--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Jaroslav Kysela <perex@perex.cz>
+Date: Thu, 9 Mar 2017 13:29:13 +0100
+Subject: ALSA: hda - add support for docking station for HP 820 G2
+
+From: Jaroslav Kysela <perex@perex.cz>
+
+
+[ Upstream commit 04d5466a976b096364a39a63ac264c1b3a5f8fa1 ]
+
+This tested patch adds missing initialization for Line-In/Out PINs for
+the docking station for HP 820 G2.
+
+Signed-off-by: Jaroslav Kysela <perex@perex.cz>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4839,6 +4839,7 @@ enum {
+ ALC286_FIXUP_HP_GPIO_LED,
+ ALC280_FIXUP_HP_GPIO2_MIC_HOTKEY,
+ ALC280_FIXUP_HP_DOCK_PINS,
++ ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED,
+ ALC280_FIXUP_HP_9480M,
+ ALC288_FIXUP_DELL_HEADSET_MODE,
+ ALC288_FIXUP_DELL1_MIC_NO_PRESENCE,
+@@ -5377,6 +5378,16 @@ static const struct hda_fixup alc269_fix
+ .chained = true,
+ .chain_id = ALC280_FIXUP_HP_GPIO4
+ },
++ [ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x1b, 0x21011020 }, /* line-out */
++ { 0x18, 0x2181103f }, /* line-in */
++ { },
++ },
++ .chained = true,
++ .chain_id = ALC269_FIXUP_HP_GPIO_MIC1_LED
++ },
+ [ALC280_FIXUP_HP_9480M] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc280_fixup_hp_9480m,
+@@ -5629,7 +5640,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x2256, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED),
+ SND_PCI_QUIRK(0x103c, 0x2257, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED),
+ SND_PCI_QUIRK(0x103c, 0x2259, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED),
+- SND_PCI_QUIRK(0x103c, 0x225a, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED),
++ SND_PCI_QUIRK(0x103c, 0x225a, "HP", ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED),
+ SND_PCI_QUIRK(0x103c, 0x2260, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
+ SND_PCI_QUIRK(0x103c, 0x2263, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
+ SND_PCI_QUIRK(0x103c, 0x2264, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
+@@ -5794,6 +5805,7 @@ static const struct hda_model_fixup alc2
+ {.id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC, .name = "headset-mode-no-hp-mic"},
+ {.id = ALC269_FIXUP_LENOVO_DOCK, .name = "lenovo-dock"},
+ {.id = ALC269_FIXUP_HP_GPIO_LED, .name = "hp-gpio-led"},
++ {.id = ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED, .name = "hp-dock-gpio-mic1-led"},
+ {.id = ALC269_FIXUP_DELL1_MIC_NO_PRESENCE, .name = "dell-headset-multi"},
+ {.id = ALC269_FIXUP_DELL2_MIC_NO_PRESENCE, .name = "dell-headset-dock"},
+ {.id = ALC283_FIXUP_CHROME_BOOK, .name = "alc283-dac-wcaps"},
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Jaroslav Kysela <perex@perex.cz>
+Date: Thu, 9 Mar 2017 13:30:09 +0100
+Subject: ALSA: hda - add support for docking station for HP 840 G3
+
+From: Jaroslav Kysela <perex@perex.cz>
+
+
+[ Upstream commit cc3a47a248d7791ef0d2c81a35c46769e55e4c6c ]
+
+This tested patch adds missing initialization for Line-In/Out PINs for
+the docking station for HP 840 G3.
+
+Signed-off-by: Jaroslav Kysela <perex@perex.cz>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_conexant.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -261,6 +261,7 @@ enum {
+ CXT_FIXUP_HP_530,
+ CXT_FIXUP_CAP_MIX_AMP_5047,
+ CXT_FIXUP_MUTE_LED_EAPD,
++ CXT_FIXUP_HP_DOCK,
+ CXT_FIXUP_HP_SPECTRE,
+ CXT_FIXUP_HP_GATE_MIC,
+ };
+@@ -778,6 +779,14 @@ static const struct hda_fixup cxt_fixups
+ .type = HDA_FIXUP_FUNC,
+ .v.func = cxt_fixup_mute_led_eapd,
+ },
++ [CXT_FIXUP_HP_DOCK] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x16, 0x21011020 }, /* line-out */
++ { 0x18, 0x2181103f }, /* line-in */
++ { }
++ }
++ },
+ [CXT_FIXUP_HP_SPECTRE] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = (const struct hda_pintbl[]) {
+@@ -839,6 +848,7 @@ static const struct snd_pci_quirk cxt506
+ SND_PCI_QUIRK(0x1025, 0x0543, "Acer Aspire One 522", CXT_FIXUP_STEREO_DMIC),
+ SND_PCI_QUIRK(0x1025, 0x054c, "Acer Aspire 3830TG", CXT_FIXUP_ASPIRE_DMIC),
+ SND_PCI_QUIRK(0x1025, 0x054f, "Acer Aspire 4830T", CXT_FIXUP_ASPIRE_DMIC),
++ SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
+ SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
+ SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
+@@ -872,6 +882,7 @@ static const struct hda_model_fixup cxt5
+ { .id = CXT_PINCFG_LEMOTE_A1205, .name = "lemote-a1205" },
+ { .id = CXT_FIXUP_OLPC_XO, .name = "olpc-xo" },
+ { .id = CXT_FIXUP_MUTE_LED_EAPD, .name = "mute-led-eapd" },
++ { .id = CXT_FIXUP_HP_DOCK, .name = "hp-dock" },
+ {}
+ };
+
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Wed, 29 Mar 2017 17:12:47 +0100
+Subject: ARM: dma-mapping: disallow dma_get_sgtable() for non-kernel managed memory
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+
+[ Upstream commit 916a008b4b8ecc02fbd035cfb133773dba1ff3d7 ]
+
+dma_get_sgtable() tries to create a scatterlist table containing valid
+struct page pointers for the coherent memory allocation passed in to it.
+
+However, memory can be declared via dma_declare_coherent_memory(), or
+via other reservation schemes which means that coherent memory is not
+guaranteed to be backed by struct pages. In such cases, the resulting
+scatterlist table contains pointers to invalid pages, which causes
+kernel oops later.
+
+This patch adds detection of such memory, and refuses to create a
+scatterlist table for such memory.
+
+Reported-by: Shuah Khan <shuahkhan@gmail.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mm/dma-mapping.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/mm/dma-mapping.c
++++ b/arch/arm/mm/dma-mapping.c
+@@ -774,13 +774,31 @@ static void arm_coherent_dma_free(struct
+ __arm_dma_free(dev, size, cpu_addr, handle, attrs, true);
+ }
+
++/*
++ * The whole dma_get_sgtable() idea is fundamentally unsafe - it seems
++ * that the intention is to allow exporting memory allocated via the
++ * coherent DMA APIs through the dma_buf API, which only accepts a
++ * scattertable. This presents a couple of problems:
++ * 1. Not all memory allocated via the coherent DMA APIs is backed by
++ * a struct page
++ * 2. Passing coherent DMA memory into the streaming APIs is not allowed
++ * as we will try to flush the memory through a different alias to that
++ * actually being used (and the flushes are redundant.)
++ */
+ int arm_dma_get_sgtable(struct device *dev, struct sg_table *sgt,
+ void *cpu_addr, dma_addr_t handle, size_t size,
+ struct dma_attrs *attrs)
+ {
+- struct page *page = pfn_to_page(dma_to_pfn(dev, handle));
++ unsigned long pfn = dma_to_pfn(dev, handle);
++ struct page *page;
+ int ret;
+
++ /* If the PFN is not valid, we do not have a struct page */
++ if (!pfn_valid(pfn))
++ return -ENXIO;
++
++ page = pfn_to_page(pfn);
++
+ ret = sg_alloc_table(sgt, 1, GFP_KERNEL);
+ if (unlikely(ret))
+ return ret;
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: "Reizer, Eyal" <eyalr@ti.com>
+Date: Sun, 26 Mar 2017 08:53:10 +0000
+Subject: ARM: dts: am335x-evmsk: adjust mmc2 param to allow suspend
+
+From: "Reizer, Eyal" <eyalr@ti.com>
+
+
+[ Upstream commit 9bcf53f34a2c1cebc45cc12e273dcd5f51fbc099 ]
+
+mmc2 used for wl12xx was missing the keep-power-in suspend
+parameter. As a result the board couldn't reach suspend state.
+
+Signed-off-by: Eyal Reizer <eyalr@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/am335x-evmsk.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/boot/dts/am335x-evmsk.dts
++++ b/arch/arm/boot/dts/am335x-evmsk.dts
+@@ -668,6 +668,7 @@
+ ti,non-removable;
+ bus-width = <4>;
+ cap-power-off-card;
++ keep-power-in-suspend;
+ pinctrl-names = "default";
+ pinctrl-0 = <&mmc2_pins>;
+
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Rob Herring <robh@kernel.org>
+Date: Tue, 21 Mar 2017 21:03:01 -0500
+Subject: ARM: dts: ti: fix PCI bus dtc warnings
+
+From: Rob Herring <robh@kernel.org>
+
+
+[ Upstream commit 7d79f6098d82f8c09914d7799bc96891ad9c3baf ]
+
+dtc recently added PCI bus checks. Fix these warnings.
+
+Signed-off-by: Rob Herring <robh@kernel.org>
+Cc: "Benoît Cousson" <bcousson@baylibre.com>
+Cc: Tony Lindgren <tony@atomide.com>
+Cc: linux-omap@vger.kernel.org
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/dra7.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/boot/dts/dra7.dtsi
++++ b/arch/arm/boot/dts/dra7.dtsi
+@@ -227,6 +227,7 @@
+ device_type = "pci";
+ ranges = <0x81000000 0 0 0x03000 0 0x00010000
+ 0x82000000 0 0x20013000 0x13000 0 0xffed000>;
++ bus-range = <0x00 0xff>;
+ #interrupt-cells = <1>;
+ num-lanes = <1>;
+ ti,hwmods = "pcie1";
+@@ -262,6 +263,7 @@
+ device_type = "pci";
+ ranges = <0x81000000 0 0 0x03000 0 0x00010000
+ 0x82000000 0 0x30013000 0x13000 0 0xffed000>;
++ bus-range = <0x00 0xff>;
+ #interrupt-cells = <1>;
+ num-lanes = <1>;
+ ti,hwmods = "pcie2";
--- /dev/null
+From ef0491ea17f8019821c7e9c8e801184ecf17f85a Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Fri, 13 May 2016 15:30:13 +0200
+Subject: ARM: Hide finish_arch_post_lock_switch() from modules
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit ef0491ea17f8019821c7e9c8e801184ecf17f85a upstream.
+
+The introduction of switch_mm_irqs_off() brought back an old bug
+regarding the use of preempt_enable_no_resched:
+
+As part of:
+
+ 62b94a08da1b ("sched/preempt: Take away preempt_enable_no_resched() from modules")
+
+the definition of preempt_enable_no_resched() is only available in
+built-in code, not in loadable modules, so we can't generally use
+it from header files.
+
+However, the ARM version of finish_arch_post_lock_switch()
+calls preempt_enable_no_resched() and is defined as a static
+inline function in asm/mmu_context.h. This in turn means we cannot
+include asm/mmu_context.h from modules.
+
+With today's tip tree, asm/mmu_context.h gets included from
+linux/mmu_context.h, which is normally the exact pattern one would
+expect, but unfortunately, linux/mmu_context.h can be included from
+the vhost driver that is a loadable module, now causing this compile
+time error with modular configs:
+
+ In file included from ../include/linux/mmu_context.h:4:0,
+ from ../drivers/vhost/vhost.c:18:
+ ../arch/arm/include/asm/mmu_context.h: In function 'finish_arch_post_lock_switch':
+ ../arch/arm/include/asm/mmu_context.h:88:3: error: implicit declaration of function 'preempt_enable_no_resched' [-Werror=implicit-function-declaration]
+ preempt_enable_no_resched();
+
+Andy already tried to fix the bug by including linux/preempt.h
+from asm/mmu_context.h, but that didn't help. Arnd suggested reordering
+the header files, which wasn't popular, so let's use this
+workaround instead:
+
+The finish_arch_post_lock_switch() definition is now also hidden
+inside of #ifdef MODULE, so we don't see anything referencing
+preempt_enable_no_resched() from a header file. I've built a
+few hundred randconfig kernels with this, and did not see any
+new problems.
+
+Tested-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Russell King - ARM Linux <linux@armlinux.org.uk>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vince Weaver <vincent.weaver@maine.edu>
+Cc: linux-arm-kernel@lists.infradead.org
+Fixes: f98db6013c55 ("sched/core: Add switch_mm_irqs_off() and use it in the scheduler")
+Link: http://lkml.kernel.org/r/1463146234-161304-1-git-send-email-arnd@arndb.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/include/asm/mmu_context.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/include/asm/mmu_context.h
++++ b/arch/arm/include/asm/mmu_context.h
+@@ -61,6 +61,7 @@ static inline void check_and_switch_cont
+ cpu_switch_mm(mm->pgd, mm);
+ }
+
++#ifndef MODULE
+ #define finish_arch_post_lock_switch \
+ finish_arch_post_lock_switch
+ static inline void finish_arch_post_lock_switch(void)
+@@ -82,6 +83,7 @@ static inline void finish_arch_post_lock
+ preempt_enable_no_resched();
+ }
+ }
++#endif /* !MODULE */
+
+ #endif /* CONFIG_MMU */
+
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Jon Medhurst <tixy@linaro.org>
+Date: Thu, 2 Mar 2017 13:04:09 +0000
+Subject: arm: kprobes: Align stack to 8-bytes in test code
+
+From: Jon Medhurst <tixy@linaro.org>
+
+
+[ Upstream commit 974310d047f3c7788a51d10c8d255eebdb1fa857 ]
+
+kprobes test cases need to have a stack that is aligned to an 8-byte
+boundary because they call other functions (and the ARM ABI mandates
+that alignment) and because test cases include 64-bit accesses to the
+stack. Unfortunately, GCC doesn't ensure this alignment for inline
+assembler and for the code in question seems to always misalign it by
+pushing just the LR register onto the stack. We therefore need to
+explicitly perform stack alignment at the start of each test case.
+
+Without this fix, some test cases will generate alignment faults on
+systems where alignment is enforced. Even if the kernel is configured to
+handle these faults in software, triggering them is ugly. It also
+exposes limitations in the fault handling code which doesn't cope with
+writes to the stack. E.g. when handling this instruction
+
+ strd r6, [sp, #-64]!
+
+the fault handling code will write to a stack location below the SP
+value at the point the fault occurred, which coincides with where the
+exception handler has pushed the saved register context. This results in
+corruption of those registers.
+
+Signed-off-by: Jon Medhurst <tixy@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/probes/kprobes/test-core.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/arch/arm/probes/kprobes/test-core.c
++++ b/arch/arm/probes/kprobes/test-core.c
+@@ -976,7 +976,10 @@ static void coverage_end(void)
+ void __naked __kprobes_test_case_start(void)
+ {
+ __asm__ __volatile__ (
+- "stmdb sp!, {r4-r11} \n\t"
++ "mov r2, sp \n\t"
++ "bic r3, r2, #7 \n\t"
++ "mov sp, r3 \n\t"
++ "stmdb sp!, {r2-r11} \n\t"
+ "sub sp, sp, #"__stringify(TEST_MEMORY_SIZE)"\n\t"
+ "bic r0, lr, #1 @ r0 = inline data \n\t"
+ "mov r1, sp \n\t"
+@@ -996,7 +999,8 @@ void __naked __kprobes_test_case_end_32(
+ "movne pc, r0 \n\t"
+ "mov r0, r4 \n\t"
+ "add sp, sp, #"__stringify(TEST_MEMORY_SIZE)"\n\t"
+- "ldmia sp!, {r4-r11} \n\t"
++ "ldmia sp!, {r2-r11} \n\t"
++ "mov sp, r2 \n\t"
+ "mov pc, r0 \n\t"
+ );
+ }
+@@ -1012,7 +1016,8 @@ void __naked __kprobes_test_case_end_16(
+ "bxne r0 \n\t"
+ "mov r0, r4 \n\t"
+ "add sp, sp, #"__stringify(TEST_MEMORY_SIZE)"\n\t"
+- "ldmia sp!, {r4-r11} \n\t"
++ "ldmia sp!, {r2-r11} \n\t"
++ "mov sp, r2 \n\t"
+ "bx r0 \n\t"
+ );
+ }
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Tue, 14 Feb 2017 00:05:59 +0900
+Subject: arm: kprobes: Fix the return address of multiple kretprobes
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+
+[ Upstream commit 06553175f585b52509c7df37d6f4a50aacb7b211 ]
+
+This is arm port of commit 737480a0d525 ("kprobes/x86:
+Fix the return address of multiple kretprobes").
+
+Fix the return address of subsequent kretprobes when multiple
+kretprobes are set on the same function.
+
+For example:
+
+ # cd /sys/kernel/debug/tracing
+ # echo "r:event1 sys_symlink" > kprobe_events
+ # echo "r:event2 sys_symlink" >> kprobe_events
+ # echo 1 > events/kprobes/enable
+ # ln -s /tmp/foo /tmp/bar
+
+ (without this patch)
+
+ # cat trace | grep -v ^#
+ ln-82 [000] dn.2 68.446525: event1: (kretprobe_trampoline+0x0/0x18 <- SyS_symlink)
+ ln-82 [000] dn.2 68.447831: event2: (ret_fast_syscall+0x0/0x1c <- SyS_symlink)
+
+ (with this patch)
+
+ # cat trace | grep -v ^#
+ ln-81 [000] dn.1 39.463469: event1: (ret_fast_syscall+0x0/0x1c <- SyS_symlink)
+ ln-81 [000] dn.1 39.464701: event2: (ret_fast_syscall+0x0/0x1c <- SyS_symlink)
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: KUMANO Syuhei <kumano.prog@gmail.com>
+Signed-off-by: Jon Medhurst <tixy@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/probes/kprobes/core.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/probes/kprobes/core.c
++++ b/arch/arm/probes/kprobes/core.c
+@@ -433,6 +433,7 @@ static __used __kprobes void *trampoline
+ struct hlist_node *tmp;
+ unsigned long flags, orig_ret_address = 0;
+ unsigned long trampoline_address = (unsigned long)&kretprobe_trampoline;
++ kprobe_opcode_t *correct_ret_addr = NULL;
+
+ INIT_HLIST_HEAD(&empty_rp);
+ kretprobe_hash_lock(current, &head, &flags);
+@@ -455,14 +456,34 @@ static __used __kprobes void *trampoline
+ /* another task is sharing our hash bucket */
+ continue;
+
++ orig_ret_address = (unsigned long)ri->ret_addr;
++
++ if (orig_ret_address != trampoline_address)
++ /*
++ * This is the real return address. Any other
++ * instances associated with this task are for
++ * other calls deeper on the call stack
++ */
++ break;
++ }
++
++ kretprobe_assert(ri, orig_ret_address, trampoline_address);
++
++ correct_ret_addr = ri->ret_addr;
++ hlist_for_each_entry_safe(ri, tmp, head, hlist) {
++ if (ri->task != current)
++ /* another task is sharing our hash bucket */
++ continue;
++
++ orig_ret_address = (unsigned long)ri->ret_addr;
+ if (ri->rp && ri->rp->handler) {
+ __this_cpu_write(current_kprobe, &ri->rp->kp);
+ get_kprobe_ctlblk()->kprobe_status = KPROBE_HIT_ACTIVE;
++ ri->ret_addr = correct_ret_addr;
+ ri->rp->handler(ri, regs);
+ __this_cpu_write(current_kprobe, NULL);
+ }
+
+- orig_ret_address = (unsigned long)ri->ret_addr;
+ recycle_rp_inst(ri, &empty_rp);
+
+ if (orig_ret_address != trampoline_address)
+@@ -474,7 +495,6 @@ static __used __kprobes void *trampoline
+ break;
+ }
+
+- kretprobe_assert(ri, orig_ret_address, trampoline_address);
+ kretprobe_hash_unlock(current, &flags);
+
+ hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Derek Basehore <dbasehore@chromium.org>
+Date: Tue, 29 Aug 2017 13:34:34 -0700
+Subject: backlight: pwm_bl: Fix overflow condition
+
+From: Derek Basehore <dbasehore@chromium.org>
+
+
+[ Upstream commit 5d0c49acebc9488e37db95f1d4a55644e545ffe7 ]
+
+This fixes an overflow condition that can happen with high max
+brightness and period values in compute_duty_cycle. This fixes it by
+using a 64 bit variable for computing the duty cycle.
+
+Signed-off-by: Derek Basehore <dbasehore@chromium.org>
+Acked-by: Thierry Reding <thierry.reding@gmail.com>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/backlight/pwm_bl.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/backlight/pwm_bl.c
++++ b/drivers/video/backlight/pwm_bl.c
+@@ -79,14 +79,17 @@ static void pwm_backlight_power_off(stru
+ static int compute_duty_cycle(struct pwm_bl_data *pb, int brightness)
+ {
+ unsigned int lth = pb->lth_brightness;
+- int duty_cycle;
++ u64 duty_cycle;
+
+ if (pb->levels)
+ duty_cycle = pb->levels[brightness];
+ else
+ duty_cycle = brightness;
+
+- return (duty_cycle * (pb->period - lth) / pb->scale) + lth;
++ duty_cycle *= pb->period - lth;
++ do_div(duty_cycle, pb->scale);
++
++ return duty_cycle + lth;
+ }
+
+ static int pwm_backlight_update_status(struct backlight_device *bl)
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 23 Mar 2017 17:07:26 +0100
+Subject: bna: avoid writing uninitialized data into hw registers
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+
+[ Upstream commit a5af83925363eb85d467933e3d6ec5a87001eb7c ]
+
+The latest gcc-7 snapshot warns about bfa_ioc_send_enable/bfa_ioc_send_disable
+writing undefined values into the hardware registers:
+
+drivers/net/ethernet/brocade/bna/bfa_ioc.c: In function 'bfa_iocpf_sm_disabling_entry':
+arch/arm/include/asm/io.h:109:22: error: '*((void *)&disable_req+4)' is used uninitialized in this function [-Werror=uninitialized]
+arch/arm/include/asm/io.h:109:22: error: '*((void *)&disable_req+8)' is used uninitialized in this function [-Werror=uninitialized]
+
+The two functions look like they should do the same thing, but only one
+of them initializes the time stamp and clscode field. The fact that we
+only get a warning for one of the two functions seems to be arbitrary,
+based on the inlining decisions in the compiler.
+
+To address this, I'm making both functions do the same thing:
+
+- set the clscode from the ioc structure in both
+- set the time stamp from ktime_get_real_seconds (which also
+ avoids the signed-integer overflow in 2038 and extends the
+ well-defined behavior until 2106).
