--- /dev/null
+From 693bdaa164b40b7aa6018b98af6f7e40dbd52457 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Thu, 23 Mar 2017 13:21:38 -0700
+Subject: ACPI / gpio: do not fall back to parsing _CRS when we get a deferral
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 693bdaa164b40b7aa6018b98af6f7e40dbd52457 upstream.
+
+If, while locating GPIOs by name, we get probe deferral, we should
+immediately report it to caller rather than trying to fall back to parsing
+unnamed GPIOs from _CRS block.
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Acked-and-Tested-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib-acpi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpiolib-acpi.c
++++ b/drivers/gpio/gpiolib-acpi.c
+@@ -572,8 +572,10 @@ struct gpio_desc *acpi_find_gpio(struct
+ }
+
+ desc = acpi_get_gpiod_by_index(adev, propname, idx, &info);
+- if (!IS_ERR(desc) || (PTR_ERR(desc) == -EPROBE_DEFER))
++ if (!IS_ERR(desc))
+ break;
++ if (PTR_ERR(desc) == -EPROBE_DEFER)
++ return ERR_CAST(desc);
+ }
+
+ /* Then from plain _CRS GPIOs */
--- /dev/null
+From fdad4e7a876a2cb3d2c1f04e5418c324e79fffef Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Sat, 1 Apr 2017 00:45:52 +0200
+Subject: ACPI / scan: Prefer devices without _HID for _ADR matching
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit fdad4e7a876a2cb3d2c1f04e5418c324e79fffef upstream.
+
+Commit c2a6bbaf0c5f (ACPI / scan: Prefer devices without _HID/_CID
+for _ADR matching) added a list_empty(&adev->pnp.ids) check to
+find_child_checks() so as to catch situations in which the ACPI
+core attempts to decode _ADR for a device having a _HID too which
+is strictly against the spec. However, it overlooked the fact that
+the adev->pnp.ids list for the devices taken into account by
+find_child_checks() may contain device IDs set internally by the
+kernel, like "LNXVIDEO" (thanks to Zhang Rui for that realization),
+and it broke the enumeration of those devices as a result.
+
+To unbreak it, replace the overly coarse grained list_empty()
+check with a much more precise check against the pnp.type.platform_id
+flag which is only set for devices having a _HID (that's how it
+should be done from the start, as having both _ADR and _CID is
+actually permitted).
+
+Fixes: c2a6bbaf0c5f (ACPI / scan: Prefer devices without _HID/_CID for _ADR matching)
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=194889
+Reported-and-tested-by: Mike <mike@mikewilson.me.uk>
+Tested-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/glue.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/acpi/glue.c
++++ b/drivers/acpi/glue.c
+@@ -99,13 +99,13 @@ static int find_child_checks(struct acpi
+ return -ENODEV;
+
+ /*
+- * If the device has a _HID (or _CID) returning a valid ACPI/PNP
+- * device ID, it is better to make it look less attractive here, so that
+- * the other device with the same _ADR value (that may not have a valid
+- * device ID) can be matched going forward. [This means a second spec
+- * violation in a row, so whatever we do here is best effort anyway.]
++ * If the device has a _HID returning a valid ACPI/PNP device ID, it is
++ * better to make it look less attractive here, so that the other device
++ * with the same _ADR value (that may not have a valid device ID) can be
++ * matched going forward. [This means a second spec violation in a row,
++ * so whatever we do here is best effort anyway.]
+ */
+- return sta_present && list_empty(&adev->pnp.ids) ?
++ return sta_present && !adev->pnp.type.platform_id ?
+ FIND_CHILD_MAX_SCORE : FIND_CHILD_MIN_SCORE;
+ }
+
--- /dev/null
+From d77facb88448cdeaaa3adba5b9704a48ac2ac8d6 Mon Sep 17 00:00:00 2001
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Tue, 28 Mar 2017 09:11:30 +0100
+Subject: brcmfmac: use local iftype avoiding use-after-free of virtual interface
+
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+
+commit d77facb88448cdeaaa3adba5b9704a48ac2ac8d6 upstream.
+
+A use-after-free was found using KASAN. In brcmf_p2p_del_if() the virtual
+interface is removed using call to brcmf_remove_interface(). After that
+the virtual interface instance has been freed and should not be referenced.
+Solve this by storing the nl80211 iftype in local variable, which is used
+in a couple of places anyway.
