--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Jaroslav Kysela <perex@perex.cz>
+Date: Thu, 9 Mar 2017 13:29:13 +0100
+Subject: ALSA: hda - add support for docking station for HP 820 G2
+
+From: Jaroslav Kysela <perex@perex.cz>
+
+
+[ Upstream commit 04d5466a976b096364a39a63ac264c1b3a5f8fa1 ]
+
+This tested patch adds missing initialization for Line-In/Out PINs for
+the docking station for HP 820 G2.
+
+Signed-off-by: Jaroslav Kysela <perex@perex.cz>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4683,6 +4683,7 @@ enum {
+ ALC286_FIXUP_HP_GPIO_LED,
+ ALC280_FIXUP_HP_GPIO2_MIC_HOTKEY,
+ ALC280_FIXUP_HP_DOCK_PINS,
++ ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED,
+ ALC280_FIXUP_HP_9480M,
+ ALC288_FIXUP_DELL_HEADSET_MODE,
+ ALC288_FIXUP_DELL1_MIC_NO_PRESENCE,
+@@ -5216,6 +5217,16 @@ static const struct hda_fixup alc269_fix
+ .chained = true,
+ .chain_id = ALC280_FIXUP_HP_GPIO4
+ },
++ [ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x1b, 0x21011020 }, /* line-out */
++ { 0x18, 0x2181103f }, /* line-in */
++ { },
++ },
++ .chained = true,
++ .chain_id = ALC269_FIXUP_HP_GPIO_MIC1_LED
++ },
+ [ALC280_FIXUP_HP_9480M] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc280_fixup_hp_9480m,
+@@ -5388,7 +5399,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x2256, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED),
+ SND_PCI_QUIRK(0x103c, 0x2257, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED),
+ SND_PCI_QUIRK(0x103c, 0x2259, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED),
+- SND_PCI_QUIRK(0x103c, 0x225a, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED),
++ SND_PCI_QUIRK(0x103c, 0x225a, "HP", ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED),
+ SND_PCI_QUIRK(0x103c, 0x2260, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
+ SND_PCI_QUIRK(0x103c, 0x2263, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
+ SND_PCI_QUIRK(0x103c, 0x2264, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1),
+@@ -5544,6 +5555,7 @@ static const struct hda_model_fixup alc2
+ {.id = ALC269_FIXUP_HEADSET_MIC, .name = "headset-mic"},
+ {.id = ALC269_FIXUP_LENOVO_DOCK, .name = "lenovo-dock"},
+ {.id = ALC269_FIXUP_HP_GPIO_LED, .name = "hp-gpio-led"},
++ {.id = ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED, .name = "hp-dock-gpio-mic1-led"},
+ {.id = ALC269_FIXUP_DELL1_MIC_NO_PRESENCE, .name = "dell-headset-multi"},
+ {.id = ALC269_FIXUP_DELL2_MIC_NO_PRESENCE, .name = "dell-headset-dock"},
+ {.id = ALC283_FIXUP_CHROME_BOOK, .name = "alc283-dac-wcaps"},
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Wed, 29 Mar 2017 17:12:47 +0100
+Subject: ARM: dma-mapping: disallow dma_get_sgtable() for non-kernel managed memory
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+
+[ Upstream commit 916a008b4b8ecc02fbd035cfb133773dba1ff3d7 ]
+
+dma_get_sgtable() tries to create a scatterlist table containing valid
+struct page pointers for the coherent memory allocation passed in to it.
+
+However, memory can be declared via dma_declare_coherent_memory(), or
+via other reservation schemes which means that coherent memory is not
+guaranteed to be backed by struct pages. In such cases, the resulting
+scatterlist table contains pointers to invalid pages, which causes
+kernel oops later.
+
+This patch adds detection of such memory, and refuses to create a
+scatterlist table for such memory.
+
+Reported-by: Shuah Khan <shuahkhan@gmail.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mm/dma-mapping.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/mm/dma-mapping.c
++++ b/arch/arm/mm/dma-mapping.c
+@@ -749,13 +749,31 @@ static void arm_coherent_dma_free(struct
+ __arm_dma_free(dev, size, cpu_addr, handle, attrs, true);
+ }
+
++/*
++ * The whole dma_get_sgtable() idea is fundamentally unsafe - it seems
++ * that the intention is to allow exporting memory allocated via the
++ * coherent DMA APIs through the dma_buf API, which only accepts a
++ * scattertable. This presents a couple of problems:
++ * 1. Not all memory allocated via the coherent DMA APIs is backed by
++ * a struct page
++ * 2. Passing coherent DMA memory into the streaming APIs is not allowed
++ * as we will try to flush the memory through a different alias to that
++ * actually being used (and the flushes are redundant.)
++ */
+ int arm_dma_get_sgtable(struct device *dev, struct sg_table *sgt,
+ void *cpu_addr, dma_addr_t handle, size_t size,
+ struct dma_attrs *attrs)
+ {
+- struct page *page = pfn_to_page(dma_to_pfn(dev, handle));
++ unsigned long pfn = dma_to_pfn(dev, handle);
++ struct page *page;
+ int ret;
+
++ /* If the PFN is not valid, we do not have a struct page */
++ if (!pfn_valid(pfn))
++ return -ENXIO;
++
++ page = pfn_to_page(pfn);
++
+ ret = sg_alloc_table(sgt, 1, GFP_KERNEL);
+ if (unlikely(ret))
+ return ret;
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: "Reizer, Eyal" <eyalr@ti.com>
+Date: Sun, 26 Mar 2017 08:53:10 +0000
+Subject: ARM: dts: am335x-evmsk: adjust mmc2 param to allow suspend
+
+From: "Reizer, Eyal" <eyalr@ti.com>
+
+
+[ Upstream commit 9bcf53f34a2c1cebc45cc12e273dcd5f51fbc099 ]
+
+mmc2 used for wl12xx was missing the keep-power-in suspend
+parameter. As a result the board couldn't reach suspend state.