+- zero-fill the reserved field
+
+Fixes: 8b230ed8ec96 ("bna: Brocade 10Gb Ethernet device driver")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/brocade/bna/bfa_ioc.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/brocade/bna/bfa_ioc.c
++++ b/drivers/net/ethernet/brocade/bna/bfa_ioc.c
+@@ -1930,13 +1930,13 @@ static void
+ bfa_ioc_send_enable(struct bfa_ioc *ioc)
+ {
+ struct bfi_ioc_ctrl_req enable_req;
+- struct timeval tv;
+
+ bfi_h2i_set(enable_req.mh, BFI_MC_IOC, BFI_IOC_H2I_ENABLE_REQ,
+ bfa_ioc_portid(ioc));
+ enable_req.clscode = htons(ioc->clscode);
+- do_gettimeofday(&tv);
+- enable_req.tv_sec = ntohl(tv.tv_sec);
++ enable_req.rsvd = htons(0);
++ /* overflow in 2106 */
++ enable_req.tv_sec = ntohl(ktime_get_real_seconds());
+ bfa_ioc_mbox_send(ioc, &enable_req, sizeof(struct bfi_ioc_ctrl_req));
+ }
+
+@@ -1947,6 +1947,10 @@ bfa_ioc_send_disable(struct bfa_ioc *ioc
+
+ bfi_h2i_set(disable_req.mh, BFI_MC_IOC, BFI_IOC_H2I_DISABLE_REQ,
+ bfa_ioc_portid(ioc));
++ disable_req.clscode = htons(ioc->clscode);
++ disable_req.rsvd = htons(0);
++ /* overflow in 2106 */
++ disable_req.tv_sec = ntohl(ktime_get_real_seconds());
+ bfa_ioc_mbox_send(ioc, &disable_req, sizeof(struct bfi_ioc_ctrl_req));
+ }
+
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 17 Mar 2017 23:52:35 +0300
+Subject: bna: integer overflow bug in debugfs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit 13e2d5187f6b965ba3556caedb914baf81b98ed2 ]
+
+We could allocate less memory than intended because we do:
+
+ bnad->regdata = kzalloc(len << 2, GFP_KERNEL);
+
+The shift can overflow leading to a crash. This is debugfs code so the
+impact is very small.
+
+Fixes: 7afc5dbde091 ("bna: Add debugfs interface.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Rasesh Mody <rasesh.mody@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
++++ b/drivers/net/ethernet/brocade/bna/bnad_debugfs.c
+@@ -324,7 +324,7 @@ bnad_debugfs_write_regrd(struct file *fi
+ return PTR_ERR(kern_buf);
+
+ rc = sscanf(kern_buf, "%x:%x", &addr, &len);
+- if (rc < 2) {
++ if (rc < 2 || len > UINT_MAX >> 2) {
+ netdev_warn(bnad->netdev, "failed to read user buffer\n");
+ kfree(kern_buf);
+ return -EINVAL;
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Sankar Patchineelam <sankar.patchineelam@broadcom.com>
+Date: Tue, 28 Mar 2017 19:47:29 -0400
+Subject: bnxt_en: Fix NULL pointer dereference in reopen failure path
+
+From: Sankar Patchineelam <sankar.patchineelam@broadcom.com>
+
+
+[ Upstream commit 2247925f0942dc4e7c09b1cde45ca18461d94c5f ]
+
+Net device reset can fail when the h/w or f/w is in a bad state.
+Subsequent netdevice open fails in bnxt_hwrm_stat_ctx_alloc().
+The cleanup invokes bnxt_hwrm_resource_free() which inturn
+calls bnxt_disable_int(). In this routine, the code segment
+
+if (ring->fw_ring_id != INVALID_HW_RING_ID)
+ BNXT_CP_DB(cpr->cp_doorbell, cpr->cp_raw_cons);
+
+results in NULL pointer dereference as cpr->cp_doorbell is not yet
+initialized, and fw_ring_id is zero.
+
+The fix is to initialize cpr fw_ring_id to INVALID_HW_RING_ID before
+bnxt_init_chip() is invoked.
+
+Signed-off-by: Sankar Patchineelam <sankar.patchineelam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -2014,6 +2014,18 @@ static int bnxt_init_one_rx_ring(struct
+ return 0;
+ }
+
++static void bnxt_init_cp_rings(struct bnxt *bp)
++{
++ int i;
++
++ for (i = 0; i < bp->cp_nr_rings; i++) {
++ struct bnxt_cp_ring_info *cpr = &bp->bnapi[i]->cp_ring;
++ struct bnxt_ring_struct *ring = &cpr->cp_ring_struct;
++
++ ring->fw_ring_id = INVALID_HW_RING_ID;
++ }
++}
++
+ static int bnxt_init_rx_rings(struct bnxt *bp)
+ {
+ int i, rc = 0;
+@@ -3977,6 +3989,7 @@ static int bnxt_shutdown_nic(struct bnxt
+
+ static int bnxt_init_nic(struct bnxt *bp, bool irq_re_init)
+ {
++ bnxt_init_cp_rings(bp);
+ bnxt_init_rx_rings(bp);
+ bnxt_init_tx_rings(bp);
+ bnxt_init_ring_grps(bp, irq_re_init);
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Fri, 1 Sep 2017 14:29:56 +1000
+Subject: cpuidle: fix broadcast control when broadcast can not be entered
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+
+[ Upstream commit f187851b9b4a76952b1158b86434563dd2031103 ]
+
+When failing to enter broadcast timer mode for an idle state that
+requires it, a new state is selected that does not require broadcast,
+but the broadcast variable remains set. This causes
+tick_broadcast_exit to be called despite not having entered broadcast
+mode.
+
+This causes the WARN_ON_ONCE(!irqs_disabled()) to trigger in some
+cases. It does not appear to cause problems for code today, but seems
+to violate the interface so should be fixed.
+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpuidle/cpuidle.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/cpuidle/cpuidle.c
++++ b/drivers/cpuidle/cpuidle.c
+@@ -189,6 +189,7 @@ int cpuidle_enter_state(struct cpuidle_d
+ return -EBUSY;
+ }
+ target_state = &drv->states[index];
++ broadcast = false;
+ }
+
+ /* Take note of the planned idle state. */
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+Date: Thu, 23 Mar 2017 20:52:46 +0530
+Subject: cpuidle: powernv: Pass correct drv->cpumask for registration
+
+From: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+
+
+[ Upstream commit 293d264f13cbde328d5477f49e3103edbc1dc191 ]
+
+drv->cpumask defaults to cpu_possible_mask in __cpuidle_driver_init().
+On PowerNV platform cpu_present could be less than cpu_possible in cases
+where firmware detects the cpu, but it is not available to the OS. When
+CONFIG_HOTPLUG_CPU=n, such cpus are not hotplugable at runtime and hence
+we skip creating cpu_device.
+
+This breaks cpuidle on powernv where register_cpu() is not called for
+cpus in cpu_possible_mask that cannot be hot-added at runtime.
+
+Trying cpuidle_register_device() on cpu without cpu_device will cause
+crash like this:
+
+cpu 0xf: Vector: 380 (Data SLB Access) at [c000000ff1503490]
+ pc: c00000000022c8bc: string+0x34/0x60
+ lr: c00000000022ed78: vsnprintf+0x284/0x42c
+ sp: c000000ff1503710
+ msr: 9000000000009033
+ dar: 6000000060000000
+ current = 0xc000000ff1480000
+ paca = 0xc00000000fe82d00 softe: 0 irq_happened: 0x01
+ pid = 1, comm = swapper/8
+Linux version 4.11.0-rc2 (sv@sagarika) (gcc version 4.9.4
+(Buildroot 2017.02-00004-gc28573e) ) #15 SMP Fri Mar 17 19:32:02 IST 2017
+enter ? for help
+[link register ] c00000000022ed78 vsnprintf+0x284/0x42c
+[c000000ff1503710] c00000000022ebb8 vsnprintf+0xc4/0x42c (unreliable)
+[c000000ff1503800] c00000000022ef40 vscnprintf+0x20/0x44
+[c000000ff1503830] c0000000000ab61c vprintk_emit+0x94/0x2cc
+[c000000ff15038a0] c0000000000acc9c vprintk_func+0x60/0x74
+[c000000ff15038c0] c000000000619694 printk+0x38/0x4c
+[c000000ff15038e0] c000000000224950 kobject_get+0x40/0x60
+[c000000ff1503950] c00000000022507c kobject_add_internal+0x60/0x2c4
+[c000000ff15039e0] c000000000225350 kobject_init_and_add+0x70/0x78
+[c000000ff1503a60] c00000000053c288 cpuidle_add_sysfs+0x9c/0xe0
+[c000000ff1503ae0] c00000000053aeac cpuidle_register_device+0xd4/0x12c
+[c000000ff1503b30] c00000000053b108 cpuidle_register+0x98/0xcc
+[c000000ff1503bc0] c00000000085eaf0 powernv_processor_idle_init+0x140/0x1e0
+[c000000ff1503c60] c00000000000cd60 do_one_initcall+0xc0/0x15c
+[c000000ff1503d20] c000000000833e84 kernel_init_freeable+0x1a0/0x25c
+[c000000ff1503dc0] c00000000000d478 kernel_init+0x24/0x12c
+[c000000ff1503e30] c00000000000b564 ret_from_kernel_thread+0x5c/0x78
+
+This patch fixes the bug by passing correct cpumask from
+powernv-cpuidle driver.
+
+Signed-off-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+Reviewed-by: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
+Acked-by: Michael Ellerman <mpe@ellerman.id.au>
+[ rjw: Comment massage ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpuidle/cpuidle-powernv.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/cpuidle/cpuidle-powernv.c
++++ b/drivers/cpuidle/cpuidle-powernv.c
+@@ -160,6 +160,24 @@ static int powernv_cpuidle_driver_init(v
+ drv->state_count += 1;
+ }
+
++ /*
++ * On the PowerNV platform cpu_present may be less than cpu_possible in
++ * cases when firmware detects the CPU, but it is not available to the
++ * OS. If CONFIG_HOTPLUG_CPU=n, then such CPUs are not hotplugable at
++ * run time and hence cpu_devices are not created for those CPUs by the
++ * generic topology_init().
++ *
++ * drv->cpumask defaults to cpu_possible_mask in
++ * __cpuidle_driver_init(). This breaks cpuidle on PowerNV where
++ * cpu_devices are not created for CPUs in cpu_possible_mask that
++ * cannot be hot-added later at run time.
++ *
++ * Trying cpuidle_register_device() on a CPU without a cpu_device is
++ * incorrect, so pass a correct CPU mask to the generic cpuidle driver.
++ */
++
++ drv->cpumask = (struct cpumask *)cpu_present_mask;
++
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+Date: Sun, 19 Mar 2017 00:51:59 +0530
+Subject: cpuidle: Validate cpu_dev in cpuidle_add_sysfs()
+
+From: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+
+
+[ Upstream commit ad0a45fd9c14feebd000b6e84189d0edff265170 ]
+
+If a given cpu is not in cpu_present and cpu hotplug
+is disabled, arch can skip setting up the cpu_dev.
+
+Arch cpuidle driver should pass correct cpu mask
+for registration, but failing to do so by the driver
+causes error to propagate and crash like this:
+
+[ 30.076045] Unable to handle kernel paging request for data at address 0x00000048
+[ 30.076100] Faulting instruction address: 0xc0000000007b2f30
+cpu 0x4d: Vector: 300 (Data Access) at [c000003feb18b670]
+ pc: c0000000007b2f30: kobject_get+0x20/0x70
+ lr: c0000000007b3c94: kobject_add_internal+0x54/0x3f0
+ sp: c000003feb18b8f0
+ msr: 9000000000009033
+ dar: 48
+ dsisr: 40000000
+ current = 0xc000003fd2ed8300
+ paca = 0xc00000000fbab500 softe: 0 irq_happened: 0x01
+ pid = 1, comm = swapper/0
+Linux version 4.11.0-rc2-svaidy+ (sv@sagarika) (gcc version 6.2.0
+20161005 (Ubuntu 6.2.0-5ubuntu12) ) #10 SMP Sun Mar 19 00:08:09 IST 2017
+enter ? for help
+[c000003feb18b960] c0000000007b3c94 kobject_add_internal+0x54/0x3f0
+[c000003feb18b9f0] c0000000007b43a4 kobject_init_and_add+0x64/0xa0
+[c000003feb18ba70] c000000000e284f4 cpuidle_add_sysfs+0xb4/0x130
+[c000003feb18baf0] c000000000e26038 cpuidle_register_device+0x118/0x1c0
+[c000003feb18bb30] c000000000e26c48 cpuidle_register+0x78/0x120
+[c000003feb18bbc0] c00000000168fd9c powernv_processor_idle_init+0x110/0x1c4
+[c000003feb18bc40] c00000000000cff8 do_one_initcall+0x68/0x1d0
+[c000003feb18bd00] c0000000016242f4 kernel_init_freeable+0x280/0x360
+[c000003feb18bdc0] c00000000000d864 kernel_init+0x24/0x160
+[c000003feb18be30] c00000000000b4e8 ret_from_kernel_thread+0x5c/0x74
+
+Validating cpu_dev fixes the crash and reports correct error message like:
+
+[ 30.163506] Failed to register cpuidle device for cpu136
+[ 30.173329] Registration of powernv driver failed.
+
+Signed-off-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+[ rjw: Comment massage ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpuidle/sysfs.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/cpuidle/sysfs.c
++++ b/drivers/cpuidle/sysfs.c
+@@ -613,6 +613,18 @@ int cpuidle_add_sysfs(struct cpuidle_dev
+ struct device *cpu_dev = get_cpu_device((unsigned long)dev->cpu);
+ int error;
+
++ /*
++ * Return if cpu_device is not setup for this CPU.
++ *
++ * This could happen if the arch did not set up cpu_device
++ * since this CPU is not in cpu_present mask and the
++ * driver did not send a correct CPU mask during registration.
++ * Without this check we would end up passing bogus
++ * value for &cpu_dev->kobj in kobject_init_and_add()
++ */
++ if (!cpu_dev)
++ return -ENODEV;
++
+ kdev = kzalloc(sizeof(*kdev), GFP_KERNEL);
+ if (!kdev)
+ return -ENOMEM;
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Christian Lamparter <chunkeey@gmail.com>
+Date: Wed, 4 Oct 2017 01:00:08 +0200
+Subject: crypto: crypto4xx - increase context and scatter ring buffer elements
+
+From: Christian Lamparter <chunkeey@gmail.com>
+
+
+[ Upstream commit 778f81d6cdb7d25360f082ac0384d5103f04eca5 ]
+
+If crypto4xx is used in conjunction with dm-crypt, the available
+ring buffer elements are not enough to handle the load properly.
+
+On an aes-cbc-essiv:sha256 encrypted swap partition the read
+performance is abyssal: (tested with hdparm -t)
+
+/dev/mapper/swap_crypt:
+ Timing buffered disk reads: 14 MB in 3.68 seconds = 3.81 MB/sec
+
+The patch increases both PPC4XX_NUM_SD and PPC4XX_NUM_PD to 256.
+This improves the performance considerably:
+
+/dev/mapper/swap_crypt:
+ Timing buffered disk reads: 104 MB in 3.03 seconds = 34.31 MB/sec
+
+Furthermore, PPC4XX_LAST_SD, PPC4XX_LAST_GD and PPC4XX_LAST_PD
+can be easily calculated from their respective PPC4XX_NUM_*
+constant.
+
+Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/amcc/crypto4xx_core.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/crypto/amcc/crypto4xx_core.h
++++ b/drivers/crypto/amcc/crypto4xx_core.h
+@@ -32,12 +32,12 @@
+ #define PPC405EX_CE_RESET 0x00000008
+
+ #define CRYPTO4XX_CRYPTO_PRIORITY 300
+-#define PPC4XX_LAST_PD 63
+-#define PPC4XX_NUM_PD 64
+-#define PPC4XX_LAST_GD 1023
++#define PPC4XX_NUM_PD 256
++#define PPC4XX_LAST_PD (PPC4XX_NUM_PD - 1)
+ #define PPC4XX_NUM_GD 1024
+-#define PPC4XX_LAST_SD 63
+-#define PPC4XX_NUM_SD 64
++#define PPC4XX_LAST_GD (PPC4XX_NUM_GD - 1)
++#define PPC4XX_NUM_SD 256
++#define PPC4XX_LAST_SD (PPC4XX_NUM_SD - 1)
+ #define PPC4XX_SD_BUFFER_SIZE 2048
+
+ #define PD_ENTRY_INUSE 1
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 14 Mar 2017 18:25:57 +0800
+Subject: crypto: deadlock between crypto_alg_sem/rtnl_mutex/genl_mutex
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+
+[ Upstream commit 8a0f5ccfb33b0b8b51de65b7b3bf342ba10b4fb6 ]
+
+On Tue, Mar 14, 2017 at 10:44:10AM +0100, Dmitry Vyukov wrote:
+>
+> Yes, please.
+> Disregarding some reports is not a good way long term.
+
+Please try this patch.
+
+---8<---
+Subject: netlink: Annotate nlk cb_mutex by protocol
+
+Currently all occurences of nlk->cb_mutex are annotated by lockdep
+as a single class. This causes a false lcokdep cycle involving
+genl and crypto_user.
+
+This patch fixes it by dividing cb_mutex into individual classes
+based on the netlink protocol. As genl and crypto_user do not
+use the same netlink protocol this breaks the false dependency
+loop.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -96,6 +96,44 @@ EXPORT_SYMBOL_GPL(nl_table);
+
+ static DECLARE_WAIT_QUEUE_HEAD(nl_table_wait);
+
++static struct lock_class_key nlk_cb_mutex_keys[MAX_LINKS];
++
++static const char *const nlk_cb_mutex_key_strings[MAX_LINKS + 1] = {
++ "nlk_cb_mutex-ROUTE",
++ "nlk_cb_mutex-1",
++ "nlk_cb_mutex-USERSOCK",
++ "nlk_cb_mutex-FIREWALL",
++ "nlk_cb_mutex-SOCK_DIAG",
++ "nlk_cb_mutex-NFLOG",
++ "nlk_cb_mutex-XFRM",
++ "nlk_cb_mutex-SELINUX",
++ "nlk_cb_mutex-ISCSI",
++ "nlk_cb_mutex-AUDIT",
++ "nlk_cb_mutex-FIB_LOOKUP",
++ "nlk_cb_mutex-CONNECTOR",
++ "nlk_cb_mutex-NETFILTER",
++ "nlk_cb_mutex-IP6_FW",
++ "nlk_cb_mutex-DNRTMSG",
++ "nlk_cb_mutex-KOBJECT_UEVENT",
++ "nlk_cb_mutex-GENERIC",
++ "nlk_cb_mutex-17",
++ "nlk_cb_mutex-SCSITRANSPORT",
++ "nlk_cb_mutex-ECRYPTFS",
++ "nlk_cb_mutex-RDMA",
++ "nlk_cb_mutex-CRYPTO",
++ "nlk_cb_mutex-SMC",
++ "nlk_cb_mutex-23",
++ "nlk_cb_mutex-24",
++ "nlk_cb_mutex-25",
++ "nlk_cb_mutex-26",
++ "nlk_cb_mutex-27",
++ "nlk_cb_mutex-28",
++ "nlk_cb_mutex-29",
++ "nlk_cb_mutex-30",
++ "nlk_cb_mutex-31",
++ "nlk_cb_mutex-MAX_LINKS"
++};
++
+ static int netlink_dump(struct sock *sk);
+ static void netlink_skb_destructor(struct sk_buff *skb);
+
+@@ -585,6 +623,9 @@ static int __netlink_create(struct net *
+ } else {
+ nlk->cb_mutex = &nlk->cb_def_mutex;
+ mutex_init(nlk->cb_mutex);
++ lockdep_set_class_and_name(nlk->cb_mutex,
++ nlk_cb_mutex_keys + protocol,
++ nlk_cb_mutex_key_strings[protocol]);
+ }
+ init_waitqueue_head(&nlk->wait);
+
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Jacob Keller <jacob.e.keller@intel.com>
+Date: Mon, 2 Oct 2017 07:17:50 -0700
+Subject: fm10k: ensure we process SM mbx when processing VF mbx
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+
+[ Upstream commit 17a91809942ca32c70026d2d5ba3348a2c4fdf8f ]
+
+When we process VF mailboxes, the driver is likely going to also queue
+up messages to the switch manager. This process merely queues up the
+FIFO, but doesn't actually begin the transmission process. Because we
+hold the mailbox lock during this VF processing, the PF<->SM mailbox is
+not getting processed at this time. Ensure that we actually process the
+PF<->SM mailbox in between each PF<->VF mailbox.
+
+This should ensure prompt transmission of the messages queued up after
+each VF message is received and handled.
+
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Krishneil Singh <krishneil.k.singh@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/fm10k/fm10k_iov.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/intel/fm10k/fm10k_iov.c
++++ b/drivers/net/ethernet/intel/fm10k/fm10k_iov.c
+@@ -126,6 +126,9 @@ process_mbx:
+ struct fm10k_mbx_info *mbx = &vf_info->mbx;
+ u16 glort = vf_info->glort;
+
++ /* process the SM mailbox first to drain outgoing messages */
++ hw->mbx.ops.process(hw, &hw->mbx);
++
+ /* verify port mapping is valid, if not reset port */
+ if (vf_info->vf_flags && !fm10k_glort_valid_pf(hw, glort))
+ hw->iov.ops.reset_lport(hw, vf_info);
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Peter Stein <peter@stuntstein.dk>
+Date: Fri, 17 Feb 2017 00:00:50 -0800
+Subject: HID: xinmo: fix for out of range for THT 2P arcade controller.
+
+From: Peter Stein <peter@stuntstein.dk>
+
+
+[ Upstream commit 9257821c5a1dc57ef3a37f7cbcebaf548395c964 ]
+
+There is a new clone of the XIN MO arcade controller which has same issue with
+out of range like the original. This fix will solve the issue where 2
+directions on the joystick are not recognized by the new THT 2P arcade
+controller with device ID 0x75e1. In details the new device ID is added the
+hid-id list and the hid-xinmo source code.