+
+Reported-by: Daniel J Blueman <daniel@quora.org>
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
+@@ -2238,14 +2238,16 @@ int brcmf_p2p_del_vif(struct wiphy *wiph
+ struct brcmf_cfg80211_info *cfg = wiphy_priv(wiphy);
+ struct brcmf_p2p_info *p2p = &cfg->p2p;
+ struct brcmf_cfg80211_vif *vif;
++ enum nl80211_iftype iftype;
+ bool wait_for_disable = false;
+ int err;
+
+ brcmf_dbg(TRACE, "delete P2P vif\n");
+ vif = container_of(wdev, struct brcmf_cfg80211_vif, wdev);
+
++ iftype = vif->wdev.iftype;
+ brcmf_cfg80211_arm_vif_event(cfg, vif);
+- switch (vif->wdev.iftype) {
++ switch (iftype) {
+ case NL80211_IFTYPE_P2P_CLIENT:
+ if (test_bit(BRCMF_VIF_STATUS_DISCONNECTING, &vif->sme_state))
+ wait_for_disable = true;
+@@ -2275,7 +2277,7 @@ int brcmf_p2p_del_vif(struct wiphy *wiph
+ BRCMF_P2P_DISABLE_TIMEOUT);
+
+ err = 0;
+- if (vif->wdev.iftype != NL80211_IFTYPE_P2P_DEVICE) {
++ if (iftype != NL80211_IFTYPE_P2P_DEVICE) {
+ brcmf_vif_clear_mgmt_ies(vif);
+ err = brcmf_p2p_release_p2p_if(vif);
+ }
+@@ -2291,7 +2293,7 @@ int brcmf_p2p_del_vif(struct wiphy *wiph
+ brcmf_remove_interface(vif->ifp, true);
+
+ brcmf_cfg80211_arm_vif_event(cfg, NULL);
+- if (vif->wdev.iftype != NL80211_IFTYPE_P2P_DEVICE)
++ if (iftype != NL80211_IFTYPE_P2P_DEVICE)
+ p2p->bss_idx[P2PAPI_BSSCFG_CONNECTION].vif = NULL;
+
+ return err;
--- /dev/null
+From e11f8b7b6c4ea13bf8af6b8f42b45e15b554a92b Mon Sep 17 00:00:00 2001
+From: Ross Zwisler <ross.zwisler@linux.intel.com>
+Date: Fri, 7 Apr 2017 16:04:57 -0700
+Subject: dax: fix radix tree insertion race
+
+From: Ross Zwisler <ross.zwisler@linux.intel.com>
+
+commit e11f8b7b6c4ea13bf8af6b8f42b45e15b554a92b upstream.
+
+While running generic/340 in my test setup I hit the following race. It
+can happen with kernels that support FS DAX PMDs, so v4.10 thru
+v4.11-rc5.
+
+Thread 1 Thread 2
+-------- --------
+dax_iomap_pmd_fault()
+ grab_mapping_entry()
+ spin_lock_irq()
+ get_unlocked_mapping_entry()
+ 'entry' is NULL, can't call lock_slot()
+ spin_unlock_irq()
+ radix_tree_preload()
+ dax_iomap_pmd_fault()
+ grab_mapping_entry()
+ spin_lock_irq()
+ get_unlocked_mapping_entry()
+ ...
+ lock_slot()
+ spin_unlock_irq()
+ dax_pmd_insert_mapping()
+ <inserts a PMD mapping>
+ spin_lock_irq()
+ __radix_tree_insert() fails with -EEXIST
+ <fall back to 4k fault, and die horribly
+ when inserting a 4k entry where a PMD exists>
+
+The issue is that we have to drop mapping->tree_lock while calling
+radix_tree_preload(), but since we didn't have a radix tree entry to
+lock (unlike in the pmd_downgrade case) we have no protection against
+Thread 2 coming along and inserting a PMD at the same index. For 4k
+entries we handled this with a special-case response to -EEXIST coming
+from the __radix_tree_insert(), but this doesn't save us for PMDs
+because the -EEXIST case can also mean that we collided with a 4k entry
+in the radix tree at a different index, but one that is covered by our
+PMD range.
+
+So, correctly handle both the 4k and 2M collision cases by explicitly
+re-checking the radix tree for an entry at our index once we reacquire
+mapping->tree_lock.
+
+This patch has made it through a clean xfstests run with the current
+v4.11-rc5 based linux/master, and it also ran generic/340 500 times in a
+loop. It used to fail within the first 10 iterations.
+
+Link: http://lkml.kernel.org/r/20170406212944.2866-1-ross.zwisler@linux.intel.com
+Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
+Cc: "Darrick J. Wong" <darrick.wong@oracle.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Matthew Wilcox <mawilcox@microsoft.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dax.c | 35 ++++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+--- a/fs/dax.c
++++ b/fs/dax.c
+@@ -369,6 +369,22 @@ restart:
+ }
+ spin_lock_irq(&mapping->tree_lock);
+
++ if (!entry) {
++ /*
++ * We needed to drop the page_tree lock while calling
++ * radix_tree_preload() and we didn't have an entry to
++ * lock. See if another thread inserted an entry at
++ * our index during this time.