+
+Signed-off-by: Eyal Reizer <eyalr@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/am335x-evmsk.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/boot/dts/am335x-evmsk.dts
++++ b/arch/arm/boot/dts/am335x-evmsk.dts
+@@ -645,6 +645,7 @@
+ ti,non-removable;
+ bus-width = <4>;
+ cap-power-off-card;
++ keep-power-in-suspend;
+ pinctrl-names = "default";
+ pinctrl-0 = <&mmc2_pins>;
+ };
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Rob Herring <robh@kernel.org>
+Date: Tue, 21 Mar 2017 21:03:01 -0500
+Subject: ARM: dts: ti: fix PCI bus dtc warnings
+
+From: Rob Herring <robh@kernel.org>
+
+
+[ Upstream commit 7d79f6098d82f8c09914d7799bc96891ad9c3baf ]
+
+dtc recently added PCI bus checks. Fix these warnings.
+
+Signed-off-by: Rob Herring <robh@kernel.org>
+Cc: "BenoƮt Cousson" <bcousson@baylibre.com>
+Cc: Tony Lindgren <tony@atomide.com>
+Cc: linux-omap@vger.kernel.org
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/dra7.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/boot/dts/dra7.dtsi
++++ b/arch/arm/boot/dts/dra7.dtsi
+@@ -118,6 +118,7 @@
+ device_type = "pci";
+ ranges = <0x81000000 0 0 0x03000 0 0x00010000
+ 0x82000000 0 0x20013000 0x13000 0 0xffed000>;
++ bus-range = <0x00 0xff>;
+ #interrupt-cells = <1>;
+ num-lanes = <1>;
+ ti,hwmods = "pcie1";
+@@ -153,6 +154,7 @@
+ device_type = "pci";
+ ranges = <0x81000000 0 0 0x03000 0 0x00010000
+ 0x82000000 0 0x30013000 0x13000 0 0xffed000>;
++ bus-range = <0x00 0xff>;
+ #interrupt-cells = <1>;
+ num-lanes = <1>;
+ ti,hwmods = "pcie2";
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Derek Basehore <dbasehore@chromium.org>
+Date: Tue, 29 Aug 2017 13:34:34 -0700
+Subject: backlight: pwm_bl: Fix overflow condition
+
+From: Derek Basehore <dbasehore@chromium.org>
+
+
+[ Upstream commit 5d0c49acebc9488e37db95f1d4a55644e545ffe7 ]
+
+This fixes an overflow condition that can happen with high max
+brightness and period values in compute_duty_cycle. This fixes it by
+using a 64 bit variable for computing the duty cycle.
+
+Signed-off-by: Derek Basehore <dbasehore@chromium.org>
+Acked-by: Thierry Reding <thierry.reding@gmail.com>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/backlight/pwm_bl.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/backlight/pwm_bl.c
++++ b/drivers/video/backlight/pwm_bl.c
+@@ -78,14 +78,17 @@ static void pwm_backlight_power_off(stru
+ static int compute_duty_cycle(struct pwm_bl_data *pb, int brightness)
+ {
+ unsigned int lth = pb->lth_brightness;
+- int duty_cycle;
++ u64 duty_cycle;
+
+ if (pb->levels)
+ duty_cycle = pb->levels[brightness];
+ else
+ duty_cycle = brightness;
+
+- return (duty_cycle * (pb->period - lth) / pb->scale) + lth;
++ duty_cycle *= pb->period - lth;
++ do_div(duty_cycle, pb->scale);
++
++ return duty_cycle + lth;
+ }
+
+ static int pwm_backlight_update_status(struct backlight_device *bl)
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+Date: Thu, 23 Mar 2017 20:52:46 +0530
+Subject: cpuidle: powernv: Pass correct drv->cpumask for registration
+
+From: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+
+
+[ Upstream commit 293d264f13cbde328d5477f49e3103edbc1dc191 ]
+
+drv->cpumask defaults to cpu_possible_mask in __cpuidle_driver_init().
+On PowerNV platform cpu_present could be less than cpu_possible in cases
+where firmware detects the cpu, but it is not available to the OS. When
+CONFIG_HOTPLUG_CPU=n, such cpus are not hotplugable at runtime and hence
+we skip creating cpu_device.
+
+This breaks cpuidle on powernv where register_cpu() is not called for
+cpus in cpu_possible_mask that cannot be hot-added at runtime.
+
+Trying cpuidle_register_device() on cpu without cpu_device will cause
+crash like this:
+
+cpu 0xf: Vector: 380 (Data SLB Access) at [c000000ff1503490]
+ pc: c00000000022c8bc: string+0x34/0x60
+ lr: c00000000022ed78: vsnprintf+0x284/0x42c
+ sp: c000000ff1503710
+ msr: 9000000000009033
+ dar: 6000000060000000
+ current = 0xc000000ff1480000
+ paca = 0xc00000000fe82d00 softe: 0 irq_happened: 0x01
+ pid = 1, comm = swapper/8
+Linux version 4.11.0-rc2 (sv@sagarika) (gcc version 4.9.4
+(Buildroot 2017.02-00004-gc28573e) ) #15 SMP Fri Mar 17 19:32:02 IST 2017
+enter ? for help
+[link register ] c00000000022ed78 vsnprintf+0x284/0x42c
+[c000000ff1503710] c00000000022ebb8 vsnprintf+0xc4/0x42c (unreliable)
+[c000000ff1503800] c00000000022ef40 vscnprintf+0x20/0x44
+[c000000ff1503830] c0000000000ab61c vprintk_emit+0x94/0x2cc
+[c000000ff15038a0] c0000000000acc9c vprintk_func+0x60/0x74
+[c000000ff15038c0] c000000000619694 printk+0x38/0x4c
+[c000000ff15038e0] c000000000224950 kobject_get+0x40/0x60
+[c000000ff1503950] c00000000022507c kobject_add_internal+0x60/0x2c4
+[c000000ff15039e0] c000000000225350 kobject_init_and_add+0x70/0x78
+[c000000ff1503a60] c00000000053c288 cpuidle_add_sysfs+0x9c/0xe0
+[c000000ff1503ae0] c00000000053aeac cpuidle_register_device+0xd4/0x12c
+[c000000ff1503b30] c00000000053b108 cpuidle_register+0x98/0xcc
+[c000000ff1503bc0] c00000000085eaf0 powernv_processor_idle_init+0x140/0x1e0
+[c000000ff1503c60] c00000000000cd60 do_one_initcall+0xc0/0x15c
+[c000000ff1503d20] c000000000833e84 kernel_init_freeable+0x1a0/0x25c
+[c000000ff1503dc0] c00000000000d478 kernel_init+0x24/0x12c
+[c000000ff1503e30] c00000000000b564 ret_from_kernel_thread+0x5c/0x78
+
+This patch fixes the bug by passing correct cpumask from
+powernv-cpuidle driver.