+
+Signed-off-by: Peter Stein <peter@stuntstein.dk>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-core.c | 1 +
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-xinmo.c | 1 +
+ 3 files changed, 3 insertions(+)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -2053,6 +2053,7 @@ static const struct hid_device_id hid_ha
+ { HID_USB_DEVICE(USB_VENDOR_ID_WALTOP, USB_DEVICE_ID_WALTOP_SIRIUS_BATTERY_FREE_TABLET) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_X_TENSIONS, USB_DEVICE_ID_SPEEDLINK_VAD_CEZANNE) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_XIN_MO, USB_DEVICE_ID_XIN_MO_DUAL_ARCADE) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_XIN_MO, USB_DEVICE_ID_THT_2P_ARCADE) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ZEROPLUS, 0x0005) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ZEROPLUS, 0x0030) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ZYDACRON, USB_DEVICE_ID_ZYDACRON_REMOTE_CONTROL) },
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1021,6 +1021,7 @@
+
+ #define USB_VENDOR_ID_XIN_MO 0x16c0
+ #define USB_DEVICE_ID_XIN_MO_DUAL_ARCADE 0x05e1
++#define USB_DEVICE_ID_THT_2P_ARCADE 0x75e1
+
+ #define USB_VENDOR_ID_XIROKU 0x1477
+ #define USB_DEVICE_ID_XIROKU_SPX 0x1006
+--- a/drivers/hid/hid-xinmo.c
++++ b/drivers/hid/hid-xinmo.c
+@@ -46,6 +46,7 @@ static int xinmo_event(struct hid_device
+
+ static const struct hid_device_id xinmo_devices[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_XIN_MO, USB_DEVICE_ID_XIN_MO_DUAL_ARCADE) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_XIN_MO, USB_DEVICE_ID_THT_2P_ARCADE) },
+ { }
+ };
+
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 23 Mar 2017 16:03:11 +0100
+Subject: hwmon: (asus_atk0110) fix uninitialized data access
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+
+[ Upstream commit a2125d02443e9a4e68bcfd9f8004fa23239e8329 ]
+
+The latest gcc-7 snapshot adds a warning to point out that when
+atk_read_value_old or atk_read_value_new fails, we copy
+uninitialized data into sensor->cached_value:
+
+drivers/hwmon/asus_atk0110.c: In function 'atk_input_show':
+drivers/hwmon/asus_atk0110.c:651:26: error: 'value' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+
+Adding an error check avoids this. All versions of the driver
+are affected.
+
+Fixes: 2c03d07ad54d ("hwmon: Add Asus ATK0110 support")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Luca Tettamanti <kronos.it@gmail.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/asus_atk0110.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/hwmon/asus_atk0110.c
++++ b/drivers/hwmon/asus_atk0110.c
+@@ -646,6 +646,9 @@ static int atk_read_value(struct atk_sen
+ else
+ err = atk_read_value_new(sensor, value);
+
++ if (err)
++ return err;
++
+ sensor->is_valid = true;
+ sensor->last_updated = jiffies;
+ sensor->cached_value = *value;
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Mike Looijmans <mike.looijmans@topic.nl>
+Date: Thu, 23 Mar 2017 10:00:36 +0100
+Subject: i2c: mux: pca954x: Add missing pca9546 definition to chip_desc
+
+From: Mike Looijmans <mike.looijmans@topic.nl>
+
+
+[ Upstream commit dbe4d69d252e9e65c6c46826980b77b11a142065 ]
+
+The spec for the pca9546 was missing. This chip is the same as the pca9545
+except that it lacks interrupt lines. While the i2c_device_id table mapped
+the pca9546 to the pca9545 definition the compatible table did not.
+
+Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/muxes/i2c-mux-pca954x.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/muxes/i2c-mux-pca954x.c
++++ b/drivers/i2c/muxes/i2c-mux-pca954x.c
+@@ -94,6 +94,10 @@ static const struct chip_desc chips[] =
+ .nchans = 4,
+ .muxtype = pca954x_isswi,
+ },
++ [pca_9546] = {
++ .nchans = 4,
++ .muxtype = pca954x_isswi,
++ },
+ [pca_9547] = {
+ .nchans = 8,
+ .enable = 0x8,
+@@ -111,7 +115,7 @@ static const struct i2c_device_id pca954
+ { "pca9543", pca_9543 },
+ { "pca9544", pca_9544 },
+ { "pca9545", pca_9545 },
+- { "pca9546", pca_9545 },
++ { "pca9546", pca_9546 },
+ { "pca9547", pca_9547 },
+ { "pca9548", pca_9548 },
+ { }
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Alexander Duyck <alexander.h.duyck@intel.com>
+Date: Fri, 24 Mar 2017 15:01:42 -0700
+Subject: i40e: Do not enable NAPI on q_vectors that have no rings
+
+From: Alexander Duyck <alexander.h.duyck@intel.com>
+
+
+[ Upstream commit 13a8cd191a2b470cfd435b3b57dbd21aa65ff78c ]
+
+When testing the epoll w/ busy poll code I found that I could get into a
+state where the i40e driver had q_vectors w/ active NAPI that had no rings.
+This was resulting in a divide by zero error. To correct it I am updating
+the driver code so that we only support NAPI on q_vectors that have 1 or
+more rings allocated to them.
+
+Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -4201,8 +4201,12 @@ static void i40e_napi_enable_all(struct
+ if (!vsi->netdev)
+ return;
+
+- for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++)
+- napi_enable(&vsi->q_vectors[q_idx]->napi);
++ for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++) {
++ struct i40e_q_vector *q_vector = vsi->q_vectors[q_idx];
++
++ if (q_vector->rx.ring || q_vector->tx.ring)
++ napi_enable(&q_vector->napi);
++ }
+ }
+
+ /**
+@@ -4216,8 +4220,12 @@ static void i40e_napi_disable_all(struct
+ if (!vsi->netdev)
+ return;
+
+- for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++)
+- napi_disable(&vsi->q_vectors[q_idx]->napi);
++ for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++) {
++ struct i40e_q_vector *q_vector = vsi->q_vectors[q_idx];
++
++ if (q_vector->rx.ring || q_vector->tx.ring)
++ napi_disable(&q_vector->napi);
++ }
+ }
+
+ /**
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 27 Aug 2017 08:39:51 +0200
+Subject: igb: check memory allocation failure
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 18eb86362a52f0af933cc0fd5e37027317eb2d1c ]
+
+Check memory allocation failures and return -ENOMEM in such cases, as
+already done for other memory allocations in this function.
+
+This avoids NULL pointers dereference.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com
+Acked-by: PJ Waskiewicz <peter.waskiewicz.jr@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -3005,6 +3005,8 @@ static int igb_sw_init(struct igb_adapte
+ /* Setup and initialize a copy of the hw vlan table array */
+ adapter->shadow_vfta = kcalloc(E1000_VLAN_FILTER_TBL_SIZE, sizeof(u32),
+ GFP_ATOMIC);
++ if (!adapter->shadow_vfta)
++ return -ENOMEM;
+
+ /* This call may decrease the number of queues */
+ if (igb_init_interrupt_scheme(adapter, true)) {
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 22 Mar 2017 08:57:15 -0700
+Subject: inet: frag: release spinlock before calling icmp_send()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit ec4fbd64751de18729eaa816ec69e4b504b5a7a2 ]
+
+Dmitry reported a lockdep splat [1] (false positive) that we can fix
+by releasing the spinlock before calling icmp_send() from ip_expire()
+
+This is a false positive because sending an ICMP message can not
+possibly re-enter the IP frag engine.
+
+[1]
+[ INFO: possible circular locking dependency detected ]
+4.10.0+ #29 Not tainted
+-------------------------------------------------------
+modprobe/12392 is trying to acquire lock:
+ (_xmit_ETHER#2){+.-...}, at: [<ffffffff837a8182>] spin_lock
+include/linux/spinlock.h:299 [inline]
+ (_xmit_ETHER#2){+.-...}, at: [<ffffffff837a8182>] __netif_tx_lock
+include/linux/netdevice.h:3486 [inline]
+ (_xmit_ETHER#2){+.-...}, at: [<ffffffff837a8182>]
+sch_direct_xmit+0x282/0x6d0 net/sched/sch_generic.c:180
+
+but task is already holding lock:
+ (&(&q->lock)->rlock){+.-...}, at: [<ffffffff8389a4d1>] spin_lock
+include/linux/spinlock.h:299 [inline]
+ (&(&q->lock)->rlock){+.-...}, at: [<ffffffff8389a4d1>]
+ip_expire+0x51/0x6c0 net/ipv4/ip_fragment.c:201
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #1 (&(&q->lock)->rlock){+.-...}:
+ validate_chain kernel/locking/lockdep.c:2267 [inline]
+ __lock_acquire+0x2149/0x3430 kernel/locking/lockdep.c:3340
+ lock_acquire+0x2a1/0x630 kernel/locking/lockdep.c:3755
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x33/0x50 kernel/locking/spinlock.c:151
+ spin_lock include/linux/spinlock.h:299 [inline]
+ ip_defrag+0x3a2/0x4130 net/ipv4/ip_fragment.c:669
+ ip_check_defrag+0x4e3/0x8b0 net/ipv4/ip_fragment.c:713
+ packet_rcv_fanout+0x282/0x800 net/packet/af_packet.c:1459
+ deliver_skb net/core/dev.c:1834 [inline]
+ dev_queue_xmit_nit+0x294/0xa90 net/core/dev.c:1890
+ xmit_one net/core/dev.c:2903 [inline]
+ dev_hard_start_xmit+0x16b/0xab0 net/core/dev.c:2923
+ sch_direct_xmit+0x31f/0x6d0 net/sched/sch_generic.c:182
+ __dev_xmit_skb net/core/dev.c:3092 [inline]
+ __dev_queue_xmit+0x13e5/0x1e60 net/core/dev.c:3358
+ dev_queue_xmit+0x17/0x20 net/core/dev.c:3423
+ neigh_resolve_output+0x6b9/0xb10 net/core/neighbour.c:1308
+ neigh_output include/net/neighbour.h:478 [inline]
+ ip_finish_output2+0x8b8/0x15a0 net/ipv4/ip_output.c:228
+ ip_do_fragment+0x1d93/0x2720 net/ipv4/ip_output.c:672
+ ip_fragment.constprop.54+0x145/0x200 net/ipv4/ip_output.c:545
+ ip_finish_output+0x82d/0xe10 net/ipv4/ip_output.c:314
+ NF_HOOK_COND include/linux/netfilter.h:246 [inline]
+ ip_output+0x1f0/0x7a0 net/ipv4/ip_output.c:404
+ dst_output include/net/dst.h:486 [inline]
+ ip_local_out+0x95/0x170 net/ipv4/ip_output.c:124
+ ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1492
+ ip_push_pending_frames+0x64/0x80 net/ipv4/ip_output.c:1512
+ raw_sendmsg+0x26de/0x3a00 net/ipv4/raw.c:655
+ inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:761
+ sock_sendmsg_nosec net/socket.c:633 [inline]
+ sock_sendmsg+0xca/0x110 net/socket.c:643
+ ___sys_sendmsg+0x4a3/0x9f0 net/socket.c:1985
+ __sys_sendmmsg+0x25c/0x750 net/socket.c:2075
+ SYSC_sendmmsg net/socket.c:2106 [inline]
+ SyS_sendmmsg+0x35/0x60 net/socket.c:2101
+ do_syscall_64+0x2e8/0x930 arch/x86/entry/common.c:281
+ return_from_SYSCALL_64+0x0/0x7a
+
+-> #0 (_xmit_ETHER#2){+.-...}:
+ check_prev_add kernel/locking/lockdep.c:1830 [inline]
+ check_prevs_add+0xa8f/0x19f0 kernel/locking/lockdep.c:1940
+ validate_chain kernel/locking/lockdep.c:2267 [inline]
+ __lock_acquire+0x2149/0x3430 kernel/locking/lockdep.c:3340
+ lock_acquire+0x2a1/0x630 kernel/locking/lockdep.c:3755
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x33/0x50 kernel/locking/spinlock.c:151
+ spin_lock include/linux/spinlock.h:299 [inline]
+ __netif_tx_lock include/linux/netdevice.h:3486 [inline]
+ sch_direct_xmit+0x282/0x6d0 net/sched/sch_generic.c:180
+ __dev_xmit_skb net/core/dev.c:3092 [inline]
+ __dev_queue_xmit+0x13e5/0x1e60 net/core/dev.c:3358
+ dev_queue_xmit+0x17/0x20 net/core/dev.c:3423
+ neigh_hh_output include/net/neighbour.h:468 [inline]
+ neigh_output include/net/neighbour.h:476 [inline]
+ ip_finish_output2+0xf6c/0x15a0 net/ipv4/ip_output.c:228
+ ip_finish_output+0xa29/0xe10 net/ipv4/ip_output.c:316
+ NF_HOOK_COND include/linux/netfilter.h:246 [inline]
+ ip_output+0x1f0/0x7a0 net/ipv4/ip_output.c:404
+ dst_output include/net/dst.h:486 [inline]
+ ip_local_out+0x95/0x170 net/ipv4/ip_output.c:124
+ ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1492
+ ip_push_pending_frames+0x64/0x80 net/ipv4/ip_output.c:1512
+ icmp_push_reply+0x372/0x4d0 net/ipv4/icmp.c:394
+ icmp_send+0x156c/0x1c80 net/ipv4/icmp.c:754
+ ip_expire+0x40e/0x6c0 net/ipv4/ip_fragment.c:239
+ call_timer_fn+0x241/0x820 kernel/time/timer.c:1268
+ expire_timers kernel/time/timer.c:1307 [inline]
+ __run_timers+0x960/0xcf0 kernel/time/timer.c:1601
+ run_timer_softirq+0x21/0x80 kernel/time/timer.c:1614
+ __do_softirq+0x31f/0xbe7 kernel/softirq.c:284
+ invoke_softirq kernel/softirq.c:364 [inline]
+ irq_exit+0x1cc/0x200 kernel/softirq.c:405
+ exiting_irq arch/x86/include/asm/apic.h:657 [inline]
+ smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:962
+ apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:707
+ __read_once_size include/linux/compiler.h:254 [inline]
+ atomic_read arch/x86/include/asm/atomic.h:26 [inline]
+ rcu_dynticks_curr_cpu_in_eqs kernel/rcu/tree.c:350 [inline]
+ __rcu_is_watching kernel/rcu/tree.c:1133 [inline]
+ rcu_is_watching+0x83/0x110 kernel/rcu/tree.c:1147
+ rcu_read_lock_held+0x87/0xc0 kernel/rcu/update.c:293
+ radix_tree_deref_slot include/linux/radix-tree.h:238 [inline]
+ filemap_map_pages+0x6d4/0x1570 mm/filemap.c:2335
+ do_fault_around mm/memory.c:3231 [inline]
+ do_read_fault mm/memory.c:3265 [inline]
+ do_fault+0xbd5/0x2080 mm/memory.c:3370
+ handle_pte_fault mm/memory.c:3600 [inline]
+ __handle_mm_fault+0x1062/0x2cb0 mm/memory.c:3714
+ handle_mm_fault+0x1e2/0x480 mm/memory.c:3751
+ __do_page_fault+0x4f6/0xb60 arch/x86/mm/fault.c:1397
+ do_page_fault+0x54/0x70 arch/x86/mm/fault.c:1460
+ page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1011
+
+other info that might help us debug this:
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&(&q->lock)->rlock);
+ lock(_xmit_ETHER#2);
+ lock(&(&q->lock)->rlock);
+ lock(_xmit_ETHER#2);
+
+ *** DEADLOCK ***
+
+10 locks held by modprobe/12392:
+ #0: (&mm->mmap_sem){++++++}, at: [<ffffffff81329758>]
+__do_page_fault+0x2b8/0xb60 arch/x86/mm/fault.c:1336
+ #1: (rcu_read_lock){......}, at: [<ffffffff8188cab6>]
+filemap_map_pages+0x1e6/0x1570 mm/filemap.c:2324
+ #2: (&(ptlock_ptr(page))->rlock#2){+.+...}, at: [<ffffffff81984a78>]
+spin_lock include/linux/spinlock.h:299 [inline]
+ #2: (&(ptlock_ptr(page))->rlock#2){+.+...}, at: [<ffffffff81984a78>]
+pte_alloc_one_map mm/memory.c:2944 [inline]
+ #2: (&(ptlock_ptr(page))->rlock#2){+.+...}, at: [<ffffffff81984a78>]
+alloc_set_pte+0x13b8/0x1b90 mm/memory.c:3072
+ #3: (((&q->timer))){+.-...}, at: [<ffffffff81627e72>]
+lockdep_copy_map include/linux/lockdep.h:175 [inline]
+ #3: (((&q->timer))){+.-...}, at: [<ffffffff81627e72>]
+call_timer_fn+0x1c2/0x820 kernel/time/timer.c:1258
+ #4: (&(&q->lock)->rlock){+.-...}, at: [<ffffffff8389a4d1>] spin_lock
+include/linux/spinlock.h:299 [inline]
+ #4: (&(&q->lock)->rlock){+.-...}, at: [<ffffffff8389a4d1>]
+ip_expire+0x51/0x6c0 net/ipv4/ip_fragment.c:201
+ #5: (rcu_read_lock){......}, at: [<ffffffff8389a633>]
+ip_expire+0x1b3/0x6c0 net/ipv4/ip_fragment.c:216
+ #6: (slock-AF_INET){+.-...}, at: [<ffffffff839b3313>] spin_trylock
+include/linux/spinlock.h:309 [inline]
+ #6: (slock-AF_INET){+.-...}, at: [<ffffffff839b3313>] icmp_xmit_lock
+net/ipv4/icmp.c:219 [inline]
+ #6: (slock-AF_INET){+.-...}, at: [<ffffffff839b3313>]
+icmp_send+0x803/0x1c80 net/ipv4/icmp.c:681
+ #7: (rcu_read_lock_bh){......}, at: [<ffffffff838ab9a1>]
+ip_finish_output2+0x2c1/0x15a0 net/ipv4/ip_output.c:198
+ #8: (rcu_read_lock_bh){......}, at: [<ffffffff836d1dee>]
+__dev_queue_xmit+0x23e/0x1e60 net/core/dev.c:3324
+ #9: (dev->qdisc_running_key ?: &qdisc_running_key){+.....}, at:
+[<ffffffff836d3a27>] dev_queue_xmit+0x17/0x20 net/core/dev.c:3423
+
+stack backtrace:
+CPU: 0 PID: 12392 Comm: modprobe Not tainted 4.10.0+ #29
+Hardware name: Google Google Compute Engine/Google Compute Engine,
+BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:16 [inline]
+ dump_stack+0x2ee/0x3ef lib/dump_stack.c:52
+ print_circular_bug+0x307/0x3b0 kernel/locking/lockdep.c:1204
+ check_prev_add kernel/locking/lockdep.c:1830 [inline]
+ check_prevs_add+0xa8f/0x19f0 kernel/locking/lockdep.c:1940
+ validate_chain kernel/locking/lockdep.c:2267 [inline]
+ __lock_acquire+0x2149/0x3430 kernel/locking/lockdep.c:3340
+ lock_acquire+0x2a1/0x630 kernel/locking/lockdep.c:3755
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x33/0x50 kernel/locking/spinlock.c:151
+ spin_lock include/linux/spinlock.h:299 [inline]
+ __netif_tx_lock include/linux/netdevice.h:3486 [inline]
+ sch_direct_xmit+0x282/0x6d0 net/sched/sch_generic.c:180
+ __dev_xmit_skb net/core/dev.c:3092 [inline]
+ __dev_queue_xmit+0x13e5/0x1e60 net/core/dev.c:3358
+ dev_queue_xmit+0x17/0x20 net/core/dev.c:3423
+ neigh_hh_output include/net/neighbour.h:468 [inline]
+ neigh_output include/net/neighbour.h:476 [inline]
+ ip_finish_output2+0xf6c/0x15a0 net/ipv4/ip_output.c:228
+ ip_finish_output+0xa29/0xe10 net/ipv4/ip_output.c:316
+ NF_HOOK_COND include/linux/netfilter.h:246 [inline]
+ ip_output+0x1f0/0x7a0 net/ipv4/ip_output.c:404
+ dst_output include/net/dst.h:486 [inline]
+ ip_local_out+0x95/0x170 net/ipv4/ip_output.c:124
+ ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1492
+ ip_push_pending_frames+0x64/0x80 net/ipv4/ip_output.c:1512
+ icmp_push_reply+0x372/0x4d0 net/ipv4/icmp.c:394
+ icmp_send+0x156c/0x1c80 net/ipv4/icmp.c:754
+ ip_expire+0x40e/0x6c0 net/ipv4/ip_fragment.c:239
+ call_timer_fn+0x241/0x820 kernel/time/timer.c:1268
+ expire_timers kernel/time/timer.c:1307 [inline]
+ __run_timers+0x960/0xcf0 kernel/time/timer.c:1601
+ run_timer_softirq+0x21/0x80 kernel/time/timer.c:1614
+ __do_softirq+0x31f/0xbe7 kernel/softirq.c:284
+ invoke_softirq kernel/softirq.c:364 [inline]
+ irq_exit+0x1cc/0x200 kernel/softirq.c:405
+ exiting_irq arch/x86/include/asm/apic.h:657 [inline]
+ smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:962
+ apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:707
+RIP: 0010:__read_once_size include/linux/compiler.h:254 [inline]
+RIP: 0010:atomic_read arch/x86/include/asm/atomic.h:26 [inline]
+RIP: 0010:rcu_dynticks_curr_cpu_in_eqs kernel/rcu/tree.c:350 [inline]
+RIP: 0010:__rcu_is_watching kernel/rcu/tree.c:1133 [inline]
+RIP: 0010:rcu_is_watching+0x83/0x110 kernel/rcu/tree.c:1147
+RSP: 0000:ffff8801c391f120 EFLAGS: 00000a03 ORIG_RAX: ffffffffffffff10
+RAX: dffffc0000000000 RBX: ffff8801c391f148 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 000055edd4374000 RDI: ffff8801dbe1ae0c
+RBP: ffff8801c391f1a0 R08: 0000000000000002 R09: 0000000000000000
+R10: dffffc0000000000 R11: 0000000000000002 R12: 1ffff10038723e25
+R13: ffff8801dbe1ae00 R14: ffff8801c391f680 R15: dffffc0000000000
+ </IRQ>
+ rcu_read_lock_held+0x87/0xc0 kernel/rcu/update.c:293
+ radix_tree_deref_slot include/linux/radix-tree.h:238 [inline]
+ filemap_map_pages+0x6d4/0x1570 mm/filemap.c:2335
+ do_fault_around mm/memory.c:3231 [inline]
+ do_read_fault mm/memory.c:3265 [inline]
+ do_fault+0xbd5/0x2080 mm/memory.c:3370
+ handle_pte_fault mm/memory.c:3600 [inline]
+ __handle_mm_fault+0x1062/0x2cb0 mm/memory.c:3714
+ handle_mm_fault+0x1e2/0x480 mm/memory.c:3751
+ __do_page_fault+0x4f6/0xb60 arch/x86/mm/fault.c:1397
+ do_page_fault+0x54/0x70 arch/x86/mm/fault.c:1460
+ page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1011
+RIP: 0033:0x7f83172f2786
+RSP: 002b:00007fffe859ae80 EFLAGS: 00010293
+RAX: 000055edd4373040 RBX: 00007f83175111c8 RCX: 000055edd4373238
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007f8317510970
+RBP: 00007fffe859afd0 R08: 0000000000000009 R09: 0000000000000000
+R10: 0000000000000064 R11: 0000000000000000 R12: 000055edd4373040
+R13: 0000000000000000 R14: 00007fffe859afe8 R15: 0000000000000000
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_fragment.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -200,6 +200,7 @@ static void ip_expire(unsigned long arg)
+ qp = container_of((struct inet_frag_queue *) arg, struct ipq, q);
+ net = container_of(qp->q.net, struct net, ipv4.frags);
+
++ rcu_read_lock();
+ spin_lock(&qp->q.lock);
+
+ if (qp->q.flags & INET_FRAG_COMPLETE)
+@@ -209,7 +210,7 @@ static void ip_expire(unsigned long arg)
+ IP_INC_STATS_BH(net, IPSTATS_MIB_REASMFAILS);
+
+ if (!inet_frag_evicting(&qp->q)) {
+- struct sk_buff *head = qp->q.fragments;
++ struct sk_buff *clone, *head = qp->q.fragments;
+ const struct iphdr *iph;
+ int err;
+
+@@ -218,32 +219,40 @@ static void ip_expire(unsigned long arg)
+ if (!(qp->q.flags & INET_FRAG_FIRST_IN) || !qp->q.fragments)
+ goto out;
+
+- rcu_read_lock();
+ head->dev = dev_get_by_index_rcu(net, qp->iif);
+ if (!head->dev)
+- goto out_rcu_unlock;
++ goto out;
++
+
+ /* skb has no dst, perform route lookup again */
+ iph = ip_hdr(head);
+ err = ip_route_input_noref(head, iph->daddr, iph->saddr,
+ iph->tos, head->dev);
+ if (err)
+- goto out_rcu_unlock;
++ goto out;
+
+ /* Only an end host needs to send an ICMP
+ * "Fragment Reassembly Timeout" message, per RFC792.