++ */
++ entry = __radix_tree_lookup(&mapping->page_tree, index,
++ NULL, &slot);
++ if (entry) {
++ radix_tree_preload_end();
++ spin_unlock_irq(&mapping->tree_lock);
++ goto restart;
++ }
++ }
++
+ if (pmd_downgrade) {
+ radix_tree_delete(&mapping->page_tree, index);
+ mapping->nrexceptional--;
+@@ -384,19 +400,12 @@ restart:
+ if (err) {
+ spin_unlock_irq(&mapping->tree_lock);
+ /*
+- * Someone already created the entry? This is a
+- * normal failure when inserting PMDs in a range
+- * that already contains PTEs. In that case we want
+- * to return -EEXIST immediately.
+- */
+- if (err == -EEXIST && !(size_flag & RADIX_DAX_PMD))
+- goto restart;
+- /*
+- * Our insertion of a DAX PMD entry failed, most
+- * likely because it collided with a PTE sized entry
+- * at a different index in the PMD range. We haven't
+- * inserted anything into the radix tree and have no
+- * waiters to wake.
++ * Our insertion of a DAX entry failed, most likely
++ * because we were inserting a PMD entry and it
++ * collided with a PTE sized entry at a different
++ * index in the PMD range. We haven't inserted
++ * anything into the radix tree and have no waiters to
++ * wake.
+ */
+ return ERR_PTR(err);
+ }
--- /dev/null
+From 86e3e83b443669dd2bcc5c8a83b23e3aa0694c0d Mon Sep 17 00:00:00 2001
+From: Sami Tolvanen <samitolvanen@google.com>
+Date: Fri, 31 Mar 2017 12:32:45 -0700
+Subject: dm verity fec: fix bufio leaks
+
+From: Sami Tolvanen <samitolvanen@google.com>
+
+commit 86e3e83b443669dd2bcc5c8a83b23e3aa0694c0d upstream.
+
+Buffers read through dm_bufio_read() were not released in all code paths.
+
+Fixes: a739ff3f543a ("dm verity: add support for forward error correction")
+Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-verity-fec.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm-verity-fec.c
++++ b/drivers/md/dm-verity-fec.c
+@@ -146,8 +146,6 @@ static int fec_decode_bufs(struct dm_ver
+ block = fec_buffer_rs_block(v, fio, n, i);
+ res = fec_decode_rs8(v, fio, block, &par[offset], neras);
+ if (res < 0) {
+- dm_bufio_release(buf);
+-
+ r = res;
+ goto error;
+ }
+@@ -172,6 +170,8 @@ static int fec_decode_bufs(struct dm_ver
+ done:
+ r = corrected;
+ error:
++ dm_bufio_release(buf);
++
+ if (r < 0 && neras)
+ DMERR_LIMIT("%s: FEC %llu: failed to correct: %d",
+ v->data_dev->name, (unsigned long long)rsb, r);
+@@ -269,7 +269,7 @@ static int fec_read_bufs(struct dm_verit
+ &is_zero) == 0) {
+ /* skip known zero blocks entirely */
+ if (is_zero)
+- continue;
++ goto done;
+
+ /*
+ * skip if we have already found the theoretical
--- /dev/null
+From f1a880a93baaadb14c10a348fd199f1cdb6bcccd Mon Sep 17 00:00:00 2001
+From: Sami Tolvanen <samitolvanen@google.com>
+Date: Wed, 15 Mar 2017 15:12:23 -0700
+Subject: dm verity fec: limit error correction recursion
+
+From: Sami Tolvanen <samitolvanen@google.com>
+
+commit f1a880a93baaadb14c10a348fd199f1cdb6bcccd upstream.
+
+If the hash tree itself is sufficiently corrupt in addition to data blocks,
+it's possible for error correction to end up in a deep recursive loop,
+which eventually causes a kernel panic. This change limits the
+recursion to a reasonable level during a single I/O operation.