+
+Signed-off-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+Reviewed-by: Gautham R. Shenoy <ego@linux.vnet.ibm.com>
+Acked-by: Michael Ellerman <mpe@ellerman.id.au>
+[ rjw: Comment massage ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpuidle/cpuidle-powernv.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/cpuidle/cpuidle-powernv.c
++++ b/drivers/cpuidle/cpuidle-powernv.c
+@@ -154,6 +154,24 @@ static int powernv_cpuidle_driver_init(v
+ drv->state_count += 1;
+ }
+
++ /*
++ * On the PowerNV platform cpu_present may be less than cpu_possible in
++ * cases when firmware detects the CPU, but it is not available to the
++ * OS. If CONFIG_HOTPLUG_CPU=n, then such CPUs are not hotplugable at
++ * run time and hence cpu_devices are not created for those CPUs by the
++ * generic topology_init().
++ *
++ * drv->cpumask defaults to cpu_possible_mask in
++ * __cpuidle_driver_init(). This breaks cpuidle on PowerNV where
++ * cpu_devices are not created for CPUs in cpu_possible_mask that
++ * cannot be hot-added later at run time.
++ *
++ * Trying cpuidle_register_device() on a CPU without a cpu_device is
++ * incorrect, so pass a correct CPU mask to the generic cpuidle driver.
++ */
++
++ drv->cpumask = (struct cpumask *)cpu_present_mask;
++
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+Date: Sun, 19 Mar 2017 00:51:59 +0530
+Subject: cpuidle: Validate cpu_dev in cpuidle_add_sysfs()
+
+From: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+
+
+[ Upstream commit ad0a45fd9c14feebd000b6e84189d0edff265170 ]
+
+If a given cpu is not in cpu_present and cpu hotplug
+is disabled, arch can skip setting up the cpu_dev.
+
+Arch cpuidle driver should pass correct cpu mask
+for registration, but failing to do so by the driver
+causes error to propagate and crash like this:
+
+[ 30.076045] Unable to handle kernel paging request for data at address 0x00000048
+[ 30.076100] Faulting instruction address: 0xc0000000007b2f30
+cpu 0x4d: Vector: 300 (Data Access) at [c000003feb18b670]
+ pc: c0000000007b2f30: kobject_get+0x20/0x70
+ lr: c0000000007b3c94: kobject_add_internal+0x54/0x3f0
+ sp: c000003feb18b8f0
+ msr: 9000000000009033
+ dar: 48
+ dsisr: 40000000
+ current = 0xc000003fd2ed8300
+ paca = 0xc00000000fbab500 softe: 0 irq_happened: 0x01
+ pid = 1, comm = swapper/0
+Linux version 4.11.0-rc2-svaidy+ (sv@sagarika) (gcc version 6.2.0
+20161005 (Ubuntu 6.2.0-5ubuntu12) ) #10 SMP Sun Mar 19 00:08:09 IST 2017
+enter ? for help
+[c000003feb18b960] c0000000007b3c94 kobject_add_internal+0x54/0x3f0
+[c000003feb18b9f0] c0000000007b43a4 kobject_init_and_add+0x64/0xa0
+[c000003feb18ba70] c000000000e284f4 cpuidle_add_sysfs+0xb4/0x130
+[c000003feb18baf0] c000000000e26038 cpuidle_register_device+0x118/0x1c0
+[c000003feb18bb30] c000000000e26c48 cpuidle_register+0x78/0x120
+[c000003feb18bbc0] c00000000168fd9c powernv_processor_idle_init+0x110/0x1c4
+[c000003feb18bc40] c00000000000cff8 do_one_initcall+0x68/0x1d0
+[c000003feb18bd00] c0000000016242f4 kernel_init_freeable+0x280/0x360
+[c000003feb18bdc0] c00000000000d864 kernel_init+0x24/0x160
+[c000003feb18be30] c00000000000b4e8 ret_from_kernel_thread+0x5c/0x74
+
+Validating cpu_dev fixes the crash and reports correct error message like:
+
+[ 30.163506] Failed to register cpuidle device for cpu136
+[ 30.173329] Registration of powernv driver failed.
+
+Signed-off-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
+[ rjw: Comment massage ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpuidle/sysfs.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/cpuidle/sysfs.c
++++ b/drivers/cpuidle/sysfs.c
+@@ -613,6 +613,18 @@ int cpuidle_add_sysfs(struct cpuidle_dev
+ struct device *cpu_dev = get_cpu_device((unsigned long)dev->cpu);
+ int error;
+
++ /*
++ * Return if cpu_device is not setup for this CPU.
++ *
++ * This could happen if the arch did not set up cpu_device
++ * since this CPU is not in cpu_present mask and the
++ * driver did not send a correct CPU mask during registration.
++ * Without this check we would end up passing bogus
++ * value for &cpu_dev->kobj in kobject_init_and_add()
++ */
++ if (!cpu_dev)
++ return -ENODEV;
++
+ kdev = kzalloc(sizeof(*kdev), GFP_KERNEL);
+ if (!kdev)
+ return -ENOMEM;
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Christian Lamparter <chunkeey@gmail.com>
+Date: Wed, 4 Oct 2017 01:00:08 +0200
+Subject: crypto: crypto4xx - increase context and scatter ring buffer elements
+
+From: Christian Lamparter <chunkeey@gmail.com>
+
+
+[ Upstream commit 778f81d6cdb7d25360f082ac0384d5103f04eca5 ]
+
+If crypto4xx is used in conjunction with dm-crypt, the available
+ring buffer elements are not enough to handle the load properly.