+ */
+ if (frag_expire_skip_icmp(qp->user) &&
+ (skb_rtable(head)->rt_type != RTN_LOCAL))
+- goto out_rcu_unlock;
++ goto out;
++
++ clone = skb_clone(head, GFP_ATOMIC);
+
+ /* Send an ICMP "Fragment Reassembly Timeout" message. */
+- icmp_send(head, ICMP_TIME_EXCEEDED, ICMP_EXC_FRAGTIME, 0);
+-out_rcu_unlock:
+- rcu_read_unlock();
++ if (clone) {
++ spin_unlock(&qp->q.lock);
++ icmp_send(clone, ICMP_TIME_EXCEEDED,
++ ICMP_EXC_FRAGTIME, 0);
++ consume_skb(clone);
++ goto out_rcu_unlock;
++ }
+ }
+ out:
+ spin_unlock(&qp->q.lock);
++out_rcu_unlock:
++ rcu_read_unlock();
+ ipq_put(qp);
+ }
+
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Sat, 25 Mar 2017 01:48:08 +0300
+Subject: irda: vlsi_ir: fix check for DMA mapping errors
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+
+[ Upstream commit 6ac3b77a6ffff7513ff86b684aa256ea01c0e5b5 ]
+
+vlsi_alloc_ring() checks for DMA mapping errors by comparing
+returned address with zero, while pci_dma_mapping_error() should be used.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/irda/vlsi_ir.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/irda/vlsi_ir.c
++++ b/drivers/net/irda/vlsi_ir.c
+@@ -418,8 +418,9 @@ static struct vlsi_ring *vlsi_alloc_ring
+ memset(rd, 0, sizeof(*rd));
+ rd->hw = hwmap + i;
+ rd->buf = kmalloc(len, GFP_KERNEL|GFP_DMA);
+- if (rd->buf == NULL ||
+- !(busaddr = pci_map_single(pdev, rd->buf, len, dir))) {
++ if (rd->buf)
++ busaddr = pci_map_single(pdev, rd->buf, len, dir);
++ if (rd->buf == NULL || pci_dma_mapping_error(pdev, busaddr)) {
+ if (rd->buf) {
+ net_err_ratelimited("%s: failed to create PCI-MAP for %p\n",
+ __func__, rd->buf);
+@@ -430,8 +431,7 @@ static struct vlsi_ring *vlsi_alloc_ring
+ rd = r->rd + j;
+ busaddr = rd_get_addr(rd);
+ rd_set_addr_status(rd, 0, 0);
+- if (busaddr)
+- pci_unmap_single(pdev, busaddr, len, dir);
++ pci_unmap_single(pdev, busaddr, len, dir);
+ kfree(rd->buf);
+ rd->buf = NULL;
+ }
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 28 Mar 2017 12:11:07 +0200
+Subject: isdn: kcapi: avoid uninitialized data
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+
+[ Upstream commit af109a2cf6a9a6271fa420ae2d64d72d86c92b7d ]
+
+gcc-7 points out that the AVMB1_ADDCARD ioctl results in an unintialized
+value ending up in the cardnr parameter:
+
+drivers/isdn/capi/kcapi.c: In function 'old_capi_manufacturer':
+drivers/isdn/capi/kcapi.c:1042:24: error: 'cdef.cardnr' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+ cparams.cardnr = cdef.cardnr;
+
+This has been broken since before the start of the git history, so
+either the value is not used for anything important, or the ioctl
+command doesn't get called in practice.
+
+Setting the cardnr to zero avoids the warning and makes sure
+we have consistent behavior.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/capi/kcapi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/isdn/capi/kcapi.c
++++ b/drivers/isdn/capi/kcapi.c
+@@ -1032,6 +1032,7 @@ static int old_capi_manufacturer(unsigne
+ sizeof(avmb1_carddef))))
+ return -EFAULT;
+ cdef.cardtype = AVM_CARDTYPE_B1;
++ cdef.cardnr = 0;
+ } else {
+ if ((retval = copy_from_user(&cdef, data,
+ sizeof(avmb1_extcarddef))))
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Emil Tantilov <emil.s.tantilov@intel.com>
+Date: Mon, 11 Sep 2017 14:21:31 -0700
+Subject: ixgbe: fix use of uninitialized padding
+
+From: Emil Tantilov <emil.s.tantilov@intel.com>
+
+
+[ Upstream commit dcfd6b839c998bc9838e2a47f44f37afbdf3099c ]
+
+This patch is resolving Coverity hits where padding in a structure could
+be used uninitialized.
+
+- Initialize fwd_cmd.pad/2 before ixgbe_calculate_checksum()
+
+- Initialize buffer.pad2/3 before ixgbe_hic_unlocked()
+
+Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_common.c | 4 ++--
+ drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
+@@ -3620,10 +3620,10 @@ s32 ixgbe_set_fw_drv_ver_generic(struct
+ fw_cmd.ver_build = build;
+ fw_cmd.ver_sub = sub;
+ fw_cmd.hdr.checksum = 0;
+- fw_cmd.hdr.checksum = ixgbe_calculate_checksum((u8 *)&fw_cmd,
+- (FW_CEM_HDR_LEN + fw_cmd.hdr.buf_len));
+ fw_cmd.pad = 0;
+ fw_cmd.pad2 = 0;
++ fw_cmd.hdr.checksum = ixgbe_calculate_checksum((u8 *)&fw_cmd,
++ (FW_CEM_HDR_LEN + fw_cmd.hdr.buf_len));
+
+ for (i = 0; i <= FW_CEM_MAX_RETRIES; i++) {
+ ret_val = ixgbe_host_interface_command(hw, (u32 *)&fw_cmd,
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+@@ -564,6 +564,8 @@ static s32 ixgbe_read_ee_hostif_buffer_X
+ /* convert offset from words to bytes */
+ buffer.address = cpu_to_be32((offset + current_word) * 2);
+ buffer.length = cpu_to_be16(words_to_read * 2);
++ buffer.pad2 = 0;
++ buffer.pad3 = 0;
+
+ status = ixgbe_host_interface_command(hw, (u32 *)&buffer,
+ sizeof(buffer),
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: "Herongguang (Stephen)" <herongguang.he@huawei.com>
+Date: Mon, 27 Mar 2017 15:21:17 +0800
+Subject: KVM: pci-assign: do not map smm memory slot pages in vt-d page tables
+
+From: "Herongguang (Stephen)" <herongguang.he@huawei.com>
+
+
+[ Upstream commit 0292e169b2d9c8377a168778f0b16eadb1f578fd ]
+
+or VM memory are not put thus leaked in kvm_iommu_unmap_memslots() when
+destroy VM.
+
+This is consistent with current vfio implementation.
+
+Signed-off-by: herongguang <herongguang.he@huawei.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/kvm_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -986,7 +986,7 @@ int __kvm_set_memory_region(struct kvm *
+ * changes) is disallowed above, so any other attribute changes getting
+ * here can be skipped.
+ */
+- if ((change == KVM_MR_CREATE) || (change == KVM_MR_MOVE)) {
++ if (as_id == 0 && (change == KVM_MR_CREATE || change == KVM_MR_MOVE)) {
+ r = kvm_iommu_map_pages(kvm, &new);
+ return r;
+ }
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Thu, 23 Mar 2017 05:30:08 -0700
+Subject: KVM: VMX: Fix enable VPID conditions
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+
+[ Upstream commit 08d839c4b134b8328ec42f2157a9ca4b93227c03 ]
+
+This can be reproduced by running L2 on L1, and disable VPID on L0
+if w/o commit "KVM: nVMX: Fix nested VPID vmx exec control", the L2
+crash as below:
+
+KVM: entry failed, hardware error 0x7
+EAX=00000000 EBX=00000000 ECX=00000000 EDX=000306c3
+ESI=00000000 EDI=00000000 EBP=00000000 ESP=00000000
+EIP=0000fff0 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
+ES =0000 00000000 0000ffff 00009300
+CS =f000 ffff0000 0000ffff 00009b00
+SS =0000 00000000 0000ffff 00009300
+DS =0000 00000000 0000ffff 00009300
+FS =0000 00000000 0000ffff 00009300
+GS =0000 00000000 0000ffff 00009300
+LDT=0000 00000000 0000ffff 00008200
+TR =0000 00000000 0000ffff 00008b00
+GDT= 00000000 0000ffff
+IDT= 00000000 0000ffff
+CR0=60000010 CR2=00000000 CR3=00000000 CR4=00000000
+DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
+DR6=00000000ffff0ff0 DR7=0000000000000400
+EFER=0000000000000000
+
+Reference SDM 30.3 INVVPID:
+
+Protected Mode Exceptions
+- #UD
+ - If not in VMX operation.
+ - If the logical processor does not support VPIDs (IA32_VMX_PROCBASED_CTLS2[37]=0).
+ - If the logical processor supports VPIDs (IA32_VMX_PROCBASED_CTLS2[37]=1) but does
+ not support the INVVPID instruction (IA32_VMX_EPT_VPID_CAP[32]=0).
+
+So we should check both VPID enable bit in vmx exec control and INVVPID support bit
+in vmx capability MSRs to enable VPID. This patch adds the guarantee to not enable
+VPID if either INVVPID or single-context/all-context invalidation is not exposed in
+vmx capability MSRs.
+
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -1107,6 +1107,11 @@ static inline bool cpu_has_vmx_invvpid_g
+ return vmx_capability.vpid & VMX_VPID_EXTENT_GLOBAL_CONTEXT_BIT;
+ }
+
++static inline bool cpu_has_vmx_invvpid(void)
++{
++ return vmx_capability.vpid & VMX_VPID_INVVPID_BIT;
++}
++
+ static inline bool cpu_has_vmx_ept(void)
+ {
+ return vmcs_config.cpu_based_2nd_exec_ctrl &
+@@ -6199,8 +6204,10 @@ static __init int hardware_setup(void)
+ if (boot_cpu_has(X86_FEATURE_NX))
+ kvm_enable_efer_bits(EFER_NX);
+
+- if (!cpu_has_vmx_vpid())
++ if (!cpu_has_vmx_vpid() || !cpu_has_vmx_invvpid() ||
++ !(cpu_has_vmx_invvpid_single() || cpu_has_vmx_invvpid_global()))
+ enable_vpid = 0;
++
+ if (!cpu_has_vmx_shadow_vmcs())
+ enable_shadow_vmcs = 0;
+ if (enable_shadow_vmcs)
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Mon, 20 Mar 2017 21:18:55 -0700
+Subject: KVM: x86: correct async page present tracepoint
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+
+[ Upstream commit 24dccf83a121b8a4ad5c2ad383a8184ef6c266ee ]
+
+After async pf setup successfully, there is a broadcast wakeup w/ special
+token 0xffffffff which tells vCPU that it should wake up all processes
+waiting for APFs though there is no real process waiting at the moment.
+
+The async page present tracepoint print prematurely and fails to catch the
+special token setup. This patch fixes it by moving the async page present
+tracepoint after the special token setup.
+
+Before patch:
+
+qemu-system-x86-8499 [006] ...1 5973.473292: kvm_async_pf_ready: token 0x0 gva 0x0
+
+After patch:
+
+qemu-system-x86-8499 [006] ...1 5973.473292: kvm_async_pf_ready: token 0xffffffff gva 0x0
+
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -8230,11 +8230,11 @@ void kvm_arch_async_page_present(struct
+ {
+ struct x86_exception fault;
+
+- trace_kvm_async_pf_ready(work->arch.token, work->gva);
+ if (work->wakeup_all)
+ work->arch.token = ~0; /* broadcast wakeup */
+ else
+ kvm_del_async_pf_gfn(vcpu, work->arch.gfn);
++ trace_kvm_async_pf_ready(work->arch.token, work->gva);
+
+ if ((vcpu->arch.apf.msr_val & KVM_ASYNC_PF_ENABLED) &&
+ !apf_put_user(vcpu, KVM_PV_REASON_PAGE_READY)) {
--- /dev/null
+From 8efd755ac2fe262d4c8d5c9bbe054bb67dae93da Mon Sep 17 00:00:00 2001
+From: Ingo Molnar <mingo@kernel.org>
+Date: Thu, 28 Apr 2016 11:39:12 +0200
+Subject: mm/mmu_context, sched/core: Fix mmu_context.h assumption
+
+From: Ingo Molnar <mingo@kernel.org>
+
+commit 8efd755ac2fe262d4c8d5c9bbe054bb67dae93da upstream.
+
+Some architectures (such as Alpha) rely on include/linux/sched.h definitions
+in their mmu_context.h files.
+
+So include sched.h before mmu_context.h.
+
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: linux-kernel@vger.kernel.org
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mmu_context.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/mmu_context.c
++++ b/mm/mmu_context.c
+@@ -4,9 +4,9 @@
+ */
+
+ #include <linux/mm.h>
++#include <linux/sched.h>
+ #include <linux/mmu_context.h>
+ #include <linux/export.h>
+-#include <linux/sched.h>
+
+ #include <asm/mmu_context.h>
+
--- /dev/null
+From 858eaaa711700ce4595e039441e239e56d7b9514 Mon Sep 17 00:00:00 2001
+From: Nadav Amit <namit@vmware.com>
+Date: Fri, 1 Apr 2016 14:31:26 -0700
+Subject: mm/rmap: batched invalidations should use existing api
+
+From: Nadav Amit <namit@vmware.com>
+
+commit 858eaaa711700ce4595e039441e239e56d7b9514 upstream.
+
+The recently introduced batched invalidations mechanism uses its own
+mechanism for shootdown. However, it does wrong accounting of
+interrupts (e.g., inc_irq_stat is called for local invalidations),
+trace-points (e.g., TLB_REMOTE_SHOOTDOWN for local invalidations) and
+may break some platforms as it bypasses the invalidation mechanisms of
+Xen and SGI UV.
+
+This patch reuses the existing TLB flushing mechnaisms instead. We use
+NULL as mm to indicate a global invalidation is required.
+
+Fixes 72b252aed506b8 ("mm: send one IPI per CPU to TLB flush all entries after unmapping pages")
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Cc: Mel Gorman <mgorman@suse.de>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/tlbflush.h | 6 ------
+ arch/x86/mm/tlb.c | 2 +-
+ mm/rmap.c | 28 +++++++---------------------
+ 3 files changed, 8 insertions(+), 28 deletions(-)
+
+--- a/arch/x86/include/asm/tlbflush.h
++++ b/arch/x86/include/asm/tlbflush.h
+@@ -325,12 +325,6 @@ static inline void reset_lazy_tlbstate(v
+
+ #endif /* SMP */
+
+-/* Not inlined due to inc_irq_stat not being defined yet */
+-#define flush_tlb_local() { \
+- inc_irq_stat(irq_tlb_count); \
+- local_flush_tlb(); \
+-}
+-
+ #ifndef CONFIG_PARAVIRT
+ #define flush_tlb_others(mask, mm, start, end) \
+ native_flush_tlb_others(mask, mm, start, end)
+--- a/arch/x86/mm/tlb.c
++++ b/arch/x86/mm/tlb.c
+@@ -104,7 +104,7 @@ static void flush_tlb_func(void *info)
+
+ inc_irq_stat(irq_tlb_count);
+
+- if (f->flush_mm != this_cpu_read(cpu_tlbstate.active_mm))
++ if (f->flush_mm && f->flush_mm != this_cpu_read(cpu_tlbstate.active_mm))
+ return;
+
+ count_vm_tlb_event(NR_TLB_REMOTE_FLUSH_RECEIVED);
+--- a/mm/rmap.c
++++ b/mm/rmap.c
+@@ -587,19 +587,6 @@ vma_address(struct page *page, struct vm
+ }
+
+ #ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH
+-static void percpu_flush_tlb_batch_pages(void *data)
+-{
+- /*
+- * All TLB entries are flushed on the assumption that it is
+- * cheaper to flush all TLBs and let them be refilled than
+- * flushing individual PFNs. Note that we do not track mm's
+- * to flush as that might simply be multiple full TLB flushes
+- * for no gain.
+- */
+- count_vm_tlb_event(NR_TLB_REMOTE_FLUSH_RECEIVED);
+- flush_tlb_local();
+-}
+-
+ /*
+ * Flush TLB entries for recently unmapped pages from remote CPUs. It is
+ * important if a PTE was dirty when it was unmapped that it's flushed
+@@ -616,15 +603,14 @@ void try_to_unmap_flush(void)
+
+ cpu = get_cpu();
+
+- trace_tlb_flush(TLB_REMOTE_SHOOTDOWN, -1UL);
+-
+- if (cpumask_test_cpu(cpu, &tlb_ubc->cpumask))
+- percpu_flush_tlb_batch_pages(&tlb_ubc->cpumask);
+-
+- if (cpumask_any_but(&tlb_ubc->cpumask, cpu) < nr_cpu_ids) {
+- smp_call_function_many(&tlb_ubc->cpumask,
+- percpu_flush_tlb_batch_pages, (void *)tlb_ubc, true);
++ if (cpumask_test_cpu(cpu, &tlb_ubc->cpumask)) {
++ count_vm_tlb_event(NR_TLB_LOCAL_FLUSH_ALL);
++ local_flush_tlb();
++ trace_tlb_flush(TLB_LOCAL_SHOOTDOWN, TLB_FLUSH_ALL);
+ }
++
++ if (cpumask_any_but(&tlb_ubc->cpumask, cpu) < nr_cpu_ids)
++ flush_tlb_others(&tlb_ubc->cpumask, NULL, 0, TLB_FLUSH_ALL);
+ cpumask_clear(&tlb_ubc->cpumask);
+ tlb_ubc->flush_required = false;
+ tlb_ubc->writable = false;
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Alexander Duyck <alexander.h.duyck@intel.com>
+Date: Fri, 24 Mar 2017 09:38:03 -0700
+Subject: net: Do not allow negative values for busy_read and busy_poll sysctl interfaces
+
+From: Alexander Duyck <alexander.h.duyck@intel.com>
+
+
+[ Upstream commit 95f255211396958c718aef8c45e3923b5211ea7b ]
+
+This change basically codifies what I think was already the limitations on
+the busy_poll and busy_read sysctl interfaces. We weren't checking the
+lower bounds and as such could input negative values. The behavior when
+that was used was dependent on the architecture. In order to prevent any
+issues with that I am just disabling support for values less than 0 since
+this way we don't have to worry about any odd behaviors.
+
+By limiting the sysctl values this way it also makes it consistent with how
+we handle the SO_BUSY_POLL socket option since the value appears to be
+reported as a signed integer value and negative values are rejected.
+
+Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/sysctl_net_core.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/core/sysctl_net_core.c
++++ b/net/core/sysctl_net_core.c
+@@ -360,14 +360,16 @@ static struct ctl_table net_core_table[]
+ .data = &sysctl_net_busy_poll,
+ .maxlen = sizeof(unsigned int),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dointvec_minmax,
++ .extra1 = &zero,
+ },
+ {
+ .procname = "busy_read",
+ .data = &sysctl_net_busy_read,
+ .maxlen = sizeof(unsigned int),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dointvec_minmax,
++ .extra1 = &zero,
+ },
+ #endif
+ #ifdef CONFIG_NET_SCHED
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Dan Murphy <dmurphy@ti.com>
+Date: Tue, 10 Oct 2017 12:42:56 -0500
+Subject: net: phy: at803x: Change error to EINVAL for invalid MAC
+
+From: Dan Murphy <dmurphy@ti.com>
+
+
+[ Upstream commit fc7556877d1748ac00958822a0a3bba1d4bd9e0d ]
+
+Change the return error code to EINVAL if the MAC
+address is not valid in the set_wol function.
+
+Signed-off-by: Dan Murphy <dmurphy@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/at803x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/at803x.c
++++ b/drivers/net/phy/at803x.c
+@@ -105,7 +105,7 @@ static int at803x_set_wol(struct phy_dev
+ mac = (const u8 *) ndev->dev_addr;
+
+ if (!is_valid_ether_addr(mac))
+- return -EFAULT;
++ return -EINVAL;
+
+ for (i = 0; i < 3; i++) {
+ phy_write(phydev, AT803X_MMD_ACCESS_CONTROL,
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Tony Lindgren <tony@atomide.com>
+Date: Sun, 19 Mar 2017 09:19:57 -0700
+Subject: net: qmi_wwan: Add USB IDs for MDM6600 modem on Motorola Droid 4
+
+From: Tony Lindgren <tony@atomide.com>
+
+
+[ Upstream commit 4071898bf0f4d79ff353db327af2a15123272548 ]
+
+This gets qmicli working with the MDM6600 modem.
+
+Cc: Bjørn Mork <bjorn@mork.no>
+Reviewed-by: Sebastian Reichel <sre@kernel.org>
+Tested-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -410,6 +410,10 @@ static const struct usb_device_id produc
+ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, USB_CLASS_VENDOR_SPEC, 0x01, 0x69),
+ .driver_info = (unsigned long)&qmi_wwan_info,
+ },
++ { /* Motorola Mapphone devices with MDM6600 */
++ USB_VENDOR_AND_INTERFACE_INFO(0x22b8, USB_CLASS_VENDOR_SPEC, 0xfb, 0xff),
++ .driver_info = (unsigned long)&qmi_wwan_info,
++ },
+
+ /* 2. Combined interface devices matching on class+protocol */
+ { /* Huawei E367 and possibly others in "Windows mode" */
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Gao Feng <fgao@ikuai8.com>
+Date: Sat, 25 Mar 2017 18:24:36 +0800
+Subject: netfilter: nf_nat_snmp: Fix panic when snmp_trap_helper fails to register
+
+From: Gao Feng <fgao@ikuai8.com>
+
+
+[ Upstream commit 75c689dca98851d65ef5a27e5ce26b625b68751c ]
+
+In the commit 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp
+helper"), the snmp_helper is replaced by nf_nat_snmp_hook. So the
+snmp_helper is never registered. But it still tries to unregister the
+snmp_helper, it could cause the panic.
