yet been
++       * initialized, and free_all_bootmem() initializes all the reserved
++       * deferred pages for us.
++       */
++      register_page_bootmem_info();
++
++      /*
+        * Set up the zero page, mark it reserved, so that page count
+        * is not manipulated when freeing the page from user ptes.
+        */
diff --git a/queue-4.9/spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch b/queue-4.9/spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch
new file mode 100644 (file)
index 0000000..ba3a51d
--- /dev/null
@@ -0,0 +1,28 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: "Blomme, Maarten" <Maarten.Blomme@flir.com>
+Date: Thu, 2 Mar 2017 13:08:36 +0100
+Subject: spi_ks8995: fix "BUG: key accdaa28 not in .data!"
+
+From: "Blomme, Maarten" <Maarten.Blomme@flir.com>
+
+
+[ Upstream commit 4342696df764ec65dcdfbd0c10d90ea52505f8ba ]
+
+Signed-off-by: Maarten Blomme <Maarten.Blomme@flir.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/spi_ks8995.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/phy/spi_ks8995.c
++++ b/drivers/net/phy/spi_ks8995.c
+@@ -498,6 +498,7 @@ static int ks8995_probe(struct spi_devic
+       if (err)
+               return err;
++      sysfs_attr_init(&ks->regs_attr.attr);
+       err = sysfs_create_bin_file(&spi->dev.kobj, &ks->regs_attr);
+       if (err) {
+               dev_err(&spi->dev, "unable to create sysfs file, err=%d\n",
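Review bot: `regs_attr` is a bin_attribute, so the dedicated helper reads better than reaching into `.attr`: `sysfs_bin_attr_init(&ks->regs_attr);`. The patch carries no description, so the call also needs a one-line comment saying why it is there, for example `/* regs_attr lives in the per-device struct, not in static storage, so lockdep needs its key initialised */`. That reason is inferred from the subject line and from the memcpy into `ks->regs_attr` shown in the companion patch; the allocation of `ks` is outside the hunk.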
diff --git a/queue-4.9/spi_ks8995-regs_size-incorrect-for-some-devices.patch b/queue-4.9/spi_ks8995-regs_size-incorrect-for-some-devices.patch
new file mode 100644 (file)
index 0000000..ddc8fac
--- /dev/null
@@ -0,0 +1,30 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: "Blomme, Maarten" <Maarten.Blomme@flir.com>
+Date: Thu, 2 Mar 2017 13:08:49 +0100
+Subject: spi_ks8995: regs_size incorrect for some devices
+
+From: "Blomme, Maarten" <Maarten.Blomme@flir.com>
+
+
+[ Upstream commit 239870f2a0ebf75cc8f6d987dc528c5243f93d69 ]
+
+Signed-off-by: Maarten Blomme <Maarten.Blomme@flir.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/spi_ks8995.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/spi_ks8995.c
++++ b/drivers/net/phy/spi_ks8995.c
+@@ -491,8 +491,8 @@ static int ks8995_probe(struct spi_devic
+       if (err)
+               return err;
+-      ks->regs_attr.size = ks->chip->regs_size;
+       memcpy(&ks->regs_attr, &ks8995_registers_attr, sizeof(ks->regs_attr));
++      ks->regs_attr.size = ks->chip->regs_size;
+       err = ks8995_reset(ks);
+       if (err)
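Review bot: The ordering fixed here is easy to break again, because nothing at the call site says that the `memcpy()` overwrites every field of `ks->regs_attr`, including `size`. Add a comment above the assignment, e.g. `/* must follow the memcpy: replace the template's size with this chip's regs_size */`. `size` presumably bounds what user space can read through the sysfs register file, so a value left over from the template could expose offsets the chip does not implement. The read handler is outside the hunk, so that is worth confirming. ks8995_probe() continues beyond the hunk.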
diff --git a/queue-4.9/sunrpc-fix-rpc_task_begin-trace-point.patch b/queue-4.9/sunrpc-fix-rpc_task_begin-trace-point.patch
new file mode 100644 (file)
index 0000000..a1e8862
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Fri, 3 Nov 2017 13:46:06 -0400
+Subject: sunrpc: Fix rpc_task_begin trace point
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+
+[ Upstream commit b2bfe5915d5fe7577221031a39ac722a0a2a1199 ]
+
+The rpc_task_begin trace point always display a task ID of zero.
+Move the trace point call site so that it picks up the new task ID.
+
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/sched.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/sunrpc/sched.c
++++ b/net/sunrpc/sched.c
+@@ -274,10 +274,9 @@ static inline void rpc_task_set_debuginf
+ static void rpc_set_active(struct rpc_task *task)
+ {
+-      trace_rpc_task_begin(task->tk_client, task, NULL);
+-
+       rpc_task_set_debuginfo(task);
+       set_bit(RPC_TASK_ACTIVE, &task->tk_runstate);
++      trace_rpc_task_begin(task->tk_client, task, NULL);
+ }
+ /*
diff --git a/queue-4.9/usb-dwc3-gadget-fix-system-suspend-resume-on-ti-platforms.patch b/queue-4.9/usb-dwc3-gadget-fix-system-suspend-resume-on-ti-platforms.patch
new file mode 100644 (file)
index 0000000..75d8129
--- /dev/null
@@ -0,0 +1,74 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Roger Quadros <rogerq@ti.com>
+Date: Wed, 15 Feb 2017 14:16:26 +0200
+Subject: usb: dwc3: gadget: Fix system suspend/resume on TI platforms
+
+From: Roger Quadros <rogerq@ti.com>
+
+
+[ Upstream commit 1551e35ea4189c1f7199fe278395fc94196715f2 ]
+
+On TI platforms (dra7, am437x), the DWC3_DSTS_DEVCTRLHLT bit is not set
+after the device controller is stopped via DWC3_DCTL_RUN_STOP.
+
+If we don't disconnect and stop the gadget, it stops working after a
+system resume with the trace below.
+
+There is no point in preventing gadget disconnect and gadget stop during
+system suspend/resume as we're going to suspend in any case, whether
+DEVCTRLHLT timed out or not.
+
+[  141.727480] ------------[ cut here ]------------
+[  141.732349] WARNING: CPU: 1 PID: 2135 at drivers/usb/dwc3/gadget.c:2384 dwc3_stop_active_transfer.constprop.4+0xc4/0xe4 [dwc3]
+[  141.744299] Modules linked in: usb_f_ss_lb g_zero libcomposite xhci_plat_hcd xhci_hcd usbcore dwc3 evdev udc_core m25p80 usb_common spi_nor snd_soc_davinci_mcasp snd_soc_simple_card snd_soc_edma snd_soc_tlv3e
+[  141.792163] CPU: 1 PID: 2135 Comm: irq/456-dwc3 Not tainted 4.10.0-rc8 #1138
+[  141.799547] Hardware name: Generic DRA74X (Flattened Device Tree)
+[  141.805940] [<c01101b4>] (unwind_backtrace) from [<c010c31c>] (show_stack+0x10/0x14)
+[  141.814066] [<c010c31c>] (show_stack) from [<c04a0918>] (dump_stack+0xac/0xe0)
+[  141.821648] [<c04a0918>] (dump_stack) from [<c013708c>] (__warn+0xd8/0x104)
+[  141.828955] [<c013708c>] (__warn) from [<c0137164>] (warn_slowpath_null+0x20/0x28)
+[  141.836902] [<c0137164>] (warn_slowpath_null) from [<bf27784c>] (dwc3_stop_active_transfer.constprop.4+0xc4/0xe4 [dwc3])
+[  141.848329] [<bf27784c>] (dwc3_stop_active_transfer.constprop.4 [dwc3]) from [<bf27ab14>] (__dwc3_gadget_ep_disable+0x64/0x528 [dwc3])
+[  141.861034] [<bf27ab14>] (__dwc3_gadget_ep_disable [dwc3]) from [<bf27c27c>] (dwc3_gadget_ep_disable+0x3c/0xc8 [dwc3])
+[  141.872280] [<bf27c27c>] (dwc3_gadget_ep_disable [dwc3]) from [<bf23b428>] (usb_ep_disable+0x11c/0x18c [udc_core])
+[  141.883160] [<bf23b428>] (usb_ep_disable [udc_core]) from [<bf342774>] (disable_ep+0x18/0x54 [usb_f_ss_lb])
+[  141.893408] [<bf342774>] (disable_ep [usb_f_ss_lb]) from [<bf3437b0>] (disable_endpoints+0x18/0x50 [usb_f_ss_lb])
+[  141.904168] [<bf3437b0>] (disable_endpoints [usb_f_ss_lb]) from [<bf343814>] (disable_source_sink+0x2c/0x34 [usb_f_ss_lb])
+[  141.915771] [<bf343814>] (disable_source_sink [usb_f_ss_lb]) from [<bf329a9c>] (reset_config+0x48/0x7c [libcomposite])
+[  141.927012] [<bf329a9c>] (reset_config [libcomposite]) from [<bf329afc>] (composite_disconnect+0x2c/0x54 [libcomposite])
+[  141.938444] [<bf329afc>] (composite_disconnect [libcomposite]) from [<bf23d7dc>] (usb_gadget_udc_reset+0x10/0x34 [udc_core])
+[  141.950237] [<bf23d7dc>] (usb_gadget_udc_reset [udc_core]) from [<bf276d70>] (dwc3_gadget_reset_interrupt+0x64/0x698 [dwc3])
+[  141.962022] [<bf276d70>] (dwc3_gadget_reset_interrupt [dwc3]) from [<bf27952c>] (dwc3_thread_interrupt+0x618/0x1a3c [dwc3])
+[  141.973723] [<bf27952c>] (dwc3_thread_interrupt [dwc3]) from [<c01a7ce8>] (irq_thread_fn+0x1c/0x54)
+[  141.983215] [<c01a7ce8>] (irq_thread_fn) from [<c01a7fbc>] (irq_thread+0x120/0x1f0)
+[  141.991247] [<c01a7fbc>] (irq_thread) from [<c015ba14>] (kthread+0xf8/0x138)
+[  141.998641] [<c015ba14>] (kthread) from [<c01078f0>] (ret_from_fork+0x14/0x24)
+[  142.006213] ---[ end trace b4ecfe9f175b9a9c ]---
+
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/gadget.c |    7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -3092,15 +3092,10 @@ void dwc3_gadget_exit(struct dwc3 *dwc)
+ int dwc3_gadget_suspend(struct dwc3 *dwc)
+ {
+-      int ret;
+-
+       if (!dwc->gadget_driver)
+               return 0;
+-      ret = dwc3_gadget_run_stop(dwc, false, false);
+-      if (ret < 0)
+-              return ret;
+-
++      dwc3_gadget_run_stop(dwc, false, false);
+       dwc3_disconnect_gadget(dwc);
+       __dwc3_gadget_stop(dwc);
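Review bot: The return value of `dwc3_gadget_run_stop(dwc, false, false)` is now dropped without any trace, so a controller that fails to halt for a reason other than the TI behaviour described in the commit message goes unnoticed. Say at the call site that this is deliberate, e.g. `/* DEVCTRLHLT may never assert on some platforms; disconnect and stop regardless */`. Consider keeping `ret` only to log it: `if (ret < 0) dev_dbg(dwc->dev, "run/stop did not halt before suspend\n");`. `dwc->dev` is assumed from the driver's usual layout and is not visible here. dwc3_gadget_suspend() continues beyond the hunk.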
diff --git a/queue-4.9/usb-gadget-configs-plug-memory-leak.patch b/queue-4.9/usb-gadget-configs-plug-memory-leak.patch
new file mode 100644 (file)
index 0000000..090111b
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: John Keeping <john@metanate.com>
+Date: Tue, 28 Feb 2017 10:55:30 +0000
+Subject: usb: gadget: configs: plug memory leak
+
+From: John Keeping <john@metanate.com>
+
+
+[ Upstream commit 38355b2a44776c25b0f2ad466e8c51bb805b3032 ]
+
+When binding a gadget to a device, "name" is stored in gi->udc_name, but
+this does not happen when unregistering and the string is leaked.
+
+Signed-off-by: John Keeping <john@metanate.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/configfs.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -269,6 +269,7 @@ static ssize_t gadget_dev_desc_UDC_store
+               ret = unregister_gadget(gi);
+               if (ret)
+                       goto err;
++              kfree(name);
+       } else {
+               if (gi->composite.gadget_driver.udc_name) {
+                       ret = -EBUSY;
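Review bot: `name` now has two release points on the unregister branch: the new `kfree(name)` on success and, presumably, the `err:` label on failure, which the hunk does not show. Confirm that `err:` frees `name` and that no path reaches it after this `kfree()`, otherwise the fix trades a leak for a double free. A comment would make the ownership rule explicit: `/* name is only kept when it is stored as udc_name; free it on unregister */`. gadget_dev_desc_UDC_store() starts and ends outside the hunk.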
diff --git a/queue-4.9/usb-gadget-pxa27x-test-for-a-valid-argument-pointer.patch b/queue-4.9/usb-gadget-pxa27x-test-for-a-valid-argument-pointer.patch
new file mode 100644 (file)
index 0000000..7758d03
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Petr Cvek <petr.cvek@tul.cz>
+Date: Fri, 24 Feb 2017 02:54:56 +0100
+Subject: usb: gadget: pxa27x: Test for a valid argument pointer
+
+From: Petr Cvek <petr.cvek@tul.cz>
+
+
+[ Upstream commit df7545719a14fa7b481896fb8689e23d0a00f682 ]
+
+A call usb_put_phy(udc->transceiver) must be tested for a valid pointer.
+Use an already existing test for usb_unregister_notifier call.
+
+Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Reported-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Petr Cvek <petr.cvek@tul.cz>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/pxa27x_udc.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/udc/pxa27x_udc.c
++++ b/drivers/usb/gadget/udc/pxa27x_udc.c
+@@ -2534,9 +2534,10 @@ static int pxa_udc_remove(struct platfor
+       usb_del_gadget_udc(&udc->gadget);
+       pxa_cleanup_debugfs(udc);
+-      if (!IS_ERR_OR_NULL(udc->transceiver))
++      if (!IS_ERR_OR_NULL(udc->transceiver)) {
+               usb_unregister_notifier(udc->transceiver, &pxa27x_udc_phy);
+-      usb_put_phy(udc->transceiver);
++              usb_put_phy(udc->transceiver);
++      }
+       udc->transceiver = NULL;
+       the_controller = NULL;
diff --git a/queue-4.9/usb-gadget-udc-net2280-fix-tmp-reusage-in-net2280-driver.patch b/queue-4.9/usb-gadget-udc-net2280-fix-tmp-reusage-in-net2280-driver.patch
new file mode 100644 (file)
index 0000000..c110b0c
--- /dev/null
@@ -0,0 +1,145 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Raz Manor <Raz.Manor@valens.com>
+Date: Thu, 9 Feb 2017 09:41:08 +0200
+Subject: usb: gadget: udc: net2280: Fix tmp reusage in net2280 driver
+
+From: Raz Manor <Raz.Manor@valens.com>
+
+
+[ Upstream commit ef5e2fa9f65befa12f1113c734602d2c1964d2a5 ]
+
+In the function scan_dma_completions() there is a reusage of tmp
+variable. That coused a wrong value being used in some case when
+reading a short packet terminated transaction from an endpoint,
+in 2 concecutive reads.
+
+This was my logic for the patch:
+
+The req->td->dmadesc equals to 0 iff:
+-- There was a transaction ending with a short packet, and
+-- The read() to read it was shorter than the transaction length, and
+-- The read() to complete it is longer than the residue.
+I believe this is true from the printouts of various cases,
+but I can't be positive it is correct.
+
+Entering this if, there should be no more data in the endpoint
+(a short packet terminated the transaction).
+If there is, the transaction wasn't really done and we should exit and
+wait for it to finish entirely. That is the inner if.
+That inner if should never happen, but it is there to be on the safe
+side. That is why it is marked with the comment /* paranoia */.
+The size of the data available in the endpoint is ep->dma->dmacount
+and it is read to tmp.
+This entire clause is based on my own educated guesses.
+
+If we passed that inner if without breaking in the original code,
+than tmp & DMA_BYTE_MASK_COUNT== 0.
+That means we will always pass dma bytes count of 0 to dma_done(),
+meaning all the requested bytes were read.
+
+dma_done() reports back to the upper layer that the request (read())
+was done and how many bytes were read.
+In the original code that would always be the request size,
+regardless of the actual size of the data.
+That did not make sense to me at all.
+
+However, the original value of tmp is req->td->dmacount,
+which is the dmacount value when the request's dma transaction was
+finished. And that is a much more reasonable value to report back to
+the caller.
+
+To recreate the problem:
+Read from a bulk out endpoint in a loop, 1024 * n bytes in each
+iteration.
+Connect the PLX to a host you can control.
+Send to that endpoint 1024 * n + x bytes,
+such that 0 < x < 1024 * n and (x % 1024) != 0
+You would expect the first read() to return 1024 * n
+and the second read() to return x.
+But you will get the first read to return 1024 * n
+and the second one to return 1024 * n.
+That is true for every positive integer n.
+
+Cc: Felipe Balbi <balbi@kernel.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: linux-usb@vger.kernel.org
+Signed-off-by: Raz Manor <Raz.Manor@valens.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/net2280.c |   25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+--- a/drivers/usb/gadget/udc/net2280.c
++++ b/drivers/usb/gadget/udc/net2280.c
+@@ -1146,15 +1146,15 @@ static int scan_dma_completions(struct n
+        */
+       while (!list_empty(&ep->queue)) {
+               struct net2280_request  *req;
+-              u32                     tmp;
++              u32 req_dma_count;
+               req = list_entry(ep->queue.next,
+                               struct net2280_request, queue);
+               if (!req->valid)
+                       break;
+               rmb();
+-              tmp = le32_to_cpup(&req->td->dmacount);
+-              if ((tmp & BIT(VALID_BIT)) != 0)
++              req_dma_count = le32_to_cpup(&req->td->dmacount);
++              if ((req_dma_count & BIT(VALID_BIT)) != 0)
+                       break;
+               /* SHORT_PACKET_TRANSFERRED_INTERRUPT handles "usb-short"
+@@ -1163,40 +1163,41 @@ static int scan_dma_completions(struct n
+                */
+               if (unlikely(req->td->dmadesc == 0)) {
+                       /* paranoia */
+-                      tmp = readl(&ep->dma->dmacount);
+-                      if (tmp & DMA_BYTE_COUNT_MASK)
++                      u32 const ep_dmacount = readl(&ep->dma->dmacount);
++
++                      if (ep_dmacount & DMA_BYTE_COUNT_MASK)
+                               break;
+                       /* single transfer mode */
+-                      dma_done(ep, req, tmp, 0);
++                      dma_done(ep, req, req_dma_count, 0);
+                       num_completed++;
+                       break;
+               } else if (!ep->is_in &&
+                          (req->req.length % ep->ep.maxpacket) &&
+                          !(ep->dev->quirks & PLX_PCIE)) {
+-                      tmp = readl(&ep->regs->ep_stat);
++                      u32 const ep_stat = readl(&ep->regs->ep_stat);
+                       /* AVOID TROUBLE HERE by not issuing short reads from
+                        * your gadget driver.  That helps avoids errata 0121,
+                        * 0122, and 0124; not all cases trigger the warning.
+                        */
+-                      if ((tmp & BIT(NAK_OUT_PACKETS)) == 0) {
++                      if ((ep_stat & BIT(NAK_OUT_PACKETS)) == 0) {
+                               ep_warn(ep->dev, "%s lost packet sync!\n",
+                                               ep->ep.name);
+                               req->req.status = -EOVERFLOW;
+                       } else {
+-                              tmp = readl(&ep->regs->ep_avail);
+-                              if (tmp) {
++                              u32 const ep_avail = readl(&ep->regs->ep_avail);
++                              if (ep_avail) {
+                                       /* fifo gets flushed later */
+                                       ep->out_overflow = 1;
+                                       ep_dbg(ep->dev,
+                                               "%s dma, discard %d len %d\n",
+-                                              ep->ep.name, tmp,
++                                              ep->ep.name, ep_avail,
+                                               req->req.length);
+                                       req->req.status = -EOVERFLOW;
+                               }
+                       }
+               }
+-              dma_done(ep, req, tmp, 0);
++              dma_done(ep, req, req_dma_count, 0);
+               num_completed++;
+       }
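Review bot: The `ep_dbg()` call in the overflow branch still formats the register value with `%d` although the new local is declared `u32 const ep_avail`; use an unsigned conversion, `"%s dma, discard %u len %d\n"`, and check the specifier for `req->req.length` against its declared type, which is not visible here. The `ep_avail` declaration is also followed directly by the `if`, whereas `ep_dmacount` got the blank line kernel style expects after declarations. Separately, `dma_done()` now always receives `req_dma_count`, a value written back into the descriptor by the controller, so it is worth confirming that `dma_done()` (outside the hunk) tolerates a byte count larger than the request length. `scan_dma_completions()` starts and ends outside these hunks.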
diff --git a/queue-4.9/usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch b/queue-4.9/usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch
new file mode 100644 (file)
index 0000000..312a177
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Tue, 21 Feb 2017 22:33:11 +0100
+Subject: USB: gadgetfs: Fix a potential memory leak in 'dev_config()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit b6e7aeeaf235901c42ec35de4633c7c69501d303 ]
+
+'kbuf' is allocated just a few lines above using 'memdup_user()'.
+If the 'if (dev->buf)' test fails, this memory is never released.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/legacy/inode.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1819,8 +1819,10 @@ dev_config (struct file *fd, const char
+       spin_lock_irq (&dev->lock);
+       value = -EINVAL;
+-      if (dev->buf)
++      if (dev->buf) {
++              kfree(kbuf);
+               goto fail;
++      }
+       dev->buf = kbuf;
+       /* full or low speed config */
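Review bot: Freeing `kbuf` in the `if (dev->buf)` branch fixes the leak, but the branch still jumps to `fail`, whose body is outside the hunk; if that label also releases `dev->buf` (worth confirming), a second configuration write would tear down the buffer installed by the first one. Returning directly avoids depending on the shared cleanup: `spin_unlock_irq(&dev->lock); kfree(kbuf); return value;`. That form also moves the `kfree()` out of the interrupt-disabled section.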
diff --git a/queue-4.9/vti6-don-t-report-path-mtu-below-ipv6_min_mtu.patch b/queue-4.9/vti6-don-t-report-path-mtu-below-ipv6_min_mtu.patch
new file mode 100644 (file)
index 0000000..cc8c06d
--- /dev/null
@@ -0,0 +1,43 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Wed, 15 Feb 2017 11:38:58 +0100
+Subject: vti6: Don't report path MTU below IPV6_MIN_MTU.
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+
+[ Upstream commit e3dc847a5f85b43ee2bfc8eae407a7e383483228 ]
+
+In vti6_xmit(), the check for IPV6_MIN_MTU before we
+send a ICMPV6_PKT_TOOBIG message is missing. So we might
+report a PMTU below 1280. Fix this by adding the required
+check.
+
+Fixes: ccd740cbc6e ("vti6: Add pmtu handling to vti6_xmit.")
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_vti.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -485,11 +485,15 @@ vti6_xmit(struct sk_buff *skb, struct ne
+       if (!skb->ignore_df && skb->len > mtu) {
+               skb_dst(skb)->ops->update_pmtu(dst, NULL, skb, mtu);
+-              if (skb->protocol == htons(ETH_P_IPV6))
++              if (skb->protocol == htons(ETH_P_IPV6)) {
++                      if (mtu < IPV6_MIN_MTU)
++                              mtu = IPV6_MIN_MTU;
++
+                       icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
+-              else
++              } else {
+                       icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
+                                 htonl(mtu));
++              }
+               return -EMSGSIZE;
+       }
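Review bot: The clamp to `IPV6_MIN_MTU` only affects the value placed in the ICMPv6 message; `update_pmtu()` two lines earlier has already been called with the unclamped `mtu`, so the cached route and the notified sender can end up with different views of the path MTU. Whether the `update_pmtu` implementation ignores or raises values below 1280 is not visible here. If it does, record that next to the clamp, e.g. `/* update_pmtu() applies its own floor; only the reported value needs clamping */`; if not, apply the clamp before the `update_pmtu()` call for IPv6 packets. `vti6_xmit()` starts and ends outside the hunk.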
diff --git a/queue-4.9/workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch b/queue-4.9/workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch
new file mode 100644 (file)
index 0000000..1ef6091
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Tejun Heo <tj@kernel.org>
+Date: Mon, 6 Mar 2017 15:33:42 -0500
+Subject: workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq
+
+From: Tejun Heo <tj@kernel.org>
+
+
+[ Upstream commit 637fdbae60d6cb9f6e963c1079d7e0445c86ff7d ]
+
+If queue_delayed_work() gets called with NULL @wq, the kernel will
+oops asynchronuosly on timer expiration which isn't too helpful in
+tracking down the offender.  This actually happened with smc.
+
+__queue_delayed_work() already does several input sanity checks
+synchronously.  Add NULL @wq check.
+
+Reported-by: Dave Jones <davej@codemonkey.org.uk>
+Link: http://lkml.kernel.org/r/20170227171439.jshx3qplflyrgcv7@codemonkey.org.uk
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/workqueue.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -1506,6 +1506,7 @@ static void __queue_delayed_work(int cpu
+       struct timer_list *timer = &dwork->timer;
+       struct work_struct *work = &dwork->work;
++      WARN_ON_ONCE(!wq);
+       WARN_ON_ONCE(timer->function != delayed_work_timer_fn ||
+                    timer->data != (unsigned long)dwork);
+       WARN_ON_ONCE(timer_pending(timer));
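Review bot: `WARN_ON_ONCE(!wq)` names the offending caller, but the function carries on after it, so the delayed work is presumably still armed with a NULL `wq` and the asynchronous oops described in the commit message is reported earlier rather than prevented. A comment would keep readers from treating the line as a guard, e.g. `/* diagnostic only: a NULL @wq still oopses at timer expiry, this identifies the caller */`. Because of the `_ONCE` variant only the first offender is logged, and on systems running with `panic_on_warn` the warning itself halts the machine. The rest of `__queue_delayed_work()` is outside the hunk.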
diff --git a/queue-4.9/x86-hpet-prevent-might-sleep-splat-on-resume.patch b/queue-4.9/x86-hpet-prevent-might-sleep-splat-on-resume.patch
new file mode 100644 (file)
index 0000000..944245b
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 1 Mar 2017 21:10:17 +0100
+Subject: x86/hpet: Prevent might sleep splat on resume
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+
+[ Upstream commit bb1a2c26165640ba2cbcfe06c81e9f9d6db4e643 ]
+
+Sergey reported a might sleep warning triggered from the hpet resume
+path. It's caused by the call to disable_irq() from interrupt disabled
+context.
+
+The problem with the low level resume code is that it is not accounted as a
+special system_state like we do during the boot process. Calling the same
+code during system boot would not trigger the warning. That's inconsistent
+at best.
+
+In this particular case it's trivial to replace the disable_irq() with
+disable_hardirq() because this particular code path is solely used from
+system resume and the involved hpet interrupts can never be force threaded.
+
+Reported-and-tested-by: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: "Rafael J. Wysocki" <rjw@sisk.pl>
+Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1703012108460.3684@nanos
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/hpet.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/hpet.c
++++ b/arch/x86/kernel/hpet.c
+@@ -354,7 +354,7 @@ static int hpet_resume(struct clock_even
+               irq_domain_deactivate_irq(irq_get_irq_data(hdev->irq));
+               irq_domain_activate_irq(irq_get_irq_data(hdev->irq));
+-              disable_irq(hdev->irq);
++              disable_hardirq(hdev->irq);
+               irq_set_affinity(hdev->irq, cpumask_of(hdev->cpu));
+               enable_irq(hdev->irq);
+       }
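Review bot: The reason `disable_hardirq()` is safe at this call site is recorded only in the commit message, not in the code. Add a comment above the call, e.g. `/* resume runs with interrupts disabled; hpet irqs are never force threaded, so disable_irq() is not needed */`, so a later cleanup does not switch it back to the sleeping variant. `hpet_resume()` starts outside the hunk.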
diff --git a/queue-4.9/x86-mpx-selftests-fix-up-weird-arrays.patch b/queue-4.9/x86-mpx-selftests-fix-up-weird-arrays.patch
new file mode 100644 (file)
index 0000000..3f426dc
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Fri, 10 Nov 2017 16:12:29 -0800
+Subject: x86/mpx/selftests: Fix up weird arrays
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+
+[ Upstream commit a6400120d042397675fcf694060779d21e9e762d ]
+
+The MPX hardware data structurse are defined in a weird way: they define
+their size in bytes and then union that with the type with which we want
+to access them.
+
+Yes, this is weird, but it does work.  But, new GCC's complain that we
+are accessing the array out of bounds.  Just make it a zero-sized array
+so gcc will stop complaining.  There was not really a bug here.
+
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lkml.kernel.org/r/20171111001229.58A7933D@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/mpx-hw.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/x86/mpx-hw.h
++++ b/tools/testing/selftests/x86/mpx-hw.h
+@@ -51,14 +51,14 @@
+ struct mpx_bd_entry {
+       union {
+               char x[MPX_BOUNDS_DIR_ENTRY_SIZE_BYTES];
+-              void *contents[1];
++              void *contents[0];
+       };
+ } __attribute__((packed));
+ struct mpx_bt_entry {
+       union {
+               char x[MPX_BOUNDS_TABLE_ENTRY_SIZE_BYTES];
+-              unsigned long contents[1];
++              unsigned long contents[0];
+       };
+ } __attribute__((packed));
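Review bot: `contents[0]` is a GNU zero-length array, and the reason for using it is not recorded next to either declaration. With the array unsized, the compiler no longer diagnoses out-of-range indices into `contents`, so the only bound left is the size of `x`. A one-line comment on both unions would state that, e.g. `/* x[] fixes the size; contents[] is an unsized view and must not be indexed past sizeof(x) */`.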
diff --git a/queue-4.9/x86-platform-uv-bau-fix-hub-errors-by-remove-initial-write-to-sw-ack-register.patch b/queue-4.9/x86-platform-uv-bau-fix-hub-errors-by-remove-initial-write-to-sw-ack-register.patch
new file mode 100644 (file)
index 0000000..dc40653
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Andrew Banman <abanman@hpe.com>
+Date: Fri, 17 Feb 2017 11:07:49 -0600
+Subject: x86/platform/uv/BAU: Fix HUB errors by remove initial write to sw-ack register
+
+From: Andrew Banman <abanman@hpe.com>
+
+
+[ Upstream commit 1b17c6df852851b40c3c27c66b8fa2fd99cf25d8 ]
+
+Writing to the software acknowledge clear register when there are no
+pending messages causes a HUB error to assert. The original intent of this
+write was to clear the pending bits before start of operation, but this is
+an incorrect method and has been determined to be unnecessary.
+
+Signed-off-by: Andrew Banman <abanman@hpe.com>
+Acked-by: Mike Travis <mike.travis@hpe.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: akpm@linux-foundation.org
+Cc: rja@hpe.com
+Cc: sivanich@hpe.com
+Link: http://lkml.kernel.org/r/1487351269-181133-1-git-send-email-abanman@hpe.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/platform/uv/tlb_uv.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/x86/platform/uv/tlb_uv.c
++++ b/arch/x86/platform/uv/tlb_uv.c
+@@ -1848,7 +1848,6 @@ static void pq_init(int node, int pnode)
+       ops.write_payload_first(pnode, first);
+       ops.write_payload_last(pnode, last);
+-      ops.write_g_sw_ack(pnode, 0xffffUL);
+       /* in effect, all msg_type's are set to MSG_NOOP */
+       memset(pqp, 0, sizeof(struct bau_pq_entry) * DEST_Q_SIZE);
diff --git a/queue-4.9/x86-selftests-add-clobbers-for-int80-on-x86_64.patch b/queue-4.9/x86-selftests-add-clobbers-for-int80-on-x86_64.patch
new file mode 100644 (file)
index 0000000..e10b9f9
--- /dev/null
@@ -0,0 +1,158 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Dmitry Safonov <dsafonov@virtuozzo.com>
+Date: Mon, 13 Feb 2017 13:13:36 +0300
+Subject: x86/selftests: Add clobbers for int80 on x86_64
+
+From: Dmitry Safonov <dsafonov@virtuozzo.com>
+
+
+[ Upstream commit 2a4d0c627f5374f365a873dea4e10ae0bb437680 ]
+
+Kernel erases R8..R11 registers prior returning to userspace
+from int80:
+
+  https://lkml.org/lkml/2009/10/1/164
+
+GCC can reuse these registers and doesn't expect them to change
+during syscall invocation. I met this kind of bug in CRIU once
+GCC 6.1 and CLANG stored local variables in those registers
+and the kernel zerofied them during syscall:
+
+  https://github.com/xemul/criu/commit/990d33f1a1cdd17bca6c2eb059ab3be2564f7fa2
+
+By that reason I suggest to add those registers to clobbers
+in selftests.  Also, as noted by Andy - removed unneeded clobber
+for flags in INT $0x80 inline asm.
+
+Signed-off-by: Dmitry Safonov <dsafonov@virtuozzo.com>
+Acked-by: Andy Lutomirski <luto@kernel.org>
+Cc: 0x7f454c46@gmail.com
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-kselftest@vger.kernel.org
+Link: http://lkml.kernel.org/r/20170213101336.20486-1-dsafonov@virtuozzo.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/fsgsbase.c            |    2 +-
+ tools/testing/selftests/x86/ldt_gdt.c             |   16 +++++++++++-----
+ tools/testing/selftests/x86/ptrace_syscall.c      |    3 ++-
+ tools/testing/selftests/x86/single_step_syscall.c |    5 ++++-
+ 4 files changed, 18 insertions(+), 8 deletions(-)
+
+--- a/tools/testing/selftests/x86/fsgsbase.c
++++ b/tools/testing/selftests/x86/fsgsbase.c
+@@ -245,7 +245,7 @@ void do_unexpected_base(void)
+               long ret;
+               asm volatile ("int $0x80"
+                             : "=a" (ret) : "a" (243), "b" (low_desc)
+-                            : "flags");
++                            : "r8", "r9", "r10", "r11");
+               memcpy(&desc, low_desc, sizeof(desc));
+               munmap(low_desc, sizeof(desc));
+--- a/tools/testing/selftests/x86/ldt_gdt.c
++++ b/tools/testing/selftests/x86/ldt_gdt.c
+@@ -45,6 +45,12 @@
+ #define AR_DB                 (1 << 22)
+ #define AR_G                  (1 << 23)
++#ifdef __x86_64__
++# define INT80_CLOBBERS "r8", "r9", "r10", "r11"
++#else
++# define INT80_CLOBBERS
++#endif
++
+ static int nerrs;
+ /* Points to an array of 1024 ints, each holding its own index. */
+@@ -649,7 +655,7 @@ static int invoke_set_thread_area(void)
+       asm volatile ("int $0x80"
+                     : "=a" (ret), "+m" (low_user_desc) :
+                       "a" (243), "b" (low_user_desc)
+-                    : "flags");
++                    : INT80_CLOBBERS);
+       return ret;
+ }
+@@ -718,7 +724,7 @@ static void test_gdt_invalidation(void)
+                       "+a" (eax)
+                     : "m" (low_user_desc_clear),
+                       [arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
+-                    : "flags");
++                    : INT80_CLOBBERS);
+       if (sel != 0) {
+               result = "FAIL";
+@@ -749,7 +755,7 @@ static void test_gdt_invalidation(void)
+                       "+a" (eax)
+                     : "m" (low_user_desc_clear),
+                       [arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
+-                    : "flags");
++                    : INT80_CLOBBERS);
+       if (sel != 0) {
+               result = "FAIL";
+@@ -782,7 +788,7 @@ static void test_gdt_invalidation(void)
+                       "+a" (eax)
+                     : "m" (low_user_desc_clear),
+                       [arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
+-                    : "flags");
++                    : INT80_CLOBBERS);
+ #ifdef __x86_64__
+       syscall(SYS_arch_prctl, ARCH_GET_FS, &new_base);
+@@ -835,7 +841,7 @@ static void test_gdt_invalidation(void)
+                       "+a" (eax)
+                     : "m" (low_user_desc_clear),
+                       [arg1] "r" ((unsigned int)(unsigned long)low_user_desc_clear)
+-                    : "flags");
++                    : INT80_CLOBBERS);
+ #ifdef __x86_64__
+       syscall(SYS_arch_prctl, ARCH_GET_GS, &new_base);
+--- a/tools/testing/selftests/x86/ptrace_syscall.c
++++ b/tools/testing/selftests/x86/ptrace_syscall.c
+@@ -58,7 +58,8 @@ static void do_full_int80(struct syscall
+       asm volatile ("int $0x80"
+                     : "+a" (args->nr),
+                       "+b" (args->arg0), "+c" (args->arg1), "+d" (args->arg2),
+-                      "+S" (args->arg3), "+D" (args->arg4), "+r" (bp));
++                      "+S" (args->arg3), "+D" (args->arg4), "+r" (bp)
++                      : : "r8", "r9", "r10", "r11");
+       args->arg5 = bp;
+ #else
+       sys32_helper(args, int80_and_ret);
+--- a/tools/testing/selftests/x86/single_step_syscall.c
++++ b/tools/testing/selftests/x86/single_step_syscall.c
+@@ -56,9 +56,11 @@ static volatile sig_atomic_t sig_traps;
+ #ifdef __x86_64__
+ # define REG_IP REG_RIP
+ # define WIDTH "q"
++# define INT80_CLOBBERS "r8", "r9", "r10", "r11"
+ #else
+ # define REG_IP REG_EIP
+ # define WIDTH "l"
++# define INT80_CLOBBERS
+ #endif
+ static unsigned long get_eflags(void)
+@@ -140,7 +142,8 @@ int main()
+       printf("[RUN]\tSet TF and check int80\n");
+       set_eflags(get_eflags() | X86_EFLAGS_TF);
+-      asm volatile ("int $0x80" : "=a" (tmp) : "a" (SYS_getpid));
++      asm volatile ("int $0x80" : "=a" (tmp) : "a" (SYS_getpid)
++                      : INT80_CLOBBERS);
+       check_result();
+       /*
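Review bot: In `fsgsbase.c` the `int $0x80` asm now lists only register clobbers, yet the next line reads the descriptor back with `memcpy(&desc, low_desc, sizeof(desc))`, which suggests the syscall writes through `low_desc`. Without a `"memory"` clobber or a memory output operand, the compiler may assume that buffer is unchanged; consider `: "memory", "r8", "r9", "r10", "r11");`. The register list is also spelled out by hand in `fsgsbase.c` and `ptrace_syscall.c`, while `ldt_gdt.c` and `single_step_syscall.c` each define their own `INT80_CLOBBERS`; one shared definition would keep the four files in step. In `fsgsbase.c` no `__x86_64__` guard is visible around the 64-bit register names, so confirm that file is never built for 32-bit.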
diff --git a/queue-4.9/xfrm-copy-policy-family-in-clone_policy.patch b/queue-4.9/xfrm-copy-policy-family-in-clone_policy.patch
new file mode 100644 (file)
index 0000000..6d69b32
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 10 Nov 2017 14:14:06 +1100
+Subject: xfrm: Copy policy family in clone_policy
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+
+[ Upstream commit 0e74aa1d79a5bbc663e03a2804399cae418a0321 ]
+
+The syzbot found an ancient bug in the IPsec code.  When we cloned
+a socket policy (for example, for a child TCP socket derived from a
+listening socket), we did not copy the family field.  This results
+in a live policy with a zero family field.  This triggers a BUG_ON
+check in the af_key code when the cloned policy is retrieved.
+
+This patch fixes it by copying the family field over.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_policy.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1393,6 +1393,7 @@ static struct xfrm_policy *clone_policy(
+               newp->xfrm_nr = old->xfrm_nr;
+               newp->index = old->index;
+               newp->type = old->type;
++              newp->family = old->family;
+               memcpy(newp->xfrm_vec, old->xfrm_vec,
+                      newp->xfrm_nr*sizeof(struct xfrm_tmpl));
+               spin_lock_bh(&net->xfrm.xfrm_policy_lock);
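Review bot: `clone_policy()` copies fields one assignment at a time, which is how `family` came to be missed, and nothing here tells whoever next adds a field to `struct xfrm_policy` that this function must be updated as well. A comment above the assignments, e.g. `/* every field a live policy depends on must be copied here */`, would help. The `memcpy()` below sizes its copy from `newp->xfrm_nr`, taken from `old`; how that count is bounded against `xfrm_vec` is not visible in this hunk. The function starts and ends outside the hunk.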
diff --git a/queue-4.9/xfs-fix-forgotten-rcu-read-unlock-when-skipping-inode-reclaim.patch b/queue-4.9/xfs-fix-forgotten-rcu-read-unlock-when-skipping-inode-reclaim.patch
new file mode 100644 (file)
index 0000000..8f6cc1d
--- /dev/null
@@ -0,0 +1,76 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Tue, 14 Nov 2017 16:34:44 -0800
+Subject: xfs: fix forgotten rcu read unlock when skipping inode reclaim
+
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+
+
+[ Upstream commit 962cc1ad6caddb5abbb9f0a43e5abe7131a71f18 ]
+
+In commit f2e9ad21 ("xfs: check for race with xfs_reclaim_inode"), we
+skip an inode if we're racing with freeing the inode via
+xfs_reclaim_inode, but we forgot to release the rcu read lock when
+dumping the inode, with the result that we exit to userspace with a lock
+held.  Don't do that; generic/320 with a 1k block size fails this
+very occasionally.
+
+================================================
+WARNING: lock held when returning to user space!
+4.14.0-rc6-djwong #4 Tainted: G        W
+------------------------------------------------
+rm/30466 is leaving the kernel with locks still held!
+1 lock held by rm/30466:
+ #0:  (rcu_read_lock){....}, at: [<ffffffffa01364d3>] xfs_ifree_cluster.isra.17+0x2c3/0x6f0 [xfs]
+------------[ cut here ]------------
+WARNING: CPU: 1 PID: 30466 at kernel/rcu/tree_plugin.h:329 rcu_note_context_switch+0x71/0x700
+Modules linked in: deadline_iosched dm_snapshot dm_bufio ext4 mbcache jbd2 dm_flakey xfs libcrc32c dax_pmem device_dax nd_pmem sch_fq_codel af_packet [last unloaded: scsi_debug]
+CPU: 1 PID: 30466 Comm: rm Tainted: G        W       4.14.0-rc6-djwong #4
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-1ubuntu1djwong0 04/01/2014
+task: ffff880037680000 task.stack: ffffc90001064000
+RIP: 0010:rcu_note_context_switch+0x71/0x700
+RSP: 0000:ffffc90001067e50 EFLAGS: 00010002
+RAX: 0000000000000001 RBX: ffff880037680000 RCX: ffff88003e73d200
+RDX: 0000000000000002 RSI: ffffffff819e53e9 RDI: ffffffff819f4375
+RBP: 0000000000000000 R08: 0000000000000000 R09: ffff880062c900d0
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff880037680000
+R13: 0000000000000000 R14: ffffc90001067eb8 R15: ffff880037680690
+FS:  00007fa3b8ce8700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f69bf77c000 CR3: 000000002450a000 CR4: 00000000000006e0
+Call Trace:
+ __schedule+0xb8/0xb10
+ schedule+0x40/0x90
+ exit_to_usermode_loop+0x6b/0xa0
+ prepare_exit_to_usermode+0x7a/0x90
+ retint_user+0x8/0x20
+RIP: 0033:0x7fa3b87fda87
+RSP: 002b:00007ffe41206568 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff02
+RAX: 0000000000000000 RBX: 00000000010e88c0 RCX: 00007fa3b87fda87
+RDX: 0000000000000000 RSI: 00000000010e89c8 RDI: 0000000000000005
+RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
+R10: 000000000000015e R11: 0000000000000246 R12: 00000000010c8060
+R13: 00007ffe41206690 R14: 0000000000000000 R15: 0000000000000000
+---[ end trace e88f83bf0cfbd07d ]---
+
+Fixes: f2e9ad212def50bcf4c098c6288779dd97fff0f0
+Cc: Omar Sandoval <osandov@fb.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Omar Sandoval <osandov@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_inode.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/xfs/xfs_inode.c
++++ b/fs/xfs/xfs_inode.c
+@@ -2386,6 +2386,7 @@ retry:
+                                */
+                               if (ip->i_ino != inum + i) {
+                                       xfs_iunlock(ip, XFS_ILOCK_EXCL);
++                                      rcu_read_unlock();
+                                       continue;
+                               }
+                       }
diff --git a/queue-4.9/zram-set-physical-queue-limits-to-avoid-array-out-of-bounds-accesses.patch b/queue-4.9/zram-set-physical-queue-limits-to-avoid-array-out-of-bounds-accesses.patch
new file mode 100644 (file)
index 0000000..bc041eb
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Mon, 6 Mar 2017 11:23:35 +0100
+Subject: zram: set physical queue limits to avoid array out of bounds accesses
+
+From: Johannes Thumshirn <jthumshirn@suse.de>
+
+
+[ Upstream commit 0bc315381fe9ed9fb91db8b0e82171b645ac008f ]
+
+zram can handle at most SECTORS_PER_PAGE sectors in a bio's bvec. When using
+the NVMe over Fabrics loopback target which potentially sends a huge bulk of
+pages attached to the bio's bvec this results in a kernel panic because of
+array out of bounds accesses in zram_decompress_page().
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/zram/zram_drv.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/block/zram/zram_drv.c
++++ b/drivers/block/zram/zram_drv.c
+@@ -1286,6 +1286,8 @@ static int zram_add(void)
+       blk_queue_io_min(zram->disk->queue, PAGE_SIZE);
+       blk_queue_io_opt(zram->disk->queue, PAGE_SIZE);
+       zram->disk->queue->limits.discard_granularity = PAGE_SIZE;
++      zram->disk->queue->limits.max_sectors = SECTORS_PER_PAGE;
++      zram->disk->queue->limits.chunk_sectors = 0;
+       blk_queue_max_discard_sectors(zram->disk->queue, UINT_MAX);
+       /*
+        * zram_bio_discard() will clear all logical blocks if logical block
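Review bot: The added `limits.max_sectors = SECTORS_PER_PAGE` assignment in zram_add() caps only the soft limit and leaves `max_hw_sectors` at whatever the queue defaults gave it. If that default is larger than one page, a later write to the queue's `max_sectors_kb` sysfs attribute could raise the limit again and bring back the out-of-bounds access in zram_decompress_page() that the commit message describes. The defaults are not visible in this hunk, so this needs confirming; if it holds, also capping the hard limit, for example with `blk_queue_max_hw_sectors(zram->disk->queue, SECTORS_PER_PAGE);`, would make the bound stick. The limit also protects the driver only if oversized bios are split against it before they reach zram's bvec handling, and that happens outside the lines shown. A short comment above the two assignments would help, such as `/* zram handles at most SECTORS_PER_PAGE sectors per bvec; larger requests overrun the page buffer */`; zram_add() itself starts and ends outside the hunk.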
diff --git a/queue-4.9/zsmalloc-calling-zs_map_object-from-irq-is-a-bug.patch b/queue-4.9/zsmalloc-calling-zs_map_object-from-irq-is-a-bug.patch
new file mode 100644 (file)
index 0000000..8bc5d16
--- /dev/null
@@ -0,0 +1,63 @@
+From foo@baz Tue Dec 12 13:26:17 CET 2017
+From: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
+Date: Wed, 15 Nov 2017 17:34:03 -0800
+Subject: zsmalloc: calling zs_map_object() from irq is a bug
+
+From: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
+
+
+[ Upstream commit 1aedcafbf32b3f232c159b14cd0d423fcfe2b861 ]
+
+Use BUG_ON(in_interrupt()) in zs_map_object().  This is not a new
+BUG_ON(), it's always been there, but was recently changed to
+VM_BUG_ON().  There are several problems there.  First, we use use
+per-CPU mappings both in zsmalloc and in zram, and interrupt may easily
+corrupt those buffers.  Second, and more importantly, we believe it's
+possible to start leaking sensitive information.  Consider the following
+case:
+
+-> process P
+       swap out
+        zram
+         per-cpu mapping CPU1
+          compress page A
+-> IRQ
+
+       swap out
+        zram
+         per-cpu mapping CPU1
+          compress page B
+           write page from per-cpu mapping CPU1 to zsmalloc pool
+       iret
+
+-> process P
+           write page from per-cpu mapping CPU1 to zsmalloc pool  [*]
+       return
+
+* so we store overwritten data that actually belongs to another
+  page (task) and potentially contains sensitive data. And when
+  process P will page fault it's going to read (swap in) that
+  other task's data.
+
+Link: http://lkml.kernel.org/r/20170929045140.4055-1-sergey.senozhatsky@gmail.com
+Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Acked-by: Minchan Kim <minchan@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/zsmalloc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/zsmalloc.c
++++ b/mm/zsmalloc.c
+@@ -1407,7 +1407,7 @@ void *zs_map_object(struct zs_pool *pool
+        * pools/users, we can't allow mapping in interrupt context
+        * because it can corrupt another users mappings.
+        */
+-      WARN_ON_ONCE(in_interrupt());
++      BUG_ON(in_interrupt());
+       /* From now on, migration cannot move the object */
+       pin_tag(handle);