+
+On an aes-cbc-essiv:sha256 encrypted swap partition the read
+performance is abyssal: (tested with hdparm -t)
+
+/dev/mapper/swap_crypt:
+ Timing buffered disk reads: 14 MB in 3.68 seconds = 3.81 MB/sec
+
+The patch increases both PPC4XX_NUM_SD and PPC4XX_NUM_PD to 256.
+This improves the performance considerably:
+
+/dev/mapper/swap_crypt:
+ Timing buffered disk reads: 104 MB in 3.03 seconds = 34.31 MB/sec
+
+Furthermore, PPC4XX_LAST_SD, PPC4XX_LAST_GD and PPC4XX_LAST_PD
+can be easily calculated from their respective PPC4XX_NUM_*
+constant.
+
+Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/amcc/crypto4xx_core.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/crypto/amcc/crypto4xx_core.h
++++ b/drivers/crypto/amcc/crypto4xx_core.h
+@@ -32,12 +32,12 @@
+ #define PPC405EX_CE_RESET 0x00000008
+
+ #define CRYPTO4XX_CRYPTO_PRIORITY 300
+-#define PPC4XX_LAST_PD 63
+-#define PPC4XX_NUM_PD 64
+-#define PPC4XX_LAST_GD 1023
++#define PPC4XX_NUM_PD 256
++#define PPC4XX_LAST_PD (PPC4XX_NUM_PD - 1)
+ #define PPC4XX_NUM_GD 1024
+-#define PPC4XX_LAST_SD 63
+-#define PPC4XX_NUM_SD 64
++#define PPC4XX_LAST_GD (PPC4XX_NUM_GD - 1)
++#define PPC4XX_NUM_SD 256
++#define PPC4XX_LAST_SD (PPC4XX_NUM_SD - 1)
+ #define PPC4XX_SD_BUFFER_SIZE 2048
+
+ #define PD_ENTRY_INUSE 1
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 14 Mar 2017 18:25:57 +0800
+Subject: crypto: deadlock between crypto_alg_sem/rtnl_mutex/genl_mutex
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+
+[ Upstream commit 8a0f5ccfb33b0b8b51de65b7b3bf342ba10b4fb6 ]
+
+On Tue, Mar 14, 2017 at 10:44:10AM +0100, Dmitry Vyukov wrote:
+>
+> Yes, please.
+> Disregarding some reports is not a good way long term.
+
+Please try this patch.
+
+---8<---
+Subject: netlink: Annotate nlk cb_mutex by protocol
+
+Currently all occurences of nlk->cb_mutex are annotated by lockdep
+as a single class. This causes a false lcokdep cycle involving
+genl and crypto_user.
+
+This patch fixes it by dividing cb_mutex into individual classes
+based on the netlink protocol. As genl and crypto_user do not
+use the same netlink protocol this breaks the false dependency
+loop.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -93,6 +93,44 @@ EXPORT_SYMBOL_GPL(nl_table);
+
+ static DECLARE_WAIT_QUEUE_HEAD(nl_table_wait);
+
++static struct lock_class_key nlk_cb_mutex_keys[MAX_LINKS];
++
++static const char *const nlk_cb_mutex_key_strings[MAX_LINKS + 1] = {
++ "nlk_cb_mutex-ROUTE",
++ "nlk_cb_mutex-1",
++ "nlk_cb_mutex-USERSOCK",
++ "nlk_cb_mutex-FIREWALL",
++ "nlk_cb_mutex-SOCK_DIAG",
++ "nlk_cb_mutex-NFLOG",
++ "nlk_cb_mutex-XFRM",
++ "nlk_cb_mutex-SELINUX",
++ "nlk_cb_mutex-ISCSI",
++ "nlk_cb_mutex-AUDIT",
++ "nlk_cb_mutex-FIB_LOOKUP",
++ "nlk_cb_mutex-CONNECTOR",
++ "nlk_cb_mutex-NETFILTER",
++ "nlk_cb_mutex-IP6_FW",
++ "nlk_cb_mutex-DNRTMSG",
++ "nlk_cb_mutex-KOBJECT_UEVENT",
++ "nlk_cb_mutex-GENERIC",
++ "nlk_cb_mutex-17",
++ "nlk_cb_mutex-SCSITRANSPORT",
++ "nlk_cb_mutex-ECRYPTFS",
++ "nlk_cb_mutex-RDMA",
++ "nlk_cb_mutex-CRYPTO",
++ "nlk_cb_mutex-SMC",
++ "nlk_cb_mutex-23",
++ "nlk_cb_mutex-24",
++ "nlk_cb_mutex-25",
++ "nlk_cb_mutex-26",
++ "nlk_cb_mutex-27",
++ "nlk_cb_mutex-28",
++ "nlk_cb_mutex-29",
++ "nlk_cb_mutex-30",
++ "nlk_cb_mutex-31",
++ "nlk_cb_mutex-MAX_LINKS"
++};
++
+ static int netlink_dump(struct sock *sk);
+ static void netlink_skb_destructor(struct sk_buff *skb);
+
+@@ -548,6 +586,9 @@ static int __netlink_create(struct net *
+ } else {
+ nlk->cb_mutex = &nlk->cb_def_mutex;
+ mutex_init(nlk->cb_mutex);
++ lockdep_set_class_and_name(nlk->cb_mutex,
++ nlk_cb_mutex_keys + protocol,
++ nlk_cb_mutex_key_strings[protocol]);
+ }
+ init_waitqueue_head(&nlk->wait);
+
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Jacob Keller <jacob.e.keller@intel.com>
+Date: Mon, 2 Oct 2017 07:17:50 -0700
+Subject: fm10k: ensure we process SM mbx when processing VF mbx
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+
+[ Upstream commit 17a91809942ca32c70026d2d5ba3348a2c4fdf8f ]
+
+When we process VF mailboxes, the driver is likely going to also queue
+up messages to the switch manager. This process merely queues up the
+FIFO, but doesn't actually begin the transmission process. Because we
+hold the mailbox lock during this VF processing, the PF<->SM mailbox is
+not getting processed at this time. Ensure that we actually process the
+PF<->SM mailbox in between each PF<->VF mailbox.
+
+This should ensure prompt transmission of the messages queued up after
+each VF message is received and handled.