+
+Now remove the useless snmp_helper and the unregister call in the
+error handler.
+
+Fixes: 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp helper")
+Signed-off-by: Gao Feng <fgao@ikuai8.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/netfilter/nf_nat_snmp_basic.c | 19 +------------------
+ 1 file changed, 1 insertion(+), 18 deletions(-)
+
+--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
++++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
+@@ -1260,16 +1260,6 @@ static const struct nf_conntrack_expect_
+ .timeout = 180,
+ };
+
+-static struct nf_conntrack_helper snmp_helper __read_mostly = {
+- .me = THIS_MODULE,
+- .help = help,
+- .expect_policy = &snmp_exp_policy,
+- .name = "snmp",
+- .tuple.src.l3num = AF_INET,
+- .tuple.src.u.udp.port = cpu_to_be16(SNMP_PORT),
+- .tuple.dst.protonum = IPPROTO_UDP,
+-};
+-
+ static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
+ .me = THIS_MODULE,
+ .help = help,
+@@ -1288,17 +1278,10 @@ static struct nf_conntrack_helper snmp_t
+
+ static int __init nf_nat_snmp_basic_init(void)
+ {
+- int ret = 0;
+-
+ BUG_ON(nf_nat_snmp_hook != NULL);
+ RCU_INIT_POINTER(nf_nat_snmp_hook, help);
+
+- ret = nf_conntrack_helper_register(&snmp_trap_helper);
+- if (ret < 0) {
+- nf_conntrack_helper_unregister(&snmp_helper);
+- return ret;
+- }
+- return ret;
++ return nf_conntrack_helper_register(&snmp_trap_helper);
+ }
+
+ static void __exit nf_nat_snmp_basic_fini(void)
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Liping Zhang <zlpnobody@gmail.com>
+Date: Tue, 28 Mar 2017 22:59:25 +0800
+Subject: netfilter: nfnetlink_queue: fix secctx memory leak
+
+From: Liping Zhang <zlpnobody@gmail.com>
+
+
+[ Upstream commit 77c1c03c5b8ef28e55bb0aff29b1e006037ca645 ]
+
+We must call security_release_secctx to free the memory returned by
+security_secid_to_secctx, otherwise memory may be leaked forever.
+
+Fixes: ef493bd930ae ("netfilter: nfnetlink_queue: add security context information")
+Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nfnetlink_queue.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -390,7 +390,7 @@ nfqnl_build_packet_message(struct net *n
+ GFP_ATOMIC);
+ if (!skb) {
+ skb_tx_error(entskb);
+- return NULL;
++ goto nlmsg_failure;
+ }
+
+ nlh = nlmsg_put(skb, 0, 0,
+@@ -399,7 +399,7 @@ nfqnl_build_packet_message(struct net *n
+ if (!nlh) {
+ skb_tx_error(entskb);
+ kfree_skb(skb);
+- return NULL;
++ goto nlmsg_failure;
+ }
+ nfmsg = nlmsg_data(nlh);
+ nfmsg->nfgen_family = entry->state.pf;
+@@ -542,12 +542,17 @@ nfqnl_build_packet_message(struct net *n
+ }
+
+ nlh->nlmsg_len = skb->len;
++ if (seclen)
++ security_release_secctx(secdata, seclen);
+ return skb;
+
+ nla_put_failure:
+ skb_tx_error(entskb);
+ kfree_skb(skb);
+ net_err_ratelimited("nf_queue: error creating packet message\n");
++nlmsg_failure:
++ if (seclen)
++ security_release_secctx(secdata, seclen);
+ return NULL;
+ }
+
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Liping Zhang <zlpnobody@gmail.com>
+Date: Sat, 25 Mar 2017 12:09:15 +0800
+Subject: netfilter: nfnl_cthelper: fix a race when walk the nf_ct_helper_hash table
+
+From: Liping Zhang <zlpnobody@gmail.com>
+
+
+[ Upstream commit 83d90219a5df8d950855ce73229a97b63605c317 ]
+
+The nf_ct_helper_hash table is protected by nf_ct_helper_mutex, while
+nfct_helper operation is protected by nfnl_lock(NFNL_SUBSYS_CTHELPER).
+So it's possible that one CPU is walking the nf_ct_helper_hash for
+cthelper add/get/del, another cpu is doing nf_conntrack_helpers_unregister
+at the same time. This is dangrous, and may cause use after free error.
+
+Note, delete operation will flush all cthelpers added via nfnetlink, so
+using rcu to do protect is not easy.
+
+Now introduce a dummy list to record all the cthelpers added via
+nfnetlink, then we can walk the dummy list instead of walking the
+nf_ct_helper_hash. Also, keep nfnl_cthelper_dump_table unchanged, it
+may be invoked without nfnl_lock(NFNL_SUBSYS_CTHELPER) held.
+
+Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nfnetlink_cthelper.c | 185 +++++++++++++++++--------------------
+ 1 file changed, 85 insertions(+), 100 deletions(-)
+
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -32,6 +32,13 @@ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
+ MODULE_DESCRIPTION("nfnl_cthelper: User-space connection tracking helpers");
+
++struct nfnl_cthelper {
++ struct list_head list;
++ struct nf_conntrack_helper helper;
++};
++
++static LIST_HEAD(nfnl_cthelper_list);
++
+ static int
+ nfnl_userspace_cthelper(struct sk_buff *skb, unsigned int protoff,
+ struct nf_conn *ct, enum ip_conntrack_info ctinfo)
+@@ -205,14 +212,16 @@ nfnl_cthelper_create(const struct nlattr
+ struct nf_conntrack_tuple *tuple)
+ {
+ struct nf_conntrack_helper *helper;
++ struct nfnl_cthelper *nfcth;
+ int ret;
+
+ if (!tb[NFCTH_TUPLE] || !tb[NFCTH_POLICY] || !tb[NFCTH_PRIV_DATA_LEN])
+ return -EINVAL;
+
+- helper = kzalloc(sizeof(struct nf_conntrack_helper), GFP_KERNEL);
+- if (helper == NULL)
++ nfcth = kzalloc(sizeof(*nfcth), GFP_KERNEL);
++ if (nfcth == NULL)
+ return -ENOMEM;
++ helper = &nfcth->helper;
+
+ ret = nfnl_cthelper_parse_expect_policy(helper, tb[NFCTH_POLICY]);
+ if (ret < 0)
+@@ -249,11 +258,12 @@ nfnl_cthelper_create(const struct nlattr
+ if (ret < 0)
+ goto err2;
+
++ list_add_tail(&nfcth->list, &nfnl_cthelper_list);
+ return 0;
+ err2:
+ kfree(helper->expect_policy);
+ err1:
+- kfree(helper);
++ kfree(nfcth);
+ return ret;
+ }
+
+@@ -379,7 +389,8 @@ nfnl_cthelper_new(struct sock *nfnl, str
+ const char *helper_name;
+ struct nf_conntrack_helper *cur, *helper = NULL;
+ struct nf_conntrack_tuple tuple;
+- int ret = 0, i;
++ struct nfnl_cthelper *nlcth;
++ int ret = 0;
+
+ if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
+ return -EINVAL;
+@@ -390,31 +401,22 @@ nfnl_cthelper_new(struct sock *nfnl, str
+ if (ret < 0)
+ return ret;
+
+- rcu_read_lock();
+- for (i = 0; i < nf_ct_helper_hsize && !helper; i++) {
+- hlist_for_each_entry_rcu(cur, &nf_ct_helper_hash[i], hnode) {
++ list_for_each_entry(nlcth, &nfnl_cthelper_list, list) {
++ cur = &nlcth->helper;
+
+- /* skip non-userspace conntrack helpers. */
+- if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
+- continue;
++ if (strncmp(cur->name, helper_name, NF_CT_HELPER_NAME_LEN))
++ continue;
+
+- if (strncmp(cur->name, helper_name,
+- NF_CT_HELPER_NAME_LEN) != 0)
+- continue;
++ if ((tuple.src.l3num != cur->tuple.src.l3num ||
++ tuple.dst.protonum != cur->tuple.dst.protonum))
++ continue;
+
+- if ((tuple.src.l3num != cur->tuple.src.l3num ||
+- tuple.dst.protonum != cur->tuple.dst.protonum))
+- continue;
++ if (nlh->nlmsg_flags & NLM_F_EXCL)
++ return -EEXIST;
+
+- if (nlh->nlmsg_flags & NLM_F_EXCL) {
+- ret = -EEXIST;
+- goto err;
+- }
+- helper = cur;
+- break;
+- }
++ helper = cur;
++ break;
+ }
+- rcu_read_unlock();
+
+ if (helper == NULL)
+ ret = nfnl_cthelper_create(tb, &tuple);
+@@ -422,9 +424,6 @@ nfnl_cthelper_new(struct sock *nfnl, str
+ ret = nfnl_cthelper_update(tb, helper);
+
+ return ret;
+-err:
+- rcu_read_unlock();
+- return ret;
+ }
+
+ static int
+@@ -588,11 +587,12 @@ static int
+ nfnl_cthelper_get(struct sock *nfnl, struct sk_buff *skb,
+ const struct nlmsghdr *nlh, const struct nlattr * const tb[])
+ {
+- int ret = -ENOENT, i;
++ int ret = -ENOENT;
+ struct nf_conntrack_helper *cur;
+ struct sk_buff *skb2;
+ char *helper_name = NULL;
+ struct nf_conntrack_tuple tuple;
++ struct nfnl_cthelper *nlcth;
+ bool tuple_set = false;
+
+ if (nlh->nlmsg_flags & NLM_F_DUMP) {
+@@ -613,45 +613,39 @@ nfnl_cthelper_get(struct sock *nfnl, str
+ tuple_set = true;
+ }
+
+- for (i = 0; i < nf_ct_helper_hsize; i++) {
+- hlist_for_each_entry_rcu(cur, &nf_ct_helper_hash[i], hnode) {
+-
+- /* skip non-userspace conntrack helpers. */
+- if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
+- continue;
+-
+- if (helper_name && strncmp(cur->name, helper_name,
+- NF_CT_HELPER_NAME_LEN) != 0) {
+- continue;
+- }
+- if (tuple_set &&
+- (tuple.src.l3num != cur->tuple.src.l3num ||
+- tuple.dst.protonum != cur->tuple.dst.protonum))
+- continue;
+-
+- skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+- if (skb2 == NULL) {
+- ret = -ENOMEM;
+- break;
+- }
++ list_for_each_entry(nlcth, &nfnl_cthelper_list, list) {
++ cur = &nlcth->helper;
++ if (helper_name &&
++ strncmp(cur->name, helper_name, NF_CT_HELPER_NAME_LEN))
++ continue;
++
++ if (tuple_set &&
++ (tuple.src.l3num != cur->tuple.src.l3num ||
++ tuple.dst.protonum != cur->tuple.dst.protonum))
++ continue;
++
++ skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
++ if (skb2 == NULL) {
++ ret = -ENOMEM;
++ break;
++ }
+
+- ret = nfnl_cthelper_fill_info(skb2, NETLINK_CB(skb).portid,
+- nlh->nlmsg_seq,
+- NFNL_MSG_TYPE(nlh->nlmsg_type),
+- NFNL_MSG_CTHELPER_NEW, cur);
+- if (ret <= 0) {
+- kfree_skb(skb2);
+- break;
+- }
++ ret = nfnl_cthelper_fill_info(skb2, NETLINK_CB(skb).portid,
++ nlh->nlmsg_seq,
++ NFNL_MSG_TYPE(nlh->nlmsg_type),
++ NFNL_MSG_CTHELPER_NEW, cur);
++ if (ret <= 0) {
++ kfree_skb(skb2);
++ break;
++ }
+
+- ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).portid,
+- MSG_DONTWAIT);
+- if (ret > 0)
+- ret = 0;
++ ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).portid,
++ MSG_DONTWAIT);
++ if (ret > 0)
++ ret = 0;
+
+- /* this avoids a loop in nfnetlink. */
+- return ret == -EAGAIN ? -ENOBUFS : ret;
+- }
++ /* this avoids a loop in nfnetlink. */
++ return ret == -EAGAIN ? -ENOBUFS : ret;
+ }
+ return ret;
+ }
+@@ -662,10 +656,10 @@ nfnl_cthelper_del(struct sock *nfnl, str
+ {
+ char *helper_name = NULL;
+ struct nf_conntrack_helper *cur;
+- struct hlist_node *tmp;
+ struct nf_conntrack_tuple tuple;
+ bool tuple_set = false, found = false;
+- int i, j = 0, ret;
++ struct nfnl_cthelper *nlcth, *n;
++ int j = 0, ret;
+
+ if (tb[NFCTH_NAME])
+ helper_name = nla_data(tb[NFCTH_NAME]);
+@@ -678,30 +672,27 @@ nfnl_cthelper_del(struct sock *nfnl, str
+ tuple_set = true;
+ }
+
+- for (i = 0; i < nf_ct_helper_hsize; i++) {
+- hlist_for_each_entry_safe(cur, tmp, &nf_ct_helper_hash[i],
+- hnode) {
+- /* skip non-userspace conntrack helpers. */
+- if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
+- continue;
+-
+- j++;
+-
+- if (helper_name && strncmp(cur->name, helper_name,
+- NF_CT_HELPER_NAME_LEN) != 0) {
+- continue;
+- }
+- if (tuple_set &&
+- (tuple.src.l3num != cur->tuple.src.l3num ||
+- tuple.dst.protonum != cur->tuple.dst.protonum))
+- continue;
++ list_for_each_entry_safe(nlcth, n, &nfnl_cthelper_list, list) {
++ cur = &nlcth->helper;
++ j++;
++
++ if (helper_name &&
++ strncmp(cur->name, helper_name, NF_CT_HELPER_NAME_LEN))
++ continue;
++
++ if (tuple_set &&
++ (tuple.src.l3num != cur->tuple.src.l3num ||
++ tuple.dst.protonum != cur->tuple.dst.protonum))
++ continue;
++
++ found = true;
++ nf_conntrack_helper_unregister(cur);
++ kfree(cur->expect_policy);
+
+- found = true;
+- nf_conntrack_helper_unregister(cur);
+- kfree(cur->expect_policy);
+- kfree(cur);
+- }
++ list_del(&nlcth->list);
++ kfree(nlcth);
+ }
++
+ /* Make sure we return success if we flush and there is no helpers */
+ return (found || j == 0) ? 0 : -ENOENT;
+ }
+@@ -750,22 +741,16 @@ err_out:
+ static void __exit nfnl_cthelper_exit(void)
+ {
+ struct nf_conntrack_helper *cur;
+- struct hlist_node *tmp;
+- int i;
++ struct nfnl_cthelper *nlcth, *n;
+
+ nfnetlink_subsys_unregister(&nfnl_cthelper_subsys);
+
+- for (i=0; i<nf_ct_helper_hsize; i++) {
+- hlist_for_each_entry_safe(cur, tmp, &nf_ct_helper_hash[i],
+- hnode) {
+- /* skip non-userspace conntrack helpers. */
+- if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
+- continue;
++ list_for_each_entry_safe(nlcth, n, &nfnl_cthelper_list, list) {
++ cur = &nlcth->helper;
+
+- nf_conntrack_helper_unregister(cur);
+- kfree(cur->expect_policy);
+- kfree(cur);
+- }
++ nf_conntrack_helper_unregister(cur);
++ kfree(cur->expect_policy);
++ kfree(nlcth);
+ }
+ }
+
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Jeffy Chen <jeffy.chen@rock-chips.com>
+Date: Tue, 21 Mar 2017 15:07:10 +0800
+Subject: netfilter: nfnl_cthelper: Fix memory leak
+
+From: Jeffy Chen <jeffy.chen@rock-chips.com>
+
+
+[ Upstream commit f83bf8da1135ca635aac8f062cad3f001fcf3a26 ]
+
+We have memory leaks of nf_conntrack_helper & expect_policy.
+
+Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nfnetlink_cthelper.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -216,7 +216,7 @@ nfnl_cthelper_create(const struct nlattr
+
+ ret = nfnl_cthelper_parse_expect_policy(helper, tb[NFCTH_POLICY]);
+ if (ret < 0)
+- goto err;
++ goto err1;
+
+ strncpy(helper->name, nla_data(tb[NFCTH_NAME]), NF_CT_HELPER_NAME_LEN);
+ helper->data_len = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
+@@ -247,10 +247,12 @@ nfnl_cthelper_create(const struct nlattr
+
+ ret = nf_conntrack_helper_register(helper);
+ if (ret < 0)
+- goto err;
++ goto err2;
+
+ return 0;
+-err:
++err2:
++ kfree(helper->expect_policy);
++err1:
+ kfree(helper);
+ return ret;
+ }
+@@ -696,6 +698,8 @@ nfnl_cthelper_del(struct sock *nfnl, str
+
+ found = true;
+ nf_conntrack_helper_unregister(cur);
++ kfree(cur->expect_policy);
++ kfree(cur);
+ }
+ }
+ /* Make sure we return success if we flush and there is no helpers */
+@@ -759,6 +763,8 @@ static void __exit nfnl_cthelper_exit(vo
+ continue;
+
+ nf_conntrack_helper_unregister(cur);
++ kfree(cur->expect_policy);
++ kfree(cur);
+ }
+ }
+ }
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 21 Mar 2017 13:32:37 +0100
+Subject: netfilter: nfnl_cthelper: fix runtime expectation policy updates
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+
+[ Upstream commit 2c422257550f123049552b39f7af6e3428a60f43 ]
+
+We only allow runtime updates of expectation policies for timeout and
+maximum number of expectations, otherwise reject the update.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Liping Zhang <zlpnobody@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nfnetlink_cthelper.c | 86 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 84 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -256,6 +256,89 @@ err:
+ }
+
+ static int
++nfnl_cthelper_update_policy_one(const struct nf_conntrack_expect_policy *policy,
++ struct nf_conntrack_expect_policy *new_policy,
++ const struct nlattr *attr)
++{
++ struct nlattr *tb[NFCTH_POLICY_MAX + 1];
++ int err;
++
++ err = nla_parse_nested(tb, NFCTH_POLICY_MAX, attr,
++ nfnl_cthelper_expect_pol);
++ if (err < 0)
++ return err;
++
++ if (!tb[NFCTH_POLICY_NAME] ||
++ !tb[NFCTH_POLICY_EXPECT_MAX] ||
++ !tb[NFCTH_POLICY_EXPECT_TIMEOUT])
++ return -EINVAL;
++
++ if (nla_strcmp(tb[NFCTH_POLICY_NAME], policy->name))
++ return -EBUSY;
++
++ new_policy->max_expected =
++ ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_MAX]));
++ new_policy->timeout =
++ ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_TIMEOUT]));
++
++ return 0;
++}
++
++static int nfnl_cthelper_update_policy_all(struct nlattr *tb[],
++ struct nf_conntrack_helper *helper)
++{
++ struct nf_conntrack_expect_policy new_policy[helper->expect_class_max + 1];
++ struct nf_conntrack_expect_policy *policy;
++ int i, err;
++
++ /* Check first that all policy attributes are well-formed, so we don't
++ * leave things in inconsistent state on errors.
++ */
++ for (i = 0; i < helper->expect_class_max + 1; i++) {
++
++ if (!tb[NFCTH_POLICY_SET + i])
++ return -EINVAL;
++
++ err = nfnl_cthelper_update_policy_one(&helper->expect_policy[i],
++ &new_policy[i],
++ tb[NFCTH_POLICY_SET + i]);
++ if (err < 0)
++ return err;
++ }
++ /* Now we can safely update them. */
++ for (i = 0; i < helper->expect_class_max + 1; i++) {
++ policy = (struct nf_conntrack_expect_policy *)
++ &helper->expect_policy[i];
++ policy->max_expected = new_policy->max_expected;
++ policy->timeout = new_policy->timeout;
++ }
++
++ return 0;
++}
++
++static int nfnl_cthelper_update_policy(struct nf_conntrack_helper *helper,
++ const struct nlattr *attr)
++{
++ struct nlattr *tb[NFCTH_POLICY_SET_MAX + 1];
++ unsigned int class_max;
++ int err;
++
++ err = nla_parse_nested(tb, NFCTH_POLICY_SET_MAX, attr,
++ nfnl_cthelper_expect_policy_set);
++ if (err < 0)
++ return err;
++
++ if (!tb[NFCTH_POLICY_SET_NUM])
++ return -EINVAL;
++
++ class_max = ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM]));
++ if (helper->expect_class_max + 1 != class_max)
++ return -EBUSY;
++
++ return nfnl_cthelper_update_policy_all(tb, helper);
++}
++
++static int
+ nfnl_cthelper_update(const struct nlattr * const tb[],
+ struct nf_conntrack_helper *helper)
+ {
+@@ -265,8 +348,7 @@ nfnl_cthelper_update(const struct nlattr
+ return -EBUSY;
+
+ if (tb[NFCTH_POLICY]) {
+- ret = nfnl_cthelper_parse_expect_policy(helper,
+- tb[NFCTH_POLICY]);
++ ret = nfnl_cthelper_update_policy(helper, tb[NFCTH_POLICY]);
+ if (ret < 0)
+ return ret;
+ }
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Gabriele Paoloni <gabriele.paoloni@huawei.com>
+Date: Thu, 28 Sep 2017 15:33:05 +0100
+Subject: PCI/AER: Report non-fatal errors only to the affected endpoint
+
+From: Gabriele Paoloni <gabriele.paoloni@huawei.com>
+
+
+[ Upstream commit 86acc790717fb60fb51ea3095084e331d8711c74 ]
+
+Previously, if an non-fatal error was reported by an endpoint, we
+called report_error_detected() for the endpoint, every sibling on the
+bus, and their descendents. If any of them did not implement the
+.error_detected() method, do_recovery() failed, leaving all these
+devices unrecovered.
+
+For example, the system described in the bugzilla below has two devices:
+
+ 0000:74:02.0 [19e5:a230] SAS controller, driver has .error_detected()
+ 0000:74:03.0 [19e5:a235] SATA controller, driver lacks .error_detected()
+
+When a device such as 74:02.0 reported a non-fatal error, do_recovery()
+failed because 74:03.0 lacked an .error_detected() method. But per PCIe
+r3.1, sec 6.2.2.2.2, such an error does not compromise the Link and
+does not affect 74:03.0:
+
+ Non-fatal errors are uncorrectable errors which cause a particular
+ transaction to be unreliable but the Link is otherwise fully functional.
+ Isolating Non-fatal from Fatal errors provides Requester/Receiver logic
+ in a device or system management software the opportunity to recover from
+ the error without resetting the components on the Link and disturbing
+ other transactions in progress. Devices not associated with the
+ transaction in error are not impacted by the error.