+
+Fixes: a739ff3f543a ("dm verity: add support for forward error correction")
+Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-verity-fec.c | 12 +++++++++++-
+ drivers/md/dm-verity-fec.h | 4 ++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/dm-verity-fec.c
++++ b/drivers/md/dm-verity-fec.c
+@@ -439,6 +439,13 @@ int verity_fec_decode(struct dm_verity *
+ if (!verity_fec_is_enabled(v))
+ return -EOPNOTSUPP;
+
++ if (fio->level >= DM_VERITY_FEC_MAX_RECURSION) {
++ DMWARN_LIMIT("%s: FEC: recursion too deep", v->data_dev->name);
++ return -EIO;
++ }
++
++ fio->level++;
++
+ if (type == DM_VERITY_BLOCK_TYPE_METADATA)
+ block += v->data_blocks;
+
+@@ -470,7 +477,7 @@ int verity_fec_decode(struct dm_verity *
+ if (r < 0) {
+ r = fec_decode_rsb(v, io, fio, rsb, offset, true);
+ if (r < 0)
+- return r;
++ goto done;
+ }
+
+ if (dest)
+@@ -480,6 +487,8 @@ int verity_fec_decode(struct dm_verity *
+ r = verity_for_bv_block(v, io, iter, fec_bv_copy);
+ }
+
++done:
++ fio->level--;
+ return r;
+ }
+
+@@ -520,6 +529,7 @@ void verity_fec_init_io(struct dm_verity
+ memset(fio->bufs, 0, sizeof(fio->bufs));
+ fio->nbufs = 0;
+ fio->output = NULL;
++ fio->level = 0;
+ }
+
+ /*
+--- a/drivers/md/dm-verity-fec.h
++++ b/drivers/md/dm-verity-fec.h
+@@ -27,6 +27,9 @@
+ #define DM_VERITY_FEC_BUF_MAX \
+ (1 << (PAGE_SHIFT - DM_VERITY_FEC_BUF_RS_BITS))
+
++/* maximum recursion level for verity_fec_decode */
++#define DM_VERITY_FEC_MAX_RECURSION 4
++
+ #define DM_VERITY_OPT_FEC_DEV "use_fec_from_device"
+ #define DM_VERITY_OPT_FEC_BLOCKS "fec_blocks"
+ #define DM_VERITY_OPT_FEC_START "fec_start"
+@@ -58,6 +61,7 @@ struct dm_verity_fec_io {
+ unsigned nbufs; /* number of buffers allocated */
+ u8 *output; /* buffer for corrected output */
+ size_t output_pos;
++ unsigned level; /* recursion level */
+ };
+
+ #ifdef CONFIG_DM_VERITY_FEC
--- /dev/null
+From 7292ae3d5a18fb922be496e6bb687647193569b4 Mon Sep 17 00:00:00 2001
+From: Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>
+Date: Mon, 20 Mar 2017 20:15:53 +0300
+Subject: jump label: fix passing kbuild_cflags when checking for asm goto support
+
+From: Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>
+
+commit 7292ae3d5a18fb922be496e6bb687647193569b4 upstream.
+
+The latest change of asm goto support check added passing of KBUILD_CFLAGS
+to compiler. When these flags reference gcc plugins that are not built yet,
+the check fails.
+
+When one runs "make bzImage" followed by "make modules", the kernel is always
+built with HAVE_JUMP_LABEL disabled, while the modules are built depending on
+CONFIG_JUMP_LABEL. If HAVE_JUMP_LABEL macro happens to be different, modules
+are built with undefined references, e.g.:
+
+ERROR: "static_key_slow_inc" [net/netfilter/xt_TEE.ko] undefined!
+ERROR: "static_key_slow_dec" [net/netfilter/xt_TEE.ko] undefined!
+ERROR: "static_key_slow_dec" [net/netfilter/nft_meta.ko] undefined!
+ERROR: "static_key_slow_inc" [net/netfilter/nft_meta.ko] undefined!
+ERROR: "nf_hooks_needed" [net/netfilter/ipvs/ip_vs.ko] undefined!
+ERROR: "nf_hooks_needed" [net/ipv6/ipv6.ko] undefined!
+ERROR: "static_key_count" [net/ipv6/ipv6.ko] undefined!
+ERROR: "static_key_slow_inc" [net/ipv6/ipv6.ko] undefined!
+
+This change moves the check before all these references are added
+to KBUILD_CFLAGS. This is correct because subsequent KBUILD_CFLAGS
+modifications are not relevant to this check.
+
+Reported-by: Anton V. Boyarshinov <boyarsh@altlinux.org>
+Fixes: 35f860f9ba6a ("jump label: pass kbuild_cflags when checking for asm goto support")
+Signed-off-by: Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>
+Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
+Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Acked-by: David Lin <dtwlin@google.com>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Makefile | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -651,6 +651,12 @@ KBUILD_CFLAGS += $(call cc-ifversion, -l
+ # Tell gcc to never replace conditional load with a non-conditional one
+ KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0)
+
++# check for 'asm goto'
++ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-goto.sh $(CC) $(KBUILD_CFLAGS)), y)
++ KBUILD_CFLAGS += -DCC_HAVE_ASM_GOTO
++ KBUILD_AFLAGS += -DCC_HAVE_ASM_GOTO
++endif
++
+ include scripts/Makefile.gcc-plugins
+
+ ifdef CONFIG_READABLE_ASM
+@@ -796,12 +802,6 @@ KBUILD_CFLAGS += $(call cc-option,-Wer
+ # use the deterministic mode of AR if available
+ KBUILD_ARFLAGS := $(call ar-option,D)
+
+-# check for 'asm goto'
+-ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-goto.sh $(CC) $(KBUILD_CFLAGS)), y)
+- KBUILD_CFLAGS += -DCC_HAVE_ASM_GOTO
+- KBUILD_AFLAGS += -DCC_HAVE_ASM_GOTO
+-endif
+-
+ include scripts/Makefile.kasan
+ include scripts/Makefile.extrawarn
+ include scripts/Makefile.ubsan
--- /dev/null
+From b334e19ae9381f12a7521976883022385d2b7eef Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 13 Jan 2017 16:40:01 +0100
+Subject: Kbuild: use cc-disable-warning consistently for maybe-uninitialized
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit b334e19ae9381f12a7521976883022385d2b7eef upstream.