+
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Krishneil Singh <krishneil.k.singh@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/fm10k/fm10k_iov.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/intel/fm10k/fm10k_iov.c
++++ b/drivers/net/ethernet/intel/fm10k/fm10k_iov.c
+@@ -145,6 +145,9 @@ process_mbx:
+ struct fm10k_mbx_info *mbx = &vf_info->mbx;
+ u16 glort = vf_info->glort;
+
++ /* process the SM mailbox first to drain outgoing messages */
++ hw->mbx.ops.process(hw, &hw->mbx);
++
+ /* verify port mapping is valid, if not reset port */
+ if (vf_info->vf_flags && !fm10k_glort_valid_pf(hw, glort))
+ hw->iov.ops.reset_lport(hw, vf_info);
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Peter Stein <peter@stuntstein.dk>
+Date: Fri, 17 Feb 2017 00:00:50 -0800
+Subject: HID: xinmo: fix for out of range for THT 2P arcade controller.
+
+From: Peter Stein <peter@stuntstein.dk>
+
+
+[ Upstream commit 9257821c5a1dc57ef3a37f7cbcebaf548395c964 ]
+
+There is a new clone of the XIN MO arcade controller which has same issue with
+out of range like the original. This fix will solve the issue where 2
+directions on the joystick are not recognized by the new THT 2P arcade
+controller with device ID 0x75e1. In details the new device ID is added the
+hid-id list and the hid-xinmo source code.
+
+Signed-off-by: Peter Stein <peter@stuntstein.dk>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-core.c | 1 +
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-xinmo.c | 1 +
+ 3 files changed, 3 insertions(+)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1977,6 +1977,7 @@ static const struct hid_device_id hid_ha
+ { HID_USB_DEVICE(USB_VENDOR_ID_WALTOP, USB_DEVICE_ID_WALTOP_SIRIUS_BATTERY_FREE_TABLET) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_X_TENSIONS, USB_DEVICE_ID_SPEEDLINK_VAD_CEZANNE) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_XIN_MO, USB_DEVICE_ID_XIN_MO_DUAL_ARCADE) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_XIN_MO, USB_DEVICE_ID_THT_2P_ARCADE) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ZEROPLUS, 0x0005) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ZEROPLUS, 0x0030) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ZYDACRON, USB_DEVICE_ID_ZYDACRON_REMOTE_CONTROL) },
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1000,6 +1000,7 @@
+
+ #define USB_VENDOR_ID_XIN_MO 0x16c0
+ #define USB_DEVICE_ID_XIN_MO_DUAL_ARCADE 0x05e1
++#define USB_DEVICE_ID_THT_2P_ARCADE 0x75e1
+
+ #define USB_VENDOR_ID_XIROKU 0x1477
+ #define USB_DEVICE_ID_XIROKU_SPX 0x1006
+--- a/drivers/hid/hid-xinmo.c
++++ b/drivers/hid/hid-xinmo.c
+@@ -46,6 +46,7 @@ static int xinmo_event(struct hid_device
+
+ static const struct hid_device_id xinmo_devices[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_XIN_MO, USB_DEVICE_ID_XIN_MO_DUAL_ARCADE) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_XIN_MO, USB_DEVICE_ID_THT_2P_ARCADE) },
+ { }
+ };
+
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 23 Mar 2017 16:03:11 +0100
+Subject: hwmon: (asus_atk0110) fix uninitialized data access
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+
+[ Upstream commit a2125d02443e9a4e68bcfd9f8004fa23239e8329 ]
+
+The latest gcc-7 snapshot adds a warning to point out that when
+atk_read_value_old or atk_read_value_new fails, we copy
+uninitialized data into sensor->cached_value:
+
+drivers/hwmon/asus_atk0110.c: In function 'atk_input_show':
+drivers/hwmon/asus_atk0110.c:651:26: error: 'value' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+
+Adding an error check avoids this. All versions of the driver
+are affected.
+
+Fixes: 2c03d07ad54d ("hwmon: Add Asus ATK0110 support")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Luca Tettamanti <kronos.it@gmail.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/asus_atk0110.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/hwmon/asus_atk0110.c
++++ b/drivers/hwmon/asus_atk0110.c
+@@ -646,6 +646,9 @@ static int atk_read_value(struct atk_sen
+ else
+ err = atk_read_value_new(sensor, value);
+
++ if (err)
++ return err;
++
+ sensor->is_valid = true;
+ sensor->last_updated = jiffies;
+ sensor->cached_value = *value;
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Mike Looijmans <mike.looijmans@topic.nl>
+Date: Thu, 23 Mar 2017 10:00:36 +0100
+Subject: i2c: mux: pca954x: Add missing pca9546 definition to chip_desc
+
+From: Mike Looijmans <mike.looijmans@topic.nl>
+
+
+[ Upstream commit dbe4d69d252e9e65c6c46826980b77b11a142065 ]
+
+The spec for the pca9546 was missing. This chip is the same as the pca9545
+except that it lacks interrupt lines. While the i2c_device_id table mapped
+the pca9546 to the pca9545 definition the compatible table did not.
+
+Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/muxes/i2c-mux-pca954x.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/muxes/i2c-mux-pca954x.c
++++ b/drivers/i2c/muxes/i2c-mux-pca954x.c
+@@ -93,6 +93,10 @@ static const struct chip_desc chips[] =
+ .nchans = 4,
+ .muxtype = pca954x_isswi,
+ },
++ [pca_9546] = {
++ .nchans = 4,
++ .muxtype = pca954x_isswi,
++ },
+ [pca_9547] = {
+ .nchans = 8,
+ .enable = 0x8,
+@@ -110,7 +114,7 @@ static const struct i2c_device_id pca954
+ { "pca9543", pca_9543 },
+ { "pca9544", pca_9544 },
+ { "pca9545", pca_9545 },
+- { "pca9546", pca_9545 },
++ { "pca9546", pca_9546 },
+ { "pca9547", pca_9547 },
+ { "pca9548", pca_9548 },
+ { }
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Alexander Duyck <alexander.h.duyck@intel.com>
+Date: Fri, 24 Mar 2017 15:01:42 -0700
+Subject: i40e: Do not enable NAPI on q_vectors that have no rings
+
+From: Alexander Duyck <alexander.h.duyck@intel.com>
+
+
+[ Upstream commit 13a8cd191a2b470cfd435b3b57dbd21aa65ff78c ]
+
+When testing the epoll w/ busy poll code I found that I could get into a
+state where the i40e driver had q_vectors w/ active NAPI that had no rings.