+
+Report non-fatal errors only to the endpoint that reported them. We really
+want to check for AER_NONFATAL here, but the current code structure doesn't
+allow that. Looking for pci_channel_io_normal is the best we can do now.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=197055
+Fixes: 6c2b374d7485 ("PCI-Express AER implemetation: AER core and aerdriver")
+Signed-off-by: Gabriele Paoloni <gabriele.paoloni@huawei.com>
+Signed-off-by: Dongdong Liu <liudongdong3@huawei.com>
+[bhelgaas: changelog]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pcie/aer/aerdrv_core.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/pcie/aer/aerdrv_core.c
++++ b/drivers/pci/pcie/aer/aerdrv_core.c
+@@ -388,7 +388,14 @@ static pci_ers_result_t broadcast_error_
+ * If the error is reported by an end point, we think this
+ * error is related to the upstream link of the end point.
+ */
+- pci_walk_bus(dev->bus, cb, &result_data);
++ if (state == pci_channel_io_normal)
++ /*
++ * the error is non fatal so the bus is ok, just invoke
++ * the callback for the function that logged the error.
++ */
++ cb(dev, &result_data);
++ else
++ pci_walk_bus(dev->bus, cb, &result_data);
+ }
+
+ return result_data.result;
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: David Daney <david.daney@cavium.com>
+Date: Fri, 8 Sep 2017 10:10:31 +0200
+Subject: PCI: Avoid bus reset if bridge itself is broken
+
+From: David Daney <david.daney@cavium.com>
+
+
+[ Upstream commit 357027786f3523d26f42391aa4c075b8495e5d28 ]
+
+When checking to see if a PCI bus can safely be reset, we previously
+checked to see if any of the children had their PCI_DEV_FLAGS_NO_BUS_RESET
+flag set. Children marked with that flag are known not to behave well
+after a bus reset.
+
+Some PCIe root port bridges also do not behave well after a bus reset,
+sometimes causing the devices behind the bridge to become unusable.
+
+Add a check for PCI_DEV_FLAGS_NO_BUS_RESET being set in the bridge device
+to allow these bridges to be flagged, and prevent their secondary buses
+from being reset.
+
+Signed-off-by: David Daney <david.daney@cavium.com>
+[jglauber@cavium.com: fixed typo]
+Signed-off-by: Jan Glauber <jglauber@cavium.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Alex Williamson <alex.williamson@redhat.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -3850,6 +3850,10 @@ static bool pci_bus_resetable(struct pci
+ {
+ struct pci_dev *dev;
+
++
++ if (bus->self && (bus->self->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET))
++ return false;
++
+ list_for_each_entry(dev, &bus->devices, bus_list) {
+ if (dev->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET ||
+ (dev->subordinate && !pci_bus_resetable(dev->subordinate)))
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Stuart Hayes <stuart.w.hayes@gmail.com>
+Date: Wed, 4 Oct 2017 10:57:52 -0500
+Subject: PCI: Create SR-IOV virtfn/physfn links before attaching driver
+
+From: Stuart Hayes <stuart.w.hayes@gmail.com>
+
+
+[ Upstream commit 27d6162944b9b34c32cd5841acd21786637ee743 ]
+
+When creating virtual functions, create the "virtfn%u" and "physfn" links
+in sysfs *before* attaching the driver instead of after. When we attach
+the driver to the new virtual network interface first, there is a race when
+the driver attaches to the new sends out an "add" udev event, and the
+network interface naming software (biosdevname or systemd, for example)
+tries to look at these links.
+
+Signed-off-by: Stuart Hayes <stuart.w.hayes@gmail.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/iov.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/iov.c
++++ b/drivers/pci/iov.c
+@@ -161,7 +161,6 @@ static int virtfn_add(struct pci_dev *de
+ pci_device_add(virtfn, virtfn->bus);
+ mutex_unlock(&iov->dev->sriov->lock);
+
+- pci_bus_add_device(virtfn);
+ sprintf(buf, "virtfn%u", id);
+ rc = sysfs_create_link(&dev->dev.kobj, &virtfn->dev.kobj, buf);
+ if (rc)
+@@ -172,6 +171,8 @@ static int virtfn_add(struct pci_dev *de
+
+ kobject_uevent(&virtfn->dev.kobj, KOBJ_CHANGE);
+
++ pci_bus_add_device(virtfn);
++
+ return 0;
+
+ failed2:
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+Date: Tue, 3 Oct 2017 18:29:49 -0400
+Subject: percpu: don't forget to free the temporary struct pcpu_alloc_info
+
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+
+
+[ Upstream commit 438a50618095061920d3a30d4c5ca1ef2e0ff860 ]
+
+Unlike the SMP case, the !SMP case does not free the memory for struct
+pcpu_alloc_info allocated in setup_per_cpu_areas(). And to give it a
+chance of being reused by the page allocator later, align it to a page
+boundary just like its size.
+
+Signed-off-by: Nicolas Pitre <nico@linaro.org>
+Acked-by: Dennis Zhou <dennisszhou@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/percpu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/mm/percpu.c
++++ b/mm/percpu.c
+@@ -1402,7 +1402,7 @@ struct pcpu_alloc_info * __init pcpu_all
+ __alignof__(ai->groups[0].cpu_map[0]));
+ ai_size = base_size + nr_units * sizeof(ai->groups[0].cpu_map[0]);
+
+- ptr = memblock_virt_alloc_nopanic(PFN_ALIGN(ai_size), 0);
++ ptr = memblock_virt_alloc_nopanic(PFN_ALIGN(ai_size), PAGE_SIZE);
+ if (!ptr)
+ return NULL;
+ ai = ptr;
+@@ -2265,6 +2265,7 @@ void __init setup_per_cpu_areas(void)
+
+ if (pcpu_setup_first_chunk(ai, fc) < 0)
+ panic("Failed to initialize percpu areas.");
++ pcpu_free_alloc_info(ai);
+ }
+
+ #endif /* CONFIG_SMP */
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Patrice Chotard <patrice.chotard@st.com>
+Date: Thu, 16 Mar 2017 18:26:02 +0100
+Subject: pinctrl: st: add irq_request/release_resources callbacks
+
+From: Patrice Chotard <patrice.chotard@st.com>
+
+
+[ Upstream commit e855fa9a65c40788b5069abb0d094537daa22e05 ]
+
+When using GPIO as IRQ source, the GPIO must be configured
+in INPUT. Callbacks dedicated for this was missing in
+pinctrl-st driver.
+
+This fix the following kernel error when trying to lock a gpio
+as IRQ:
+
+[ 7.521095] gpio gpiochip7: (PIO11): gpiochip_lock_as_irq: tried to flag a GPIO set as output for IRQ
+[ 7.526018] gpio gpiochip7: (PIO11): unable to lock HW IRQ 6 for IRQ
+[ 7.529405] genirq: Failed to request resources for 0-0053 (irq 81) on irqchip GPIO
+
+Signed-off-by: Patrice Chotard <patrice.chotard@st.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-st.c | 30 ++++++++++++++++++++++++------
+ 1 file changed, 24 insertions(+), 6 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-st.c
++++ b/drivers/pinctrl/pinctrl-st.c
+@@ -1338,6 +1338,22 @@ static void st_gpio_irq_unmask(struct ir
+ writel(BIT(d->hwirq), bank->base + REG_PIO_SET_PMASK);
+ }
+
++static int st_gpio_irq_request_resources(struct irq_data *d)
++{
++ struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
++
++ st_gpio_direction_input(gc, d->hwirq);
++
++ return gpiochip_lock_as_irq(gc, d->hwirq);
++}
++
++static void st_gpio_irq_release_resources(struct irq_data *d)
++{
++ struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
++
++ gpiochip_unlock_as_irq(gc, d->hwirq);
++}
++
+ static int st_gpio_irq_set_type(struct irq_data *d, unsigned type)
+ {
+ struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
+@@ -1493,12 +1509,14 @@ static struct gpio_chip st_gpio_template
+ };
+
+ static struct irq_chip st_gpio_irqchip = {
+- .name = "GPIO",
+- .irq_disable = st_gpio_irq_mask,
+- .irq_mask = st_gpio_irq_mask,
+- .irq_unmask = st_gpio_irq_unmask,
+- .irq_set_type = st_gpio_irq_set_type,
+- .flags = IRQCHIP_SKIP_SET_WAKE,
++ .name = "GPIO",
++ .irq_request_resources = st_gpio_irq_request_resources,
++ .irq_release_resources = st_gpio_irq_release_resources,
++ .irq_disable = st_gpio_irq_mask,
++ .irq_mask = st_gpio_irq_mask,
++ .irq_unmask = st_gpio_irq_unmask,
++ .irq_set_type = st_gpio_irq_set_type,
++ .flags = IRQCHIP_SKIP_SET_WAKE,
+ };
+
+ static int st_gpiolib_register_bank(struct st_pinctrl *info,
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: hayeswang <hayeswang@realtek.com>
+Date: Tue, 14 Mar 2017 14:15:20 +0800
+Subject: r8152: fix the list rx_done may be used without initialization
+
+From: hayeswang <hayeswang@realtek.com>
+
+
+[ Upstream commit 98d068ab52b4b11d403995ed14154660797e7136 ]
+
+The list rx_done would be initialized when the linking on occurs.
+Therefore, if a napi is scheduled without any linking on before,
+the following kernel panic would happen.
+
+ BUG: unable to handle kernel NULL pointer dereference at 000000000000008
+ IP: [<ffffffffc085efde>] r8152_poll+0xe1e/0x1210 [r8152]
+ PGD 0
+ Oops: 0002 [#1] SMP
+
+Signed-off-by: Hayes Wang <hayeswang@realtek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/r8152.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -1277,6 +1277,7 @@ static int alloc_all_mem(struct r8152 *t
+ spin_lock_init(&tp->rx_lock);
+ spin_lock_init(&tp->tx_lock);
+ INIT_LIST_HEAD(&tp->tx_free);
++ INIT_LIST_HEAD(&tp->rx_done);
+ skb_queue_head_init(&tp->tx_queue);
+ skb_queue_head_init(&tp->rx_queue);
+
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: hayeswang <hayeswang@realtek.com>
+Date: Thu, 23 Mar 2017 19:14:19 +0800
+Subject: r8152: prevent the driver from transmitting packets with carrier off
+
+From: hayeswang <hayeswang@realtek.com>
+
+
+[ Upstream commit 2f25abe6bac573928a990ccbdac75873add8127e ]
+
+The linking status may be changed when autosuspend. And, after
+autoresume, the driver may try to transmit packets when the device
+is carrier off, because the interrupt transfer doesn't update the
+linking status, yet. And, if the device is in ALDPS mode, the device
+would stop working.
+
+The another similar case is
+ 1. unplug the cable.
+ 2. interrupt transfer queue a work_queue for linking change.
+ 3. device enters the ALDPS mode.
+ 4. a tx occurs before the work_queue is called.
+
+Signed-off-by: Hayes Wang <hayeswang@realtek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/r8152.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -1207,6 +1207,7 @@ static void intr_callback(struct urb *ur
+ }
+ } else {
+ if (netif_carrier_ok(tp->netdev)) {
++ netif_stop_queue(tp->netdev);
+ set_bit(RTL8152_LINK_CHG, &tp->flags);
+ schedule_delayed_work(&tp->schedule, 0);
+ }
+@@ -3001,6 +3002,9 @@ static void set_carrier(struct r8152 *tp
+ napi_enable(&tp->napi);
+ netif_wake_queue(netdev);
+ netif_info(tp, link, netdev, "carrier on\n");
++ } else if (netif_queue_stopped(netdev) &&
++ skb_queue_len(&tp->tx_queue) < tp->tx_qlen) {
++ netif_wake_queue(netdev);
+ }
+ } else {
+ if (netif_carrier_ok(netdev)) {
+@@ -3561,8 +3565,18 @@ static int rtl8152_resume(struct usb_int
+ clear_bit(SELECTIVE_SUSPEND, &tp->flags);
+ napi_disable(&tp->napi);
+ set_bit(WORK_ENABLE, &tp->flags);
+- if (netif_carrier_ok(tp->netdev))
+- rtl_start_rx(tp);
++
++ if (netif_carrier_ok(tp->netdev)) {
++ if (rtl8152_get_speed(tp) & LINK_STATUS) {
++ rtl_start_rx(tp);
++ } else {
++ netif_carrier_off(tp->netdev);
++ tp->rtl_ops.disable(tp);
++ netif_info(tp, link, tp->netdev,
++ "linking down\n");
++ }
++ }
++
+ napi_enable(&tp->napi);
+ } else {
+ tp->rtl_ops.up(tp);
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Mon, 27 Feb 2017 20:16:33 +0200
+Subject: RDMA/iser: Fix possible mr leak on device removal event
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+
+[ Upstream commit ea174c9573b0e0c8bc1a7a90fe9360ccb7aa9cbb ]
+
+When the rdma device is removed, we must cleanup all
+the rdma resources within the DEVICE_REMOVAL event
+handler to let the device teardown gracefully. When
+this happens with live I/O, some memory regions are
+occupied. Thus, track them too and dereg all the mr's.
+
+We are safe with mr access by iscsi_iser_cleanup_task.
+
+Reported-by: Raju Rangoju <rajur@chelsio.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
+Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/ulp/iser/iscsi_iser.h | 2 ++
+ drivers/infiniband/ulp/iser/iser_verbs.c | 8 +++++---
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/ulp/iser/iscsi_iser.h
++++ b/drivers/infiniband/ulp/iser/iscsi_iser.h
+@@ -450,6 +450,7 @@ struct iser_fr_desc {
+ struct list_head list;
+ struct iser_reg_resources rsc;
+ struct iser_pi_context *pi_ctx;
++ struct list_head all_list;
+ };
+
+ /**
+@@ -463,6 +464,7 @@ struct iser_fr_pool {
+ struct list_head list;
+ spinlock_t lock;
+ int size;
++ struct list_head all_list;
+ };
+
+ /**
+--- a/drivers/infiniband/ulp/iser/iser_verbs.c
++++ b/drivers/infiniband/ulp/iser/iser_verbs.c
+@@ -405,6 +405,7 @@ int iser_alloc_fastreg_pool(struct ib_co
+ int i, ret;
+
+ INIT_LIST_HEAD(&fr_pool->list);
++ INIT_LIST_HEAD(&fr_pool->all_list);
+ spin_lock_init(&fr_pool->lock);
+ fr_pool->size = 0;
+ for (i = 0; i < cmds_max; i++) {
+@@ -416,6 +417,7 @@ int iser_alloc_fastreg_pool(struct ib_co
+ }
+
+ list_add_tail(&desc->list, &fr_pool->list);
++ list_add_tail(&desc->all_list, &fr_pool->all_list);
+ fr_pool->size++;
+ }
+
+@@ -435,13 +437,13 @@ void iser_free_fastreg_pool(struct ib_co
+ struct iser_fr_desc *desc, *tmp;
+ int i = 0;
+
+- if (list_empty(&fr_pool->list))
++ if (list_empty(&fr_pool->all_list))
+ return;
+
+ iser_info("freeing conn %p fr pool\n", ib_conn);
+
+- list_for_each_entry_safe(desc, tmp, &fr_pool->list, list) {
+- list_del(&desc->list);
++ list_for_each_entry_safe(desc, tmp, &fr_pool->all_list, all_list) {
++ list_del(&desc->all_list);
+ iser_free_reg_res(&desc->rsc);
+ if (desc->pi_ctx)
+ iser_free_pi_ctx(desc->pi_ctx);
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Fri, 29 Sep 2017 11:22:15 +0100
+Subject: rtc: pl031: make interrupt optional
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+
+[ Upstream commit 5b64a2965dfdfca8039e93303c64e2b15c19ff0c ]
+
+On some platforms, the interrupt for the PL031 is optional. Avoid
+trying to claim the interrupt if it's not specified.
+
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-pl031.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/rtc/rtc-pl031.c
++++ b/drivers/rtc/rtc-pl031.c
+@@ -308,7 +308,8 @@ static int pl031_remove(struct amba_devi
+
+ dev_pm_clear_wake_irq(&adev->dev);
+ device_init_wakeup(&adev->dev, false);
+- free_irq(adev->irq[0], ldata);
++ if (adev->irq[0])
++ free_irq(adev->irq[0], ldata);
+ rtc_device_unregister(ldata->rtc);
+ iounmap(ldata->base);
+ kfree(ldata);
+@@ -381,12 +382,13 @@ static int pl031_probe(struct amba_devic
+ goto out_no_rtc;
+ }
+
+- if (request_irq(adev->irq[0], pl031_interrupt,
+- vendor->irqflags, "rtc-pl031", ldata)) {
+- ret = -EIO;
+- goto out_no_irq;
++ if (adev->irq[0]) {
++ ret = request_irq(adev->irq[0], pl031_interrupt,
++ vendor->irqflags, "rtc-pl031", ldata);
++ if (ret)
++ goto out_no_irq;
++ dev_pm_set_wake_irq(&adev->dev, adev->irq[0]);
+ }
+- dev_pm_set_wake_irq(&adev->dev, adev->irq[0]);
+ return 0;
+
+ out_no_irq:
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Date: Thu, 28 Sep 2017 13:53:27 +0200
+Subject: rtc: set the alarm to the next expiring timer
+
+From: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+
+
+[ Upstream commit 74717b28cb32e1ad3c1042cafd76b264c8c0f68d ]
+
+If there is any non expired timer in the queue, the RTC alarm is never set.
+This is an issue when adding a timer that expires before the next non
+expired timer.
+
+Ensure the RTC alarm is set in that case.
+
+Fixes: 2b2f5ff00f63 ("rtc: interface: ignore expired timers when enqueuing new timers")
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/interface.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/rtc/interface.c
++++ b/drivers/rtc/interface.c
+@@ -764,7 +764,7 @@ static int rtc_timer_enqueue(struct rtc_
+ }
+
+ timerqueue_add(&rtc->timerqueue, &timer->node);
+- if (!next) {
++ if (!next || ktime_before(timer->node.expires, next->expires)) {
+ struct rtc_wkalrm alarm;
+ int err;
+ alarm.time = rtc_ktime_to_tm(timer->node.expires);
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Thu, 23 Mar 2017 14:55:09 +0100
+Subject: s390/qeth: no ETH header for outbound AF_IUCV
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+
+[ Upstream commit acd9776b5c45ef02d1a210969a6fcc058afb76e3 ]
+
+With AF_IUCV traffic, the skb passed to hard_start_xmit() has a 14 byte
+slot at skb->data, intended for an ETH header. qeth_l3_fill_af_iucv_hdr()
+fills this ETH header... and then immediately moves it to the
+skb's headroom, where it disappears and is never seen again.
+
+But it's still possible for us to return NETDEV_TX_BUSY after the skb has
+been modified. Since we didn't get a private copy of the skb, the next
+time the skb is delivered to hard_start_xmit() it no longer has the
+expected layout (we moved the ETH header to the headroom, so skb->data
+now starts at the IUCV_TRANS header). So when qeth_l3_fill_af_iucv_hdr()
+does another round of rebuilding, the resulting qeth header ends up
+all wrong. On transmission, the buffer is then rejected by
+the HiperSockets device with SBALF15 = x'04'.
+When this error is passed back to af_iucv as TX_NOTIFY_UNREACHABLE, it
+tears down the offending socket.
+
+As the ETH header for AF_IUCV serves no purpose, just align the code to
+what we do for IP traffic on L3 HiperSockets: keep the ETH header at
+skb->data, and pass down data_offset = ETH_HLEN to qeth_fill_buffer().
+When mapping the payload into the SBAL elements, the ETH header is then
+stripped off. This avoids the skb manipulations in
+qeth_l3_fill_af_iucv_hdr(), and any buffer re-entering hard_start_xmit()
+after NETDEV_TX_BUSY is now processed properly.
+
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_l3_main.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+--- a/drivers/s390/net/qeth_l3_main.c
++++ b/drivers/s390/net/qeth_l3_main.c
+@@ -2680,17 +2680,13 @@ static void qeth_l3_fill_af_iucv_hdr(str
+ char daddr[16];
+ struct af_iucv_trans_hdr *iucv_hdr;
+
+- skb_pull(skb, 14);
+- card->dev->header_ops->create(skb, card->dev, 0,
+- card->dev->dev_addr, card->dev->dev_addr,
+- card->dev->addr_len);
+- skb_pull(skb, 14);
+- iucv_hdr = (struct af_iucv_trans_hdr *)skb->data;
+ memset(hdr, 0, sizeof(struct qeth_hdr));
+ hdr->hdr.l3.id = QETH_HEADER_TYPE_LAYER3;
+ hdr->hdr.l3.ext_flags = 0;
+- hdr->hdr.l3.length = skb->len;
++ hdr->hdr.l3.length = skb->len - ETH_HLEN;
+ hdr->hdr.l3.flags = QETH_HDR_IPV6 | QETH_CAST_UNICAST;
++
++ iucv_hdr = (struct af_iucv_trans_hdr *) (skb->data + ETH_HLEN);
+ memset(daddr, 0, sizeof(daddr));
+ daddr[0] = 0xfe;
+ daddr[1] = 0x80;
+@@ -2873,10 +2869,7 @@ static int qeth_l3_hard_start_xmit(struc
+ if ((card->info.type == QETH_CARD_TYPE_IQD) && (!large_send) &&
+ (skb_shinfo(skb)->nr_frags == 0)) {
+ new_skb = skb;
+- if (new_skb->protocol == ETH_P_AF_IUCV)
+- data_offset = 0;
+- else
+- data_offset = ETH_HLEN;
++ data_offset = ETH_HLEN;
+ hdr = kmem_cache_alloc(qeth_core_header_cache, GFP_ATOMIC);
+ if (!hdr)
+ goto tx_drop;
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 17 Mar 2017 08:05:28 -0700
+Subject: sch_dsmark: fix invalid skb_cow() usage
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit aea92fb2e09e29653b023d4254ac9fbf94221538 ]
+
+skb_cow(skb, sizeof(ip header)) is not very helpful in this context.
+
+First we need to use pskb_may_pull() to make sure the ip header
+is in skb linear part, then use skb_try_make_writable() to
+address clones issues.
+
+Fixes: 4c30719f4f55 ("[PKT_SCHED] dsmark: handle cloned and non-linear skb's")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_dsmark.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/sched/sch_dsmark.c
++++ b/net/sched/sch_dsmark.c
+@@ -199,9 +199,13 @@ static int dsmark_enqueue(struct sk_buff
+ pr_debug("%s(skb %p,sch %p,[qdisc %p])\n", __func__, skb, sch, p);
+
+ if (p->set_tc_index) {
++ int wlen = skb_network_offset(skb);
++
+ switch (tc_skb_protocol(skb)) {
+ case htons(ETH_P_IP):
+- if (skb_cow_head(skb, sizeof(struct iphdr)))
++ wlen += sizeof(struct iphdr);
++ if (!pskb_may_pull(skb, wlen) ||
++ skb_try_make_writable(skb, wlen))
+ goto drop;
+
+ skb->tc_index = ipv4_get_dsfield(ip_hdr(skb))
+@@ -209,7 +213,9 @@ static int dsmark_enqueue(struct sk_buff
+ break;
+
+ case htons(ETH_P_IPV6):
+- if (skb_cow_head(skb, sizeof(struct ipv6hdr)))
++ wlen += sizeof(struct ipv6hdr);
++ if (!pskb_may_pull(skb, wlen) ||
++ skb_try_make_writable(skb, wlen))
+ goto drop;
+
+ skb->tc_index = ipv6_get_dsfield(ipv6_hdr(skb))
--- /dev/null
+From f98db6013c557c216da5038d9c52045be55cd039 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Tue, 26 Apr 2016 09:39:06 -0700
+Subject: sched/core: Add switch_mm_irqs_off() and use it in the scheduler
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit f98db6013c557c216da5038d9c52045be55cd039 upstream.