+
+In commit a76bcf557ef4 ("Kbuild: enable -Wmaybe-uninitialized warning
+for "make W=1""), I reverted another change that happened to fix a problem
+with old compilers, and now we get this report again with old compilers
+(prior to gcc-4.8) and GCOV enabled:
+
+ cc1: warnings being treated as errors
+ drivers/gpu/drm/i915/intel_ringbuffer.c: In function 'intel_ring_setup_status_page':
+ drivers/gpu/drm/i915/intel_ringbuffer.c:438: error: 'mmio.reg' may be used uninitialized in this function
+ At top level:
+>> cc1: error: unrecognized command line option "-Wno-maybe-uninitialized"
+
+The problem is that we turn off the warning conditionally in a number
+of places as we should, but one of them does it unconditionally.
+Instead, change it to call cc-disable-warning as we do elsewhere.
+
+The original patch that caused it was merged into linux-4.7, then
+4.8 removed the change and 4.9 brought it back, so we probably want
+a backport to 4.9 once this is merged.
+
+Use a ':=' assignment instead of '=' to force the cc-disable-warning
+call to only be evaluated once instead of every time.
+
+Fixes: a76bcf557ef4 ("Kbuild: enable -Wmaybe-uninitialized warning for "make W=1"")
+Fixes: e72e2dfe7c16 ("gcov: disable -Wmaybe-uninitialized warning")
+Reported-by: kbuild test robot <fengguang.wu@intel.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -370,7 +370,7 @@ LDFLAGS_MODULE =
+ CFLAGS_KERNEL =
+ AFLAGS_KERNEL =
+ LDFLAGS_vmlinux =
+-CFLAGS_GCOV = -fprofile-arcs -ftest-coverage -fno-tree-loop-im -Wno-maybe-uninitialized
++CFLAGS_GCOV := -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,)
+ CFLAGS_KCOV := $(call cc-option,-fsanitize-coverage=trace-pc,)
+
+
--- /dev/null
+From 7d65f82954dadbbe7b6e1aec7e07ad17bc6d958b Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 29 Mar 2017 14:15:24 +0200
+Subject: mac80211: unconditionally start new netdev queues with iTXQ support
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 7d65f82954dadbbe7b6e1aec7e07ad17bc6d958b upstream.
+
+When internal mac80211 TXQs aren't supported, netdev queues must
+always started out started even when driver queues are stopped
+while the interface is added. This is necessary because with the
+internal TXQ support netdev queues are never stopped and packet
+scheduling/dropping is done in mac80211.
+
+Fixes: 80a83cfc434b1 ("mac80211: skip netdev queue control with software queuing")
+Reported-and-tested-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/iface.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -718,7 +718,8 @@ int ieee80211_do_open(struct wireless_de
+ ieee80211_recalc_ps(local);
+
+ if (sdata->vif.type == NL80211_IFTYPE_MONITOR ||
+- sdata->vif.type == NL80211_IFTYPE_AP_VLAN) {
++ sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
++ local->ops->wake_tx_queue) {
+ /* XXX: for AP_VLAN, actually track AP queues */
+ netif_tx_start_all_queues(dev);
+ } else if (dev) {
--- /dev/null
+From 1f06b81aea5ecba2c1f8afd87e0ba1b9f8f90160 Mon Sep 17 00:00:00 2001
+From: Alexander Polakov <apolyakov@beget.ru>
+Date: Fri, 7 Apr 2017 16:04:45 -0700
+Subject: mm/page_alloc.c: fix print order in show_free_areas()
+
+From: Alexander Polakov <apolyakov@beget.ru>
+
+commit 1f06b81aea5ecba2c1f8afd87e0ba1b9f8f90160 upstream.