+This was resulting in a divide by zero error. To correct it I am updating
+the driver code so that we only support NAPI on q_vectors that have 1 or
+more rings allocated to them.
+
+Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -3814,8 +3814,12 @@ static void i40e_napi_enable_all(struct
+ if (!vsi->netdev)
+ return;
+
+- for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++)
+- napi_enable(&vsi->q_vectors[q_idx]->napi);
++ for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++) {
++ struct i40e_q_vector *q_vector = vsi->q_vectors[q_idx];
++
++ if (q_vector->rx.ring || q_vector->tx.ring)
++ napi_enable(&q_vector->napi);
++ }
+ }
+
+ /**
+@@ -3829,8 +3833,12 @@ static void i40e_napi_disable_all(struct
+ if (!vsi->netdev)
+ return;
+
+- for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++)
+- napi_disable(&vsi->q_vectors[q_idx]->napi);
++ for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++) {
++ struct i40e_q_vector *q_vector = vsi->q_vectors[q_idx];
++
++ if (q_vector->rx.ring || q_vector->tx.ring)
++ napi_disable(&q_vector->napi);
++ }
+ }
+
+ /**
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 27 Aug 2017 08:39:51 +0200
+Subject: igb: check memory allocation failure
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 18eb86362a52f0af933cc0fd5e37027317eb2d1c ]
+
+Check memory allocation failures and return -ENOMEM in such cases, as
+already done for other memory allocations in this function.
+
+This avoids NULL pointers dereference.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com
+Acked-by: PJ Waskiewicz <peter.waskiewicz.jr@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -3001,6 +3001,8 @@ static int igb_sw_init(struct igb_adapte
+ /* Setup and initialize a copy of the hw vlan table array */
+ adapter->shadow_vfta = kcalloc(E1000_VLAN_FILTER_TBL_SIZE, sizeof(u32),
+ GFP_ATOMIC);
++ if (!adapter->shadow_vfta)
++ return -ENOMEM;
+
+ /* This call may decrease the number of queues */
+ if (igb_init_interrupt_scheme(adapter, true)) {
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Sat, 25 Mar 2017 01:48:08 +0300
+Subject: irda: vlsi_ir: fix check for DMA mapping errors
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+
+[ Upstream commit 6ac3b77a6ffff7513ff86b684aa256ea01c0e5b5 ]
+
+vlsi_alloc_ring() checks for DMA mapping errors by comparing
+returned address with zero, while pci_dma_mapping_error() should be used.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/irda/vlsi_ir.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/irda/vlsi_ir.c
++++ b/drivers/net/irda/vlsi_ir.c
+@@ -426,8 +426,9 @@ static struct vlsi_ring *vlsi_alloc_ring
+ memset(rd, 0, sizeof(*rd));
+ rd->hw = hwmap + i;
+ rd->buf = kmalloc(len, GFP_KERNEL|GFP_DMA);
+- if (rd->buf == NULL ||
+- !(busaddr = pci_map_single(pdev, rd->buf, len, dir))) {
++ if (rd->buf)
++ busaddr = pci_map_single(pdev, rd->buf, len, dir);
++ if (rd->buf == NULL || pci_dma_mapping_error(pdev, busaddr)) {
+ if (rd->buf) {
+ IRDA_ERROR("%s: failed to create PCI-MAP for %p",
+ __func__, rd->buf);
+@@ -438,8 +439,7 @@ static struct vlsi_ring *vlsi_alloc_ring
+ rd = r->rd + j;
+ busaddr = rd_get_addr(rd);
+ rd_set_addr_status(rd, 0, 0);
+- if (busaddr)
+- pci_unmap_single(pdev, busaddr, len, dir);
++ pci_unmap_single(pdev, busaddr, len, dir);
+ kfree(rd->buf);
+ rd->buf = NULL;
+ }
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 28 Mar 2017 12:11:07 +0200
+Subject: isdn: kcapi: avoid uninitialized data
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+
+[ Upstream commit af109a2cf6a9a6271fa420ae2d64d72d86c92b7d ]
+
+gcc-7 points out that the AVMB1_ADDCARD ioctl results in an unintialized
+value ending up in the cardnr parameter:
+
+drivers/isdn/capi/kcapi.c: In function 'old_capi_manufacturer':
+drivers/isdn/capi/kcapi.c:1042:24: error: 'cdef.cardnr' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+ cparams.cardnr = cdef.cardnr;
+
+This has been broken since before the start of the git history, so
+either the value is not used for anything important, or the ioctl
+command doesn't get called in practice.
+
+Setting the cardnr to zero avoids the warning and makes sure
+we have consistent behavior.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/capi/kcapi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/isdn/capi/kcapi.c
++++ b/drivers/isdn/capi/kcapi.c
+@@ -1032,6 +1032,7 @@ static int old_capi_manufacturer(unsigne
+ sizeof(avmb1_carddef))))
+ return -EFAULT;
+ cdef.cardtype = AVM_CARDTYPE_B1;
++ cdef.cardnr = 0;
+ } else {
+ if ((retval = copy_from_user(&cdef, data,
+ sizeof(avmb1_extcarddef))))
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Mon, 20 Mar 2017 21:18:55 -0700
+Subject: KVM: x86: correct async page present tracepoint
+
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+
+
+[ Upstream commit 24dccf83a121b8a4ad5c2ad383a8184ef6c266ee ]
+
+After async pf setup successfully, there is a broadcast wakeup w/ special
+token 0xffffffff which tells vCPU that it should wake up all processes
+waiting for APFs though there is no real process waiting at the moment.
+
+The async page present tracepoint print prematurely and fails to catch the
+special token setup. This patch fixes it by moving the async page present
+tracepoint after the special token setup.