+
+By default, this is the same thing as switch_mm().
+
+x86 will override it as an optimization.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/df401df47bdd6be3e389c6f1e3f5310d70e81b2c.1461688545.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/mmu_context.h | 7 +++++++
+ kernel/sched/core.c | 6 +++---
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+--- a/include/linux/mmu_context.h
++++ b/include/linux/mmu_context.h
+@@ -1,9 +1,16 @@
+ #ifndef _LINUX_MMU_CONTEXT_H
+ #define _LINUX_MMU_CONTEXT_H
+
++#include <asm/mmu_context.h>
++
+ struct mm_struct;
+
+ void use_mm(struct mm_struct *mm);
+ void unuse_mm(struct mm_struct *mm);
+
++/* Architectures that care about IRQ state in switch_mm can override this. */
++#ifndef switch_mm_irqs_off
++# define switch_mm_irqs_off switch_mm
++#endif
++
+ #endif
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -32,7 +32,7 @@
+ #include <linux/init.h>
+ #include <linux/uaccess.h>
+ #include <linux/highmem.h>
+-#include <asm/mmu_context.h>
++#include <linux/mmu_context.h>
+ #include <linux/interrupt.h>
+ #include <linux/capability.h>
+ #include <linux/completion.h>
+@@ -2708,7 +2708,7 @@ context_switch(struct rq *rq, struct tas
+ atomic_inc(&oldmm->mm_count);
+ enter_lazy_tlb(oldmm, next);
+ } else
+- switch_mm(oldmm, mm, next);
++ switch_mm_irqs_off(oldmm, mm, next);
+
+ if (!prev->mm) {
+ prev->active_mm = NULL;
+@@ -5206,7 +5206,7 @@ void idle_task_exit(void)
+ BUG_ON(cpu_online(smp_processor_id()));
+
+ if (mm != &init_mm) {
+- switch_mm(mm, &init_mm, current);
++ switch_mm_irqs_off(mm, &init_mm, current);
+ finish_arch_post_lock_switch();
+ }
+ mmdrop(mm);
--- /dev/null
+From 252d2a4117bc181b287eeddf848863788da733ae Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Fri, 9 Jun 2017 11:49:15 -0700
+Subject: sched/core: Idle_task_exit() shouldn't use switch_mm_irqs_off()
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 252d2a4117bc181b287eeddf848863788da733ae upstream.
+
+idle_task_exit() can be called with IRQs on x86 on and therefore
+should use switch_mm(), not switch_mm_irqs_off().
+
+This doesn't seem to cause any problems right now, but it will
+confuse my upcoming TLB flush changes. Nonetheless, I think it
+should be backported because it's trivial. There won't be any
+meaningful performance impact because idle_task_exit() is only
+used when offlining a CPU.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Fixes: f98db6013c55 ("sched/core: Add switch_mm_irqs_off() and use it in the scheduler")
+Link: http://lkml.kernel.org/r/ca3d1a9fa93a0b49f5a8ff729eda3640fb6abdf9.1497034141.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -5206,7 +5206,7 @@ void idle_task_exit(void)
+ BUG_ON(cpu_online(smp_processor_id()));
+
+ if (mm != &init_mm) {
+- switch_mm_irqs_off(mm, &init_mm, current);
++ switch_mm(mm, &init_mm, current);
+ finish_arch_post_lock_switch();
+ }
+ mmdrop(mm);
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Varun Prakash <varun@chelsio.com>
+Date: Wed, 11 Oct 2017 19:33:07 +0530
+Subject: scsi: cxgb4i: fix Tx skb leak
+
+From: Varun Prakash <varun@chelsio.com>
+
+
+[ Upstream commit 9b3a081fb62158b50bcc90522ca2423017544367 ]
+
+In case of connection reset Tx skb queue can have some skbs which are
+not transmitted so purge Tx skb queue in release_offload_resources() to
+avoid skb leak.
+
+Signed-off-by: Varun Prakash <varun@chelsio.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/cxgbi/cxgb4i/cxgb4i.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
++++ b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
+@@ -1339,6 +1339,7 @@ static void release_offload_resources(st
+ csk, csk->state, csk->flags, csk->tid);
+
+ cxgbi_sock_free_cpl_skbs(csk);
++ cxgbi_sock_purge_write_queue(csk);
+ if (csk->wr_cred != csk->wr_max_cred) {
+ cxgbi_sock_purge_wr_queue(csk);
+ cxgbi_sock_reset_wr_list(csk);
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+Date: Thu, 23 Mar 2017 08:47:18 -0400
+Subject: scsi: lpfc: Fix PT2PT PRLI reject
+
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+
+
+[ Upstream commit a71e3cdcfce4880a4578915e110e3eaed1659765 ]
+
+lpfc cannot establish connection with targets that send PRLI in P2P
+configurations.
+
+If lpfc rejects a PRLI that is sent from a target the target will not
+resend and will reject the PRLI send from the initiator.
+
+[mkp: applied by hand]
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_els.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -7491,7 +7491,8 @@ lpfc_els_unsol_buffer(struct lpfc_hba *p
+ did, vport->port_state, ndlp->nlp_flag);
+
+ phba->fc_stat.elsRcvPRLI++;
+- if (vport->port_state < LPFC_DISC_AUTH) {
++ if ((vport->port_state < LPFC_DISC_AUTH) &&
++ (vport->fc_flag & FC_FABRIC)) {
+ rjt_err = LSRJT_UNABLE_TPC;
+ rjt_exp = LSEXP_NOTHING_MORE;
+ break;
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+Date: Fri, 29 Sep 2017 17:34:42 -0700
+Subject: scsi: lpfc: Fix secure firmware updates
+
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+
+
+[ Upstream commit 184fc2b9a8bcbda9c14d0a1e7fbecfc028c7702e ]
+
+Firmware update fails with: status x17 add_status x56 on the final write
+
+If multiple DMA buffers are used for the download, some firmware revs
+have difficulty with signatures and crcs split across the dma buffer
+boundaries. Resolve by making all writes be a single 4k page in length.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_hw4.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/lpfc/lpfc_hw4.h
++++ b/drivers/scsi/lpfc/lpfc_hw4.h
+@@ -3180,7 +3180,7 @@ struct lpfc_mbx_get_port_name {
+ #define MB_CEQ_STATUS_QUEUE_FLUSHING 0x4
+ #define MB_CQE_STATUS_DMA_FAILED 0x5
+
+-#define LPFC_MBX_WR_CONFIG_MAX_BDE 8
++#define LPFC_MBX_WR_CONFIG_MAX_BDE 1
+ struct lpfc_mbx_wr_object {
+ struct mbox_header header;
+ union {
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+Date: Fri, 29 Sep 2017 17:34:32 -0700
+Subject: scsi: lpfc: PLOGI failures during NPIV testing
+
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+
+
+[ Upstream commit e8bcf0ae4c0346fdc78ebefe0eefcaa6a6622d38 ]
+
+Local Reject/Invalid RPI errors seen during discovery.
+
+Temporary RPI cleanup was occurring regardless of SLI rev. It's only
+necessary on SLI-4.
+
+Adjust the test for whether cleanup is necessary.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_hbadisc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -4777,7 +4777,8 @@ lpfc_nlp_remove(struct lpfc_vport *vport
+ lpfc_cancel_retry_delay_tmo(vport, ndlp);
+ if ((ndlp->nlp_flag & NLP_DEFER_RM) &&
+ !(ndlp->nlp_flag & NLP_REG_LOGIN_SEND) &&
+- !(ndlp->nlp_flag & NLP_RPI_REGISTERED)) {
++ !(ndlp->nlp_flag & NLP_RPI_REGISTERED) &&
++ phba->sli_rev != LPFC_SLI_REV4) {
+ /* For this case we need to cleanup the default rpi
+ * allocated by the firmware.
+ */
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Date: Tue, 10 Oct 2017 18:41:18 +0530
+Subject: scsi: mpt3sas: Fix IO error occurs on pulling out a drive from RAID1 volume created on two SATA drive
+
+From: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+
+
+[ Upstream commit 2ce9a3645299ba1752873d333d73f67620f4550b ]
+
+Whenever an I/O for a RAID volume fails with IOCStatus
+MPI2_IOCSTATUS_SCSI_IOC_TERMINATED and SCSIStatus equal to
+(MPI2_SCSI_STATE_TERMINATED | MPI2_SCSI_STATE_NO_SCSI_STATUS) then
+return the I/O to SCSI midlayer with "DID_RESET" (i.e. retry the IO
+infinite times) set in the host byte.
+
+Previously, the driver was completing the I/O with "DID_SOFT_ERROR"
+which causes the I/O to be quickly retried. However, firmware needed
+more time and hence I/Os were failing.
+
+Signed-off-by: Sreekanth Reddy <Sreekanth.Reddy@broadcom.com>
+Reviewed-by: Tomas Henzl <thenzl@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -4588,6 +4588,11 @@ _scsih_io_done(struct MPT3SAS_ADAPTER *i
+ } else if (log_info == VIRTUAL_IO_FAILED_RETRY) {
+ scmd->result = DID_RESET << 16;
+ break;
++ } else if ((scmd->device->channel == RAID_CHANNEL) &&
++ (scsi_state == (MPI2_SCSI_STATE_TERMINATED |
++ MPI2_SCSI_STATE_NO_SCSI_STATUS))) {
++ scmd->result = DID_RESET << 16;
++ break;
+ }
+ scmd->result = DID_SOFT_ERROR << 16;
+ break;
arm64-initialise-high_memory-global-variable-earlier.patch
cxl-check-if-vphb-exists-before-iterating-over-afu-devices.patch
+x86-mm-add-invpcid-helpers.patch
+x86-mm-fix-invpcid-asm-constraint.patch
+x86-mm-add-a-noinvpcid-boot-option-to-turn-off-invpcid.patch
+x86-mm-if-invpcid-is-available-use-it-to-flush-global-mappings.patch
+mm-rmap-batched-invalidations-should-use-existing-api.patch
+mm-mmu_context-sched-core-fix-mmu_context.h-assumption.patch
+sched-core-add-switch_mm_irqs_off-and-use-it-in-the-scheduler.patch
+x86-mm-build-arch-x86-mm-tlb.c-even-on-smp.patch
+x86-mm-sched-core-uninline-switch_mm.patch
+x86-mm-sched-core-turn-off-irqs-in-switch_mm.patch
+arm-hide-finish_arch_post_lock_switch-from-modules.patch
+sched-core-idle_task_exit-shouldn-t-use-switch_mm_irqs_off.patch
+x86-irq-do-not-substract-irq_tlb_count-from-irq_call_count.patch
+alsa-hda-add-support-for-docking-station-for-hp-820-g2.patch
+alsa-hda-add-support-for-docking-station-for-hp-840-g3.patch
+arm-kprobes-fix-the-return-address-of-multiple-kretprobes.patch
+arm-kprobes-align-stack-to-8-bytes-in-test-code.patch
+cpuidle-validate-cpu_dev-in-cpuidle_add_sysfs.patch
+r8152-fix-the-list-rx_done-may-be-used-without-initialization.patch
+crypto-deadlock-between-crypto_alg_sem-rtnl_mutex-genl_mutex.patch
+sch_dsmark-fix-invalid-skb_cow-usage.patch
+bna-integer-overflow-bug-in-debugfs.patch
+net-qmi_wwan-add-usb-ids-for-mdm6600-modem-on-motorola-droid-4.patch
+usb-gadget-f_uvc-sanity-check-wmaxpacketsize-for-superspeed.patch
+usb-gadget-udc-remove-pointer-dereference-after-free.patch
+netfilter-nfnl_cthelper-fix-runtime-expectation-policy-updates.patch
+netfilter-nfnl_cthelper-fix-memory-leak.patch
+inet-frag-release-spinlock-before-calling-icmp_send.patch
+pinctrl-st-add-irq_request-release_resources-callbacks.patch
+scsi-lpfc-fix-pt2pt-prli-reject.patch
+kvm-x86-correct-async-page-present-tracepoint.patch
+kvm-vmx-fix-enable-vpid-conditions.patch
+arm-dts-ti-fix-pci-bus-dtc-warnings.patch
+hwmon-asus_atk0110-fix-uninitialized-data-access.patch
+i2c-mux-pca954x-add-missing-pca9546-definition-to-chip_desc.patch
+hid-xinmo-fix-for-out-of-range-for-tht-2p-arcade-controller.patch
+r8152-prevent-the-driver-from-transmitting-packets-with-carrier-off.patch
+s390-qeth-no-eth-header-for-outbound-af_iucv.patch
+bna-avoid-writing-uninitialized-data-into-hw-registers.patch
+net-do-not-allow-negative-values-for-busy_read-and-busy_poll-sysctl-interfaces.patch
+i40e-do-not-enable-napi-on-q_vectors-that-have-no-rings.patch
+rdma-iser-fix-possible-mr-leak-on-device-removal-event.patch
+irda-vlsi_ir-fix-check-for-dma-mapping-errors.patch
+netfilter-nfnl_cthelper-fix-a-race-when-walk-the-nf_ct_helper_hash-table.patch
+netfilter-nf_nat_snmp-fix-panic-when-snmp_trap_helper-fails-to-register.patch
+arm-dts-am335x-evmsk-adjust-mmc2-param-to-allow-suspend.patch
+kvm-pci-assign-do-not-map-smm-memory-slot-pages-in-vt-d-page-tables.patch
+isdn-kcapi-avoid-uninitialized-data.patch
+xhci-plat-register-shutdown-for-xhci_plat.patch
+netfilter-nfnetlink_queue-fix-secctx-memory-leak.patch
+arm-dma-mapping-disallow-dma_get_sgtable-for-non-kernel-managed-memory.patch
+cpuidle-powernv-pass-correct-drv-cpumask-for-registration.patch
+bnxt_en-fix-null-pointer-dereference-in-reopen-failure-path.patch
+backlight-pwm_bl-fix-overflow-condition.patch
+crypto-crypto4xx-increase-context-and-scatter-ring-buffer-elements.patch
+rtc-pl031-make-interrupt-optional.patch
+net-phy-at803x-change-error-to-einval-for-invalid-mac.patch
+pci-avoid-bus-reset-if-bridge-itself-is-broken.patch
+scsi-cxgb4i-fix-tx-skb-leak.patch
+scsi-mpt3sas-fix-io-error-occurs-on-pulling-out-a-drive-from-raid1-volume-created-on-two-sata-drive.patch
+pci-create-sr-iov-virtfn-physfn-links-before-attaching-driver.patch
+igb-check-memory-allocation-failure.patch
+ixgbe-fix-use-of-uninitialized-padding.patch
+pci-aer-report-non-fatal-errors-only-to-the-affected-endpoint.patch
+percpu-don-t-forget-to-free-the-temporary-struct-pcpu_alloc_info.patch
+scsi-lpfc-fix-secure-firmware-updates.patch
+scsi-lpfc-plogi-failures-during-npiv-testing.patch
+fm10k-ensure-we-process-sm-mbx-when-processing-vf-mbx.patch
+tcp-fix-under-evaluated-ssthresh-in-tcp-vegas.patch
+rtc-set-the-alarm-to-the-next-expiring-timer.patch
+cpuidle-fix-broadcast-control-when-broadcast-can-not-be-entered.patch
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Hoang Tran <tranviethoang.vn@gmail.com>
+Date: Wed, 27 Sep 2017 18:30:58 +0200
+Subject: tcp: fix under-evaluated ssthresh in TCP Vegas
+
+From: Hoang Tran <tranviethoang.vn@gmail.com>
+
+
+[ Upstream commit cf5d74b85ef40c202c76d90959db4d850f301b95 ]
+
+With the commit 76174004a0f19785 (tcp: do not slow start when cwnd equals
+ssthresh), the comparison to the reduced cwnd in tcp_vegas_ssthresh() would
+under-evaluate the ssthresh.
+
+Signed-off-by: Hoang Tran <hoang.tran@uclouvain.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_vegas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_vegas.c
++++ b/net/ipv4/tcp_vegas.c
+@@ -158,7 +158,7 @@ EXPORT_SYMBOL_GPL(tcp_vegas_cwnd_event);
+
+ static inline u32 tcp_vegas_ssthresh(struct tcp_sock *tp)
+ {
+- return min(tp->snd_ssthresh, tp->snd_cwnd-1);
++ return min(tp->snd_ssthresh, tp->snd_cwnd);
+ }
+
+ static void tcp_vegas_cong_avoid(struct sock *sk, u32 ack, u32 acked)
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Roger Quadros <rogerq@ti.com>
+Date: Wed, 8 Mar 2017 16:05:44 +0200
+Subject: usb: gadget: f_uvc: Sanity check wMaxPacketSize for SuperSpeed
+
+From: Roger Quadros <rogerq@ti.com>
+
+
+[ Upstream commit 16bb05d98c904a4f6c5ce7e2d992299f794acbf2 ]
+
+As per USB3.0 Specification "Table 9-20. Standard Endpoint Descriptor",
+for interrupt and isochronous endpoints, wMaxPacketSize must be set to
+1024 if the endpoint defines bMaxBurst to be greater than zero.
+
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_uvc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/gadget/function/f_uvc.c
++++ b/drivers/usb/gadget/function/f_uvc.c
+@@ -594,6 +594,14 @@ uvc_function_bind(struct usb_configurati
+ opts->streaming_maxpacket = clamp(opts->streaming_maxpacket, 1U, 3072U);
+ opts->streaming_maxburst = min(opts->streaming_maxburst, 15U);
+
++ /* For SS, wMaxPacketSize has to be 1024 if bMaxBurst is not 0 */
++ if (opts->streaming_maxburst &&
++ (opts->streaming_maxpacket % 1024) != 0) {
++ opts->streaming_maxpacket = roundup(opts->streaming_maxpacket, 1024);
++ INFO(cdev, "overriding streaming_maxpacket to %d\n",
++ opts->streaming_maxpacket);
++ }
++
+ /* Fill in the FS/HS/SS Video Streaming specific descriptors from the
+ * module parameters.
+ *
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+Date: Fri, 10 Mar 2017 15:39:32 -0600
+Subject: usb: gadget: udc: remove pointer dereference after free
+
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+
+
+[ Upstream commit 1f459262b0e1649a1e5ad12fa4c66eb76c2220ce ]
+
+Remove pointer dereference after free.
+
+Addresses-Coverity-ID: 1091173
+Acked-by: Michal Nazarewicz <mina86@mina86.com>
+Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/pch_udc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/pch_udc.c
++++ b/drivers/usb/gadget/udc/pch_udc.c
+@@ -1534,7 +1534,6 @@ static void pch_udc_free_dma_chain(struc
+ td = phys_to_virt(addr);
+ addr2 = (dma_addr_t)td->next;
+ pci_pool_free(dev->data_requests, td, addr);
+- td->next = 0x00;
+ addr = addr2;
+ }
+ req->chain_len = 1;
--- /dev/null
+From 82ba4faca1bffad429f15c90c980ffd010366c25 Mon Sep 17 00:00:00 2001
+From: Aaron Lu <aaron.lu@intel.com>
+Date: Thu, 11 Aug 2016 15:44:30 +0800
+Subject: x86/irq: Do not substract irq_tlb_count from irq_call_count
+
+From: Aaron Lu <aaron.lu@intel.com>
+
+commit 82ba4faca1bffad429f15c90c980ffd010366c25 upstream.
+
+Since commit:
+
+ 52aec3308db8 ("x86/tlb: replace INVALIDATE_TLB_VECTOR by CALL_FUNCTION_VECTOR")
+
+the TLB remote shootdown is done through call function vector. That
+commit didn't take care of irq_tlb_count, which a later commit:
+
+ fd0f5869724f ("x86: Distinguish TLB shootdown interrupts from other functions call interrupts")
+
+... tried to fix.
+
+The fix assumes every increase of irq_tlb_count has a corresponding
+increase of irq_call_count. So the irq_call_count is always bigger than
+irq_tlb_count and we could substract irq_tlb_count from irq_call_count.
+
+Unfortunately this is not true for the smp_call_function_single() case.
+The IPI is only sent if the target CPU's call_single_queue is empty when
+adding a csd into it in generic_exec_single. That means if two threads
+are both adding flush tlb csds to the same CPU's call_single_queue, only
+one IPI is sent. In other words, the irq_call_count is incremented by 1
+but irq_tlb_count is incremented by 2. Over time, irq_tlb_count will be
+bigger than irq_call_count and the substract will produce a very large
+irq_call_count value due to overflow.
+
+Considering that:
+
+ 1) it's not worth to send more IPIs for the sake of accurate counting of
+ irq_call_count in generic_exec_single();
+
+ 2) it's not easy to tell if the call function interrupt is for TLB
+ shootdown in __smp_call_function_single_interrupt().
+
+Not to exclude TLB shootdown from call function count seems to be the
+simplest fix and this patch just does that.
+
+This bug was found by LKP's cyclic performance regression tracking recently
+with the vm-scalability test suite. I have bisected to commit:
+
+ 3dec0ba0be6a ("mm/rmap: share the i_mmap_rwsem")
+
+This commit didn't do anything wrong but revealed the irq_call_count
+problem. IIUC, the commit makes rwc->remap_one in rmap_walk_file
+concurrent with multiple threads. When remap_one is try_to_unmap_one(),
+then multiple threads could queue flush TLB to the same CPU but only
+one IPI will be sent.
+
+Since the commit was added in Linux v3.19, the counting problem only
+shows up from v3.19 onwards.