+
+Fixes: 11fb998986a72a ("mm: move most file-based accounting to the node")
+Link: http://lkml.kernel.org/r/1490377730.30219.2.camel@beget.ru
+Signed-off-by: Alexander Polyakov <apolyakov@beget.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page_alloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -4381,13 +4381,13 @@ void show_free_areas(unsigned int filter
+ K(node_page_state(pgdat, NR_FILE_MAPPED)),
+ K(node_page_state(pgdat, NR_FILE_DIRTY)),
+ K(node_page_state(pgdat, NR_WRITEBACK)),
++ K(node_page_state(pgdat, NR_SHMEM)),
+ #ifdef CONFIG_TRANSPARENT_HUGEPAGE
+ K(node_page_state(pgdat, NR_SHMEM_THPS) * HPAGE_PMD_NR),
+ K(node_page_state(pgdat, NR_SHMEM_PMDMAPPED)
+ * HPAGE_PMD_NR),
+ K(node_page_state(pgdat, NR_ANON_THPS) * HPAGE_PMD_NR),
+ #endif
+- K(node_page_state(pgdat, NR_SHMEM)),
+ K(node_page_state(pgdat, NR_WRITEBACK_TEMP)),
+ K(node_page_state(pgdat, NR_UNSTABLE_NFS)),
+ node_page_state(pgdat, NR_PAGES_SCANNED),
--- /dev/null
+From cefdc26e86728812aea54248a534fd4a5da2a43d Mon Sep 17 00:00:00 2001
+From: Martin Brandenburg <martin@omnibond.com>
+Date: Thu, 6 Apr 2017 18:11:00 -0400
+Subject: orangefs: move features validation to fix filesystem hang
+
+From: Martin Brandenburg <martin@omnibond.com>
+
+commit cefdc26e86728812aea54248a534fd4a5da2a43d upstream.
+
+Without this fix (and another to the userspace component itself
+described later), the kernel will be unable to process any OrangeFS
+requests after the userspace component is restarted (due to a crash or
+at the administrator's behest).
+
+The bug here is that inside orangefs_remount, the orangefs_request_mutex
+is locked. When the userspace component restarts while the filesystem
+is mounted, it sends a ORANGEFS_DEV_REMOUNT_ALL ioctl to the device,
+which causes the kernel to send it a few requests aimed at synchronizing
+the state between the two. While this is happening the
+orangefs_request_mutex is locked to prevent any other requests going
+through.
+
+This is only half of the bugfix. The other half is in the userspace
+component which outright ignores(!) requests made before it considers
+the filesystem remounted, which is after the ioctl returns. Of course
+the ioctl doesn't return until after the userspace component responds to
+the request it ignores. The userspace component has been changed to
+allow ORANGEFS_VFS_OP_FEATURES regardless of the mount status.
+
+Mike Marshall says:
+ "I've tested this patch against the fixed userspace part. This patch is
+ real important, I hope it can make it into 4.11...
+
+ Here's what happens when the userspace daemon is restarted, without
+ the patch:
+
+ =============================================
+ [ INFO: possible recursive locking detected ]
+ [ 4.10.0-00007-ge98bdb3 #1 Not tainted ]
+ ---------------------------------------------
+ pvfs2-client-co/29032 is trying to acquire lock:
+ (orangefs_request_mutex){+.+.+.}, at: service_operation+0x3c7/0x7b0 [orangefs]
+ but task is already holding lock:
+ (orangefs_request_mutex){+.+.+.}, at: dispatch_ioctl_command+0x1bf/0x330 [orangefs]
+
+ CPU: 0 PID: 29032 Comm: pvfs2-client-co Not tainted 4.10.0-00007-ge98bdb3 #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-1.fc25 04/01/2014
+ Call Trace:
+ __lock_acquire+0x7eb/0x1290
+ lock_acquire+0xe8/0x1d0
+ mutex_lock_killable_nested+0x6f/0x6e0
+ service_operation+0x3c7/0x7b0 [orangefs]
+ orangefs_remount+0xea/0x150 [orangefs]
+ dispatch_ioctl_command+0x227/0x330 [orangefs]
+ orangefs_devreq_ioctl+0x29/0x70 [orangefs]
+ do_vfs_ioctl+0xa3/0x6e0
+ SyS_ioctl+0x79/0x90"
+
+Signed-off-by: Martin Brandenburg <martin@omnibond.com>
+Acked-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/orangefs/super.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/orangefs/super.c
++++ b/fs/orangefs/super.c
+@@ -263,8 +263,13 @@ int orangefs_remount(struct orangefs_sb_
+ if (!new_op)
+ return -ENOMEM;
+ new_op->upcall.req.features.features = 0;
+- ret = service_operation(new_op, "orangefs_features", 0);
+- orangefs_features = new_op->downcall.resp.features.features;
++ ret = service_operation(new_op, "orangefs_features",
++ ORANGEFS_OP_PRIORITY | ORANGEFS_OP_NO_MUTEX);
++ if (!ret)
++ orangefs_features =
++ new_op->downcall.resp.features.features;
++ else
++ orangefs_features = 0;
+ op_release(new_op);
+ } else {
+ orangefs_features = 0;
--- /dev/null
+From 5402e97af667e35e54177af8f6575518bf251d51 Mon Sep 17 00:00:00 2001
+From: "bsegall@google.com" <bsegall@google.com>
+Date: Fri, 7 Apr 2017 16:04:51 -0700
+Subject: ptrace: fix PTRACE_LISTEN race corrupting task->state
+
+From: bsegall@google.com <bsegall@google.com>
+
+commit 5402e97af667e35e54177af8f6575518bf251d51 upstream.