+
+Before patch:
+
+qemu-system-x86-8499 [006] ...1 5973.473292: kvm_async_pf_ready: token 0x0 gva 0x0
+
+After patch:
+
+qemu-system-x86-8499 [006] ...1 5973.473292: kvm_async_pf_ready: token 0xffffffff gva 0x0
+
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim KrÄmĆ”Å <rkrcmar@redhat.com>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -7783,11 +7783,11 @@ void kvm_arch_async_page_present(struct
+ {
+ struct x86_exception fault;
+
+- trace_kvm_async_pf_ready(work->arch.token, work->gva);
+ if (work->wakeup_all)
+ work->arch.token = ~0; /* broadcast wakeup */
+ else
+ kvm_del_async_pf_gfn(vcpu, work->arch.gfn);
++ trace_kvm_async_pf_ready(work->arch.token, work->gva);
+
+ if ((vcpu->arch.apf.msr_val & KVM_ASYNC_PF_ENABLED) &&
+ !apf_put_user(vcpu, KVM_PV_REASON_PAGE_READY)) {
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Alexander Duyck <alexander.h.duyck@intel.com>
+Date: Fri, 24 Mar 2017 09:38:03 -0700
+Subject: net: Do not allow negative values for busy_read and busy_poll sysctl interfaces
+
+From: Alexander Duyck <alexander.h.duyck@intel.com>
+
+
+[ Upstream commit 95f255211396958c718aef8c45e3923b5211ea7b ]
+
+This change basically codifies what I think was already the limitations on
+the busy_poll and busy_read sysctl interfaces. We weren't checking the
+lower bounds and as such could input negative values. The behavior when
+that was used was dependent on the architecture. In order to prevent any
+issues with that I am just disabling support for values less than 0 since
+this way we don't have to worry about any odd behaviors.
+
+By limiting the sysctl values this way it also makes it consistent with how
+we handle the SO_BUSY_POLL socket option since the value appears to be
+reported as a signed integer value and negative values are rejected.
+
+Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/sysctl_net_core.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/core/sysctl_net_core.c
++++ b/net/core/sysctl_net_core.c
+@@ -331,14 +331,16 @@ static struct ctl_table net_core_table[]
+ .data = &sysctl_net_busy_poll,
+ .maxlen = sizeof(unsigned int),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dointvec_minmax,
++ .extra1 = &zero,
+ },
+ {
+ .procname = "busy_read",
+ .data = &sysctl_net_busy_read,
+ .maxlen = sizeof(unsigned int),
+ .mode = 0644,
+- .proc_handler = proc_dointvec
++ .proc_handler = proc_dointvec_minmax,
++ .extra1 = &zero,
+ },
+ #endif
+ #ifdef CONFIG_NET_SCHED
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Dan Murphy <dmurphy@ti.com>
+Date: Tue, 10 Oct 2017 12:42:56 -0500
+Subject: net: phy: at803x: Change error to EINVAL for invalid MAC
+
+From: Dan Murphy <dmurphy@ti.com>
+
+
+[ Upstream commit fc7556877d1748ac00958822a0a3bba1d4bd9e0d ]
+
+Change the return error code to EINVAL if the MAC
+address is not valid in the set_wol function.
+
+Signed-off-by: Dan Murphy <dmurphy@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/at803x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/at803x.c
++++ b/drivers/net/phy/at803x.c
+@@ -105,7 +105,7 @@ static int at803x_set_wol(struct phy_dev
+ mac = (const u8 *) ndev->dev_addr;
+
+ if (!is_valid_ether_addr(mac))
+- return -EFAULT;
++ return -EINVAL;
+
+ for (i = 0; i < 3; i++) {
+ phy_write(phydev, AT803X_MMD_ACCESS_CONTROL,
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Tony Lindgren <tony@atomide.com>
+Date: Sun, 19 Mar 2017 09:19:57 -0700
+Subject: net: qmi_wwan: Add USB IDs for MDM6600 modem on Motorola Droid 4
+
+From: Tony Lindgren <tony@atomide.com>
+
+
+[ Upstream commit 4071898bf0f4d79ff353db327af2a15123272548 ]
+
+This gets qmicli working with the MDM6600 modem.
+
+Cc: BjĆørn Mork <bjorn@mork.no>
+Reviewed-by: Sebastian Reichel <sre@kernel.org>
+Tested-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Acked-by: BjĆørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -460,6 +460,10 @@ static const struct usb_device_id produc
+ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, USB_CLASS_VENDOR_SPEC, 0x01, 0x69),
+ .driver_info = (unsigned long)&qmi_wwan_info,
+ },
++ { /* Motorola Mapphone devices with MDM6600 */
++ USB_VENDOR_AND_INTERFACE_INFO(0x22b8, USB_CLASS_VENDOR_SPEC, 0xfb, 0xff),
++ .driver_info = (unsigned long)&qmi_wwan_info,
++ },
+
+ /* 2. Combined interface devices matching on class+protocol */
+ { /* Huawei E367 and possibly others in "Windows mode" */
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Gao Feng <fgao@ikuai8.com>
+Date: Sat, 25 Mar 2017 18:24:36 +0800
+Subject: netfilter: nf_nat_snmp: Fix panic when snmp_trap_helper fails to register
+
+From: Gao Feng <fgao@ikuai8.com>
+
+
+[ Upstream commit 75c689dca98851d65ef5a27e5ce26b625b68751c ]
+
+In the commit 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp
+helper"), the snmp_helper is replaced by nf_nat_snmp_hook. So the
+snmp_helper is never registered. But it still tries to unregister the
+snmp_helper, it could cause the panic.
+
+Now remove the useless snmp_helper and the unregister call in the
+error handler.