+
+Signed-off-by: Aaron Lu <aaron.lu@intel.com>
+Cc: Alex Shi <alex.shi@linaro.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Huang Ying <ying.huang@intel.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tomoki Sekiyama <tomoki.sekiyama.qu@hitachi.com>
+Link: http://lkml.kernel.org/r/20160811074430.GA18163@aaronlu.sh.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/hardirq.h | 4 ----
+ arch/x86/kernel/irq.c | 3 +--
+ 2 files changed, 1 insertion(+), 6 deletions(-)
+
+--- a/arch/x86/include/asm/hardirq.h
++++ b/arch/x86/include/asm/hardirq.h
+@@ -22,10 +22,6 @@ typedef struct {
+ #ifdef CONFIG_SMP
+ unsigned int irq_resched_count;
+ unsigned int irq_call_count;
+- /*
+- * irq_tlb_count is double-counted in irq_call_count, so it must be
+- * subtracted from irq_call_count when displaying irq_call_count
+- */
+ unsigned int irq_tlb_count;
+ #endif
+ #ifdef CONFIG_X86_THERMAL_VECTOR
+--- a/arch/x86/kernel/irq.c
++++ b/arch/x86/kernel/irq.c
+@@ -102,8 +102,7 @@ int arch_show_interrupts(struct seq_file
+ seq_puts(p, " Rescheduling interrupts\n");
+ seq_printf(p, "%*s: ", prec, "CAL");
+ for_each_online_cpu(j)
+- seq_printf(p, "%10u ", irq_stats(j)->irq_call_count -
+- irq_stats(j)->irq_tlb_count);
++ seq_printf(p, "%10u ", irq_stats(j)->irq_call_count);
+ seq_puts(p, " Function call interrupts\n");
+ seq_printf(p, "%*s: ", prec, "TLB");
+ for_each_online_cpu(j)
--- /dev/null
+From d12a72b844a49d4162f24cefdab30bed3f86730e Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Fri, 29 Jan 2016 11:42:58 -0800
+Subject: x86/mm: Add a 'noinvpcid' boot option to turn off INVPCID
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit d12a72b844a49d4162f24cefdab30bed3f86730e upstream.
+
+This adds a chicken bit to turn off INVPCID in case something goes
+wrong. It's an early_param() because we do TLB flushes before we
+parse __setup() parameters.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Luis R. Rodriguez <mcgrof@suse.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Toshi Kani <toshi.kani@hp.com>
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/f586317ed1bc2b87aee652267e515b90051af385.1454096309.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/kernel-parameters.txt | 2 ++
+ arch/x86/kernel/cpu/common.c | 16 ++++++++++++++++
+ 2 files changed, 18 insertions(+)
+
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -2519,6 +2519,8 @@ bytes respectively. Such letter suffixes
+
+ nointroute [IA-64]
+
++ noinvpcid [X86] Disable the INVPCID cpu feature.
++
+ nojitter [IA-64] Disables jitter checking for ITC timers.
+
+ no-kvmclock [X86,KVM] Disable paravirtualized KVM clock driver
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -162,6 +162,22 @@ static int __init x86_mpx_setup(char *s)
+ }
+ __setup("nompx", x86_mpx_setup);
+
++static int __init x86_noinvpcid_setup(char *s)
++{
++ /* noinvpcid doesn't accept parameters */
++ if (s)
++ return -EINVAL;
++
++ /* do not emit a message if the feature is not present */
++ if (!boot_cpu_has(X86_FEATURE_INVPCID))
++ return 0;
++
++ setup_clear_cpu_cap(X86_FEATURE_INVPCID);
++ pr_info("noinvpcid: INVPCID feature disabled\n");
++ return 0;
++}
++early_param("noinvpcid", x86_noinvpcid_setup);
++
+ #ifdef CONFIG_X86_32
+ static int cachesize_override = -1;
+ static int disable_x86_serial_nr = 1;
--- /dev/null
+From 060a402a1ddb551455ee410de2eadd3349f2801b Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Fri, 29 Jan 2016 11:42:57 -0800
+Subject: x86/mm: Add INVPCID helpers
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 060a402a1ddb551455ee410de2eadd3349f2801b upstream.
+
+This adds helpers for each of the four currently-specified INVPCID
+modes.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Luis R. Rodriguez <mcgrof@suse.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Toshi Kani <toshi.kani@hp.com>
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/8a62b23ad686888cee01da134c91409e22064db9.1454096309.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/tlbflush.h | 48 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+--- a/arch/x86/include/asm/tlbflush.h
++++ b/arch/x86/include/asm/tlbflush.h
+@@ -7,6 +7,54 @@
+ #include <asm/processor.h>
+ #include <asm/special_insns.h>
+
++static inline void __invpcid(unsigned long pcid, unsigned long addr,
++ unsigned long type)
++{
++ u64 desc[2] = { pcid, addr };
++
++ /*
++ * The memory clobber is because the whole point is to invalidate
++ * stale TLB entries and, especially if we're flushing global
++ * mappings, we don't want the compiler to reorder any subsequent
++ * memory accesses before the TLB flush.
++ *
++ * The hex opcode is invpcid (%ecx), %eax in 32-bit mode and
++ * invpcid (%rcx), %rax in long mode.
++ */
++ asm volatile (".byte 0x66, 0x0f, 0x38, 0x82, 0x01"
++ : : "m" (desc), "a" (type), "c" (desc) : "memory");
++}
++
++#define INVPCID_TYPE_INDIV_ADDR 0
++#define INVPCID_TYPE_SINGLE_CTXT 1
++#define INVPCID_TYPE_ALL_INCL_GLOBAL 2
++#define INVPCID_TYPE_ALL_NON_GLOBAL 3
++
++/* Flush all mappings for a given pcid and addr, not including globals. */
++static inline void invpcid_flush_one(unsigned long pcid,
++ unsigned long addr)
++{
++ __invpcid(pcid, addr, INVPCID_TYPE_INDIV_ADDR);
++}
++
++/* Flush all mappings for a given PCID, not including globals. */
++static inline void invpcid_flush_single_context(unsigned long pcid)
++{
++ __invpcid(pcid, 0, INVPCID_TYPE_SINGLE_CTXT);
++}
++
++/* Flush all mappings, including globals, for all PCIDs. */
++static inline void invpcid_flush_all(void)
++{
++ __invpcid(0, 0, INVPCID_TYPE_ALL_INCL_GLOBAL);
++}
++
++/* Flush all mappings for all PCIDs except globals. */
++static inline void invpcid_flush_all_nonglobals(void)
++{
++ __invpcid(0, 0, INVPCID_TYPE_ALL_NON_GLOBAL);
++}
++
+ #ifdef CONFIG_PARAVIRT
+ #include <asm/paravirt.h>
+ #else
--- /dev/null
+From e1074888c326038340a1ada9129d679e661f2ea6 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Tue, 26 Apr 2016 09:39:07 -0700
+Subject: x86/mm: Build arch/x86/mm/tlb.c even on !SMP
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit e1074888c326038340a1ada9129d679e661f2ea6 upstream.
+
+Currently all of the functions that live in tlb.c are inlined on
+!SMP builds. One can debate whether this is a good idea (in many
+respects the code in tlb.c is better than the inlined UP code).
+
+Regardless, I want to add code that needs to be built on UP and SMP
+kernels and relates to tlb flushing, so arrange for tlb.c to be
+compiled unconditionally.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/f0d778f0d828fc46e5d1946bca80f0aaf9abf032.1461688545.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ arch/x86/mm/Makefile | 3 +--
+ arch/x86/mm/tlb.c | 4 ++++
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/mm/Makefile
++++ b/arch/x86/mm/Makefile
+@@ -1,5 +1,5 @@
+ obj-y := init.o init_$(BITS).o fault.o ioremap.o extable.o pageattr.o mmap.o \
+- pat.o pgtable.o physaddr.o gup.o setup_nx.o
++ pat.o pgtable.o physaddr.o gup.o setup_nx.o tlb.o
+
+ # Make sure __phys_addr has no stackprotector
+ nostackp := $(call cc-option, -fno-stack-protector)
+@@ -9,7 +9,6 @@ CFLAGS_setup_nx.o := $(nostackp)
+ CFLAGS_fault.o := -I$(src)/../include/asm/trace
+
+ obj-$(CONFIG_X86_PAT) += pat_rbtree.o
+-obj-$(CONFIG_SMP) += tlb.o
+
+ obj-$(CONFIG_X86_32) += pgtable_32.o iomap_32.o
+
+--- a/arch/x86/mm/tlb.c
++++ b/arch/x86/mm/tlb.c
+@@ -28,6 +28,8 @@
+ * Implement flush IPI by CALL_FUNCTION_VECTOR, Alex Shi
+ */
+
++#ifdef CONFIG_SMP
++
+ struct flush_tlb_info {
+ struct mm_struct *flush_mm;
+ unsigned long flush_start;
+@@ -351,3 +353,5 @@ static int __init create_tlb_single_page
+ return 0;
+ }
+ late_initcall(create_tlb_single_page_flush_ceiling);
++
++#endif /* CONFIG_SMP */
--- /dev/null
+From e2c7698cd61f11d4077fdb28148b2d31b82ac848 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Wed, 10 Feb 2016 15:51:16 +0100
+Subject: x86/mm: Fix INVPCID asm constraint
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Borislav Petkov <bp@suse.de>
+
+commit e2c7698cd61f11d4077fdb28148b2d31b82ac848 upstream.
+
+So we want to specify the dependency on both @pcid and @addr so that the
+compiler doesn't reorder accesses to them *before* the TLB flush. But
+for that to work, we need to express this properly in the inline asm and
+deref the whole desc array, not the pointer to it. See clwb() for an
+example.
+
+This fixes the build error on 32-bit:
+
+ arch/x86/include/asm/tlbflush.h: In function ‘__invpcid’:
+ arch/x86/include/asm/tlbflush.h:26:18: error: memory input 0 is not directly addressable
+
+which gcc4.7 caught but 5.x didn't. Which is strange. :-\
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Luis R. Rodriguez <mcgrof@suse.com>
+Cc: Michael Matz <matz@suse.de>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Toshi Kani <toshi.kani@hp.com>
+Cc: linux-mm@kvack.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/tlbflush.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/tlbflush.h
++++ b/arch/x86/include/asm/tlbflush.h
+@@ -10,7 +10,7 @@
+ static inline void __invpcid(unsigned long pcid, unsigned long addr,
+ unsigned long type)
+ {
+- u64 desc[2] = { pcid, addr };
++ struct { u64 d[2]; } desc = { { pcid, addr } };
+
+ /*
+ * The memory clobber is because the whole point is to invalidate
+@@ -22,7 +22,7 @@ static inline void __invpcid(unsigned lo
+ * invpcid (%rcx), %rax in long mode.
+ */
+ asm volatile (".byte 0x66, 0x0f, 0x38, 0x82, 0x01"
+- : : "m" (desc), "a" (type), "c" (desc) : "memory");
++ : : "m" (desc), "a" (type), "c" (&desc) : "memory");
+ }
+
+ #define INVPCID_TYPE_INDIV_ADDR 0
--- /dev/null
+From d8bced79af1db6734f66b42064cc773cada2ce99 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Fri, 29 Jan 2016 11:42:59 -0800
+Subject: x86/mm: If INVPCID is available, use it to flush global mappings
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit d8bced79af1db6734f66b42064cc773cada2ce99 upstream.
+
+On my Skylake laptop, INVPCID function 2 (flush absolutely
+everything) takes about 376ns, whereas saving flags, twiddling
+CR4.PGE to flush global mappings, and restoring flags takes about
+539ns.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Luis R. Rodriguez <mcgrof@suse.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Toshi Kani <toshi.kani@hp.com>
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/ed0ef62581c0ea9c99b9bf6df726015e96d44743.1454096309.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/tlbflush.h | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/x86/include/asm/tlbflush.h
++++ b/arch/x86/include/asm/tlbflush.h
+@@ -159,6 +159,15 @@ static inline void __native_flush_tlb_gl
+ {
+ unsigned long flags;
+
++ if (static_cpu_has(X86_FEATURE_INVPCID)) {
++ /*
++ * Using INVPCID is considerably faster than a pair of writes
++ * to CR4 sandwiched inside an IRQ flag save/restore.
++ */
++ invpcid_flush_all();
++ return;
++ }
++
+ /*
+ * Read-modify-write to CR4 - protect it from preemption and
+ * from interrupts. (Use the raw variant because this code can
--- /dev/null
+From 078194f8e9fe3cf54c8fd8bded48a1db5bd8eb8a Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Tue, 26 Apr 2016 09:39:09 -0700
+Subject: x86/mm, sched/core: Turn off IRQs in switch_mm()
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 078194f8e9fe3cf54c8fd8bded48a1db5bd8eb8a upstream.
+
+Potential races between switch_mm() and TLB-flush or LDT-flush IPIs
+could be very messy. AFAICT the code is currently okay, whether by
+accident or by careful design, but enabling PCID will make it
+considerably more complicated and will no longer be obviously safe.
+
+Fix it with a big hammer: run switch_mm() with IRQs off.
+
+To avoid a performance hit in the scheduler, we take advantage of
+our knowledge that the scheduler already has IRQs disabled when it
+calls switch_mm().
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/f19baf759693c9dcae64bbff76189db77cb13398.1461688545.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/mmu_context.h | 3 +++
+ arch/x86/mm/tlb.c | 10 ++++++++++
+ 2 files changed, 13 insertions(+)
+
+--- a/arch/x86/include/asm/mmu_context.h
++++ b/arch/x86/include/asm/mmu_context.h
+@@ -107,6 +107,9 @@ static inline void enter_lazy_tlb(struct
+ extern void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+ struct task_struct *tsk);
+
++extern void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
++ struct task_struct *tsk);
++#define switch_mm_irqs_off switch_mm_irqs_off
+
+ #define activate_mm(prev, next) \
+ do { \
+--- a/arch/x86/mm/tlb.c
++++ b/arch/x86/mm/tlb.c
+@@ -64,6 +64,16 @@ EXPORT_SYMBOL_GPL(leave_mm);
+ void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+ struct task_struct *tsk)
+ {
++ unsigned long flags;
++
++ local_irq_save(flags);
++ switch_mm_irqs_off(prev, next, tsk);
++ local_irq_restore(flags);
++}
++
++void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
++ struct task_struct *tsk)
++{
+ unsigned cpu = smp_processor_id();
+
+ if (likely(prev != next)) {
--- /dev/null
+From 69c0319aabba45bcf33178916a2f06967b4adede Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Tue, 26 Apr 2016 09:39:08 -0700
+Subject: x86/mm, sched/core: Uninline switch_mm()
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 69c0319aabba45bcf33178916a2f06967b4adede upstream.
+
+It's fairly large and it has quite a few callers. This may also
+help untangle some headers down the road.
+
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/54f3367803e7f80b2be62c8a21879aa74b1a5f57.1461688545.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/mmu_context.h | 98 -----------------------------------
+ arch/x86/mm/tlb.c | 102 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 104 insertions(+), 96 deletions(-)
+
+--- a/arch/x86/include/asm/mmu_context.h
++++ b/arch/x86/include/asm/mmu_context.h
+@@ -104,103 +104,9 @@ static inline void enter_lazy_tlb(struct
+ #endif
+ }
+
+-static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
+- struct task_struct *tsk)
+-{
+- unsigned cpu = smp_processor_id();
++extern void switch_mm(struct mm_struct *prev, struct mm_struct *next,
++ struct task_struct *tsk);
+
+- if (likely(prev != next)) {
+-#ifdef CONFIG_SMP
+- this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
+- this_cpu_write(cpu_tlbstate.active_mm, next);
+-#endif
+- cpumask_set_cpu(cpu, mm_cpumask(next));
+-
+- /*
+- * Re-load page tables.
+- *
+- * This logic has an ordering constraint:
+- *
+- * CPU 0: Write to a PTE for 'next'
+- * CPU 0: load bit 1 in mm_cpumask. if nonzero, send IPI.
+- * CPU 1: set bit 1 in next's mm_cpumask
+- * CPU 1: load from the PTE that CPU 0 writes (implicit)
+- *
+- * We need to prevent an outcome in which CPU 1 observes
+- * the new PTE value and CPU 0 observes bit 1 clear in
+- * mm_cpumask. (If that occurs, then the IPI will never
+- * be sent, and CPU 0's TLB will contain a stale entry.)
+- *
+- * The bad outcome can occur if either CPU's load is
+- * reordered before that CPU's store, so both CPUs must
+- * execute full barriers to prevent this from happening.
+- *
+- * Thus, switch_mm needs a full barrier between the
+- * store to mm_cpumask and any operation that could load
+- * from next->pgd. TLB fills are special and can happen
+- * due to instruction fetches or for no reason at all,
+- * and neither LOCK nor MFENCE orders them.
+- * Fortunately, load_cr3() is serializing and gives the
+- * ordering guarantee we need.
+- *
+- */
+- load_cr3(next->pgd);
+-
+- trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
+-
+- /* Stop flush ipis for the previous mm */
+- cpumask_clear_cpu(cpu, mm_cpumask(prev));
+-
+- /* Load per-mm CR4 state */
+- load_mm_cr4(next);
+-
+-#ifdef CONFIG_MODIFY_LDT_SYSCALL
+- /*
+- * Load the LDT, if the LDT is different.
+- *
+- * It's possible that prev->context.ldt doesn't match
+- * the LDT register. This can happen if leave_mm(prev)
+- * was called and then modify_ldt changed
+- * prev->context.ldt but suppressed an IPI to this CPU.
+- * In this case, prev->context.ldt != NULL, because we
+- * never set context.ldt to NULL while the mm still
+- * exists. That means that next->context.ldt !=
+- * prev->context.ldt, because mms never share an LDT.
+- */
+- if (unlikely(prev->context.ldt != next->context.ldt))
+- load_mm_ldt(next);
+-#endif
+- }
+-#ifdef CONFIG_SMP
+- else {
+- this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
+- BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next);
+-
+- if (!cpumask_test_cpu(cpu, mm_cpumask(next))) {
+- /*
+- * On established mms, the mm_cpumask is only changed
+- * from irq context, from ptep_clear_flush() while in
+- * lazy tlb mode, and here. Irqs are blocked during
+- * schedule, protecting us from simultaneous changes.
+- */
+- cpumask_set_cpu(cpu, mm_cpumask(next));
+-
+- /*
+- * We were in lazy tlb mode and leave_mm disabled
+- * tlb flush IPI delivery. We must reload CR3
+- * to make sure to use no freed page tables.
+- *
+- * As above, load_cr3() is serializing and orders TLB
+- * fills with respect to the mm_cpumask write.
+- */
+- load_cr3(next->pgd);
+- trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
+- load_mm_cr4(next);
+- load_mm_ldt(next);
+- }
+- }
+-#endif
+-}
+
+ #define activate_mm(prev, next) \
+ do { \
+--- a/arch/x86/mm/tlb.c
++++ b/arch/x86/mm/tlb.c
+@@ -59,6 +59,108 @@ void leave_mm(int cpu)
+ }
+ EXPORT_SYMBOL_GPL(leave_mm);
+
++#endif /* CONFIG_SMP */
++
++void switch_mm(struct mm_struct *prev, struct mm_struct *next,
++ struct task_struct *tsk)
++{
++ unsigned cpu = smp_processor_id();
++
++ if (likely(prev != next)) {
++#ifdef CONFIG_SMP
++ this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
++ this_cpu_write(cpu_tlbstate.active_mm, next);
++#endif
++ cpumask_set_cpu(cpu, mm_cpumask(next));
++
++ /*
++ * Re-load page tables.
++ *
++ * This logic has an ordering constraint:
++ *
++ * CPU 0: Write to a PTE for 'next'
++ * CPU 0: load bit 1 in mm_cpumask. if nonzero, send IPI.
++ * CPU 1: set bit 1 in next's mm_cpumask
++ * CPU 1: load from the PTE that CPU 0 writes (implicit)
++ *
++ * We need to prevent an outcome in which CPU 1 observes
++ * the new PTE value and CPU 0 observes bit 1 clear in
++ * mm_cpumask. (If that occurs, then the IPI will never
++ * be sent, and CPU 0's TLB will contain a stale entry.)
++ *
++ * The bad outcome can occur if either CPU's load is
++ * reordered before that CPU's store, so both CPUs must
++ * execute full barriers to prevent this from happening.
++ *
++ * Thus, switch_mm needs a full barrier between the
++ * store to mm_cpumask and any operation that could load
++ * from next->pgd. TLB fills are special and can happen
++ * due to instruction fetches or for no reason at all,
++ * and neither LOCK nor MFENCE orders them.
++ * Fortunately, load_cr3() is serializing and gives the
++ * ordering guarantee we need.
++ *
++ */
++ load_cr3(next->pgd);
++
++ trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
++
++ /* Stop flush ipis for the previous mm */
++ cpumask_clear_cpu(cpu, mm_cpumask(prev));
++
++ /* Load per-mm CR4 state */
++ load_mm_cr4(next);
++
++#ifdef CONFIG_MODIFY_LDT_SYSCALL
++ /*
++ * Load the LDT, if the LDT is different.
++ *
++ * It's possible that prev->context.ldt doesn't match
++ * the LDT register. This can happen if leave_mm(prev)
++ * was called and then modify_ldt changed
++ * prev->context.ldt but suppressed an IPI to this CPU.
++ * In this case, prev->context.ldt != NULL, because we
++ * never set context.ldt to NULL while the mm still
++ * exists. That means that next->context.ldt !=
++ * prev->context.ldt, because mms never share an LDT.
++ */
++ if (unlikely(prev->context.ldt != next->context.ldt))
++ load_mm_ldt(next);
++#endif
++ }
++#ifdef CONFIG_SMP
++ else {
++ this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
++ BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next);
++
++ if (!cpumask_test_cpu(cpu, mm_cpumask(next))) {
++ /*
++ * On established mms, the mm_cpumask is only changed
++ * from irq context, from ptep_clear_flush() while in
++ * lazy tlb mode, and here. Irqs are blocked during
++ * schedule, protecting us from simultaneous changes.
++ */
++ cpumask_set_cpu(cpu, mm_cpumask(next));
++
++ /*
++ * We were in lazy tlb mode and leave_mm disabled
++ * tlb flush IPI delivery. We must reload CR3
++ * to make sure to use no freed page tables.
++ *
++ * As above, load_cr3() is serializing and orders TLB
++ * fills with respect to the mm_cpumask write.
++ */
++ load_cr3(next->pgd);
++ trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
++ load_mm_cr4(next);
++ load_mm_ldt(next);
++ }
++ }
++#endif
++}
++
++#ifdef CONFIG_SMP
++
+ /*
+ * The flush IPI assumes that a thread switch happens in this order:
+ * [cpu0: the cpu that switches]
--- /dev/null
+From foo@baz Thu Dec 21 10:35:49 CET 2017
+From: Adam Wallis <awallis@codeaurora.org>
+Date: Tue, 28 Mar 2017 15:55:28 +0300
+Subject: xhci: plat: Register shutdown for xhci_plat
+
+From: Adam Wallis <awallis@codeaurora.org>
+
+
+[ Upstream commit b07c12517f2aed0add8ce18146bb426b14099392 ]
+
+Shutdown should be called for xhci_plat devices especially for
+situations where kexec might be used by stopping DMA
+transactions.
+
+Signed-off-by: Adam Wallis <awallis@codeaurora.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-plat.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -284,6 +284,7 @@ MODULE_DEVICE_TABLE(acpi, usb_xhci_acpi_
+ static struct platform_driver usb_xhci_driver = {
+ .probe = xhci_plat_probe,
+ .remove = xhci_plat_remove,
++ .shutdown = usb_hcd_platform_shutdown,
+ .driver = {
+ .name = "xhci-hcd",
+ .pm = DEV_PM_OPS,
projects / thirdparty / kernel / stable-queue.git / commitdiff