+
+In PT_SEIZED + LISTEN mode STOP/CONT signals cause a wakeup against
+__TASK_TRACED. If this races with the ptrace_unfreeze_traced at the end
+of a PTRACE_LISTEN, this can wake the task /after/ the check against
+__TASK_TRACED, but before the reset of state to TASK_TRACED. This
+causes it to instead clobber TASK_WAKING, allowing a subsequent wakeup
+against TRACED while the task is still on the rq wake_list, corrupting
+it.
+
+Oleg said:
+ "The kernel can crash or this can lead to other hard-to-debug problems.
+ In short, "task->state = TASK_TRACED" in ptrace_unfreeze_traced()
+ assumes that nobody else can wake it up, but PTRACE_LISTEN breaks the
+ contract. Obviusly it is very wrong to manipulate task->state if this
+ task is already running, or WAKING, or it sleeps again"
+
+[akpm@linux-foundation.org: coding-style fixes]
+Fixes: 9899d11f ("ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL")
+Link: http://lkml.kernel.org/r/xm26y3vfhmkp.fsf_-_@bsegall-linux.mtv.corp.google.com
+Signed-off-by: Ben Segall <bsegall@google.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/ptrace.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -181,11 +181,17 @@ static void ptrace_unfreeze_traced(struc
+
+ WARN_ON(!task->ptrace || task->parent != current);
+
++ /*
++ * PTRACE_LISTEN can allow ptrace_trap_notify to wake us up remotely.
++ * Recheck state under the lock to close this race.
++ */
+ spin_lock_irq(&task->sighand->siglock);
+- if (__fatal_signal_pending(task))
+- wake_up_state(task, __TASK_TRACED);
+- else
+- task->state = TASK_TRACED;
++ if (task->state == __TASK_TRACED) {
++ if (__fatal_signal_pending(task))
++ wake_up_state(task, __TASK_TRACED);
++ else
++ task->state = TASK_TRACED;
++ }
+ spin_unlock_irq(&task->sighand->siglock);
+ }
+
--- /dev/null
+From 806a28efe9b78ffae5e2757e1ee924b8e50c08ab Mon Sep 17 00:00:00 2001
+From: Jan-Marek Glogowski <glogow@fbihome.de>
+Date: Mon, 20 Feb 2017 12:25:58 +0100
+Subject: Reset TreeId to zero on SMB2 TREE_CONNECT
+
+From: Jan-Marek Glogowski <glogow@fbihome.de>
+
+commit 806a28efe9b78ffae5e2757e1ee924b8e50c08ab upstream.
+
+Currently the cifs module breaks the CIFS specs on reconnect as
+described in http://msdn.microsoft.com/en-us/library/cc246529.aspx:
+
+"TreeId (4 bytes): Uniquely identifies the tree connect for the
+command. This MUST be 0 for the SMB2 TREE_CONNECT Request."
+
+Signed-off-by: Jan-Marek Glogowski <glogow@fbihome.de>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Tested-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1104,6 +1104,10 @@ SMB2_tcon(const unsigned int xid, struct
+ return -EINVAL;
+ }
+
++ /* SMB2 TREE_CONNECT request must be called with TreeId == 0 */
++ if (tcon)
++ tcon->tid = 0;
++
+ rc = small_smb2_init(SMB2_TREE_CONNECT, tcon, (void **) &req);
+ if (rc) {
+ kfree(unc_path);
--- /dev/null
+From 62277de758b155dc04b78f195a1cb5208c37b2df Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Date: Fri, 17 Jun 2016 17:33:59 +0000
+Subject: ring-buffer: Fix return value check in test_ringbuffer()
+
+From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+
+commit 62277de758b155dc04b78f195a1cb5208c37b2df upstream.
+
+In case of error, the function kthread_run() returns ERR_PTR()
+and never returns NULL. The NULL test in the return value check
+should be replaced with IS_ERR().
+
+Link: http://lkml.kernel.org/r/1466184839-14927-1-git-send-email-weiyj_lk@163.com
+
+Fixes: 6c43e554a ("ring-buffer: Add ring buffer startup selftest")
+Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ring_buffer.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -4825,9 +4825,9 @@ static __init int test_ringbuffer(void)
+ rb_data[cpu].cnt = cpu;
+ rb_threads[cpu] = kthread_create(rb_test, &rb_data[cpu],
+ "rbtester/%d", cpu);
+- if (WARN_ON(!rb_threads[cpu])) {
++ if (WARN_ON(IS_ERR(rb_threads[cpu]))) {
+ pr_cont("FAILED\n");
+- ret = -1;
++ ret = PTR_ERR(rb_threads[cpu]);
+ goto out_free;
+ }
+
+@@ -4837,9 +4837,9 @@ static __init int test_ringbuffer(void)
+
+ /* Now create the rb hammer! */
+ rb_hammer = kthread_run(rb_hammer_test, NULL, "rbhammer");
+- if (WARN_ON(!rb_hammer)) {
++ if (WARN_ON(IS_ERR(rb_hammer))) {
+ pr_cont("FAILED\n");
+- ret = -1;
++ ret = PTR_ERR(rb_hammer);
+ goto out_free;
+ }
+
iio-bmg160-reset-chip-when-probing.patch
arm64-mm-unaligned-access-by-user-land-should-be-received-as-sigbus.patch
cfg80211-check-rdev-resume-callback-only-for-registered-wiphy.patch
+reset-treeid-to-zero-on-smb2-tree_connect.patch
+mm-page_alloc.c-fix-print-order-in-show_free_areas.patch
+ptrace-fix-ptrace_listen-race-corrupting-task-state.patch
+dax-fix-radix-tree-insertion-race.patch
+dm-verity-fec-limit-error-correction-recursion.patch
+dm-verity-fec-fix-bufio-leaks.patch
+acpi-gpio-do-not-fall-back-to-parsing-_crs-when-we-get-a-deferral.patch
+acpi-scan-prefer-devices-without-_hid-for-_adr-matching.patch
+kbuild-use-cc-disable-warning-consistently-for-maybe-uninitialized.patch
+jump-label-fix-passing-kbuild_cflags-when-checking-for-asm-goto-support.patch
+orangefs-move-features-validation-to-fix-filesystem-hang.patch
+xfs-honor-falloc_fl_keep_size-when-punching-ends-of-files.patch
+ring-buffer-fix-return-value-check-in-test_ringbuffer.patch
+mac80211-unconditionally-start-new-netdev-queues-with-itxq-support.patch
+brcmfmac-use-local-iftype-avoiding-use-after-free-of-virtual-interface.patch
--- /dev/null
+From 3dd09d5a8589c640abb49cfcf92b4ed669eafad1 Mon Sep 17 00:00:00 2001
+From: Calvin Owens <calvinowens@fb.com>
+Date: Mon, 3 Apr 2017 12:22:29 -0700
+Subject: xfs: Honor FALLOC_FL_KEEP_SIZE when punching ends of files
+
+From: Calvin Owens <calvinowens@fb.com>
+
+commit 3dd09d5a8589c640abb49cfcf92b4ed669eafad1 upstream.
+
+When punching past EOF on XFS, fallocate(mode=PUNCH_HOLE|KEEP_SIZE) will
+round the file size up to the nearest multiple of PAGE_SIZE:
+
+ calvinow@vm-disks/generic-xfs-1 ~$ dd if=/dev/urandom of=test bs=2048 count=1
+ calvinow@vm-disks/generic-xfs-1 ~$ stat test
+ Size: 2048 Blocks: 8 IO Block: 4096 regular file
+ calvinow@vm-disks/generic-xfs-1 ~$ fallocate -n -l 2048 -o 2048 -p test
+ calvinow@vm-disks/generic-xfs-1 ~$ stat test
+ Size: 4096 Blocks: 8 IO Block: 4096 regular file
+
+Commit 3c2bdc912a1cc050 ("xfs: kill xfs_zero_remaining_bytes") replaced
+xfs_zero_remaining_bytes() with calls to iomap helpers. The new helpers
+don't enforce that [pos,offset) lies strictly on [0,i_size) when being
+called from xfs_free_file_space(), so by "leaking" these ranges into
+xfs_zero_range() we get this buggy behavior.
+
+Fix this by reintroducing the checks xfs_zero_remaining_bytes() did
+against i_size at the bottom of xfs_free_file_space().
+
+Reported-by: Aaron Gao <gzh@fb.com>
+Fixes: 3c2bdc912a1cc050 ("xfs: kill xfs_zero_remaining_bytes")
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Brian Foster <bfoster@redhat.com>
+Signed-off-by: Calvin Owens <calvinowens@fb.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_bmap_util.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_bmap_util.c
++++ b/fs/xfs/xfs_bmap_util.c
+@@ -1318,8 +1318,16 @@ xfs_free_file_space(
+ /*
+ * Now that we've unmap all full blocks we'll have to zero out any
+ * partial block at the beginning and/or end. xfs_zero_range is
+- * smart enough to skip any holes, including those we just created.
++ * smart enough to skip any holes, including those we just created,
++ * but we must take care not to zero beyond EOF and enlarge i_size.
+ */
++
++ if (offset >= XFS_ISIZE(ip))
++ return 0;
++
++ if (offset + len > XFS_ISIZE(ip))
++ len = XFS_ISIZE(ip) - offset;
++
+ return xfs_zero_range(ip, offset, len, NULL);
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