+
+Fixes: 93557f53e1fb ("netfilter: nf_conntrack: nf_conntrack snmp helper")
+Signed-off-by: Gao Feng <fgao@ikuai8.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/netfilter/nf_nat_snmp_basic.c | 19 +------------------
+ 1 file changed, 1 insertion(+), 18 deletions(-)
+
+--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
++++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
+@@ -1260,16 +1260,6 @@ static const struct nf_conntrack_expect_
+ .timeout = 180,
+ };
+
+-static struct nf_conntrack_helper snmp_helper __read_mostly = {
+- .me = THIS_MODULE,
+- .help = help,
+- .expect_policy = &snmp_exp_policy,
+- .name = "snmp",
+- .tuple.src.l3num = AF_INET,
+- .tuple.src.u.udp.port = cpu_to_be16(SNMP_PORT),
+- .tuple.dst.protonum = IPPROTO_UDP,
+-};
+-
+ static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
+ .me = THIS_MODULE,
+ .help = help,
+@@ -1288,17 +1278,10 @@ static struct nf_conntrack_helper snmp_t
+
+ static int __init nf_nat_snmp_basic_init(void)
+ {
+- int ret = 0;
+-
+ BUG_ON(nf_nat_snmp_hook != NULL);
+ RCU_INIT_POINTER(nf_nat_snmp_hook, help);
+
+- ret = nf_conntrack_helper_register(&snmp_trap_helper);
+- if (ret < 0) {
+- nf_conntrack_helper_unregister(&snmp_helper);
+- return ret;
+- }
+- return ret;
++ return nf_conntrack_helper_register(&snmp_trap_helper);
+ }
+
+ static void __exit nf_nat_snmp_basic_fini(void)
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Liping Zhang <zlpnobody@gmail.com>
+Date: Sat, 25 Mar 2017 12:09:15 +0800
+Subject: netfilter: nfnl_cthelper: fix a race when walk the nf_ct_helper_hash table
+
+From: Liping Zhang <zlpnobody@gmail.com>
+
+
+[ Upstream commit 83d90219a5df8d950855ce73229a97b63605c317 ]
+
+The nf_ct_helper_hash table is protected by nf_ct_helper_mutex, while
+nfct_helper operation is protected by nfnl_lock(NFNL_SUBSYS_CTHELPER).
+So it's possible that one CPU is walking the nf_ct_helper_hash for
+cthelper add/get/del, another cpu is doing nf_conntrack_helpers_unregister
+at the same time. This is dangrous, and may cause use after free error.
+
+Note, delete operation will flush all cthelpers added via nfnetlink, so
+using rcu to do protect is not easy.
+
+Now introduce a dummy list to record all the cthelpers added via
+nfnetlink, then we can walk the dummy list instead of walking the
+nf_ct_helper_hash. Also, keep nfnl_cthelper_dump_table unchanged, it
+may be invoked without nfnl_lock(NFNL_SUBSYS_CTHELPER) held.
+
+Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nfnetlink_cthelper.c | 185 +++++++++++++++++--------------------
+ 1 file changed, 85 insertions(+), 100 deletions(-)
+
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -32,6 +32,13 @@ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
+ MODULE_DESCRIPTION("nfnl_cthelper: User-space connection tracking helpers");
+
++struct nfnl_cthelper {
++ struct list_head list;
++ struct nf_conntrack_helper helper;
++};
++
++static LIST_HEAD(nfnl_cthelper_list);
++
+ static int
+ nfnl_userspace_cthelper(struct sk_buff *skb, unsigned int protoff,
+ struct nf_conn *ct, enum ip_conntrack_info ctinfo)
+@@ -205,14 +212,16 @@ nfnl_cthelper_create(const struct nlattr
+ struct nf_conntrack_tuple *tuple)
+ {
+ struct nf_conntrack_helper *helper;
++ struct nfnl_cthelper *nfcth;
+ int ret;
+
+ if (!tb[NFCTH_TUPLE] || !tb[NFCTH_POLICY] || !tb[NFCTH_PRIV_DATA_LEN])
+ return -EINVAL;
+
+- helper = kzalloc(sizeof(struct nf_conntrack_helper), GFP_KERNEL);
+- if (helper == NULL)
++ nfcth = kzalloc(sizeof(*nfcth), GFP_KERNEL);
++ if (nfcth == NULL)
+ return -ENOMEM;
++ helper = &nfcth->helper;
+
+ ret = nfnl_cthelper_parse_expect_policy(helper, tb[NFCTH_POLICY]);
+ if (ret < 0)
+@@ -249,11 +258,12 @@ nfnl_cthelper_create(const struct nlattr
+ if (ret < 0)
+ goto err2;
+
++ list_add_tail(&nfcth->list, &nfnl_cthelper_list);
+ return 0;
+ err2:
+ kfree(helper->expect_policy);
+ err1:
+- kfree(helper);
++ kfree(nfcth);
+ return ret;
+ }
+
+@@ -379,7 +389,8 @@ nfnl_cthelper_new(struct sock *nfnl, str
+ const char *helper_name;
+ struct nf_conntrack_helper *cur, *helper = NULL;
+ struct nf_conntrack_tuple tuple;
+- int ret = 0, i;
++ struct nfnl_cthelper *nlcth;
++ int ret = 0;
+
+ if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
+ return -EINVAL;
+@@ -390,31 +401,22 @@ nfnl_cthelper_new(struct sock *nfnl, str
+ if (ret < 0)
+ return ret;
+
+- rcu_read_lock();
+- for (i = 0; i < nf_ct_helper_hsize && !helper; i++) {
+- hlist_for_each_entry_rcu(cur, &nf_ct_helper_hash[i], hnode) {
++ list_for_each_entry(nlcth, &nfnl_cthelper_list, list) {
++ cur = &nlcth->helper;
+
+- /* skip non-userspace conntrack helpers. */
+- if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
+- continue;
++ if (strncmp(cur->name, helper_name, NF_CT_HELPER_NAME_LEN))
++ continue;
+
+- if (strncmp(cur->name, helper_name,
+- NF_CT_HELPER_NAME_LEN) != 0)
+- continue;
++ if ((tuple.src.l3num != cur->tuple.src.l3num ||
++ tuple.dst.protonum != cur->tuple.dst.protonum))
++ continue;
+
+- if ((tuple.src.l3num != cur->tuple.src.l3num ||
+- tuple.dst.protonum != cur->tuple.dst.protonum))
+- continue;
++ if (nlh->nlmsg_flags & NLM_F_EXCL)
++ return -EEXIST;
+
+- if (nlh->nlmsg_flags & NLM_F_EXCL) {
+- ret = -EEXIST;
+- goto err;
+- }
+- helper = cur;
+- break;
+- }
++ helper = cur;
++ break;
+ }
+- rcu_read_unlock();
+
+ if (helper == NULL)
+ ret = nfnl_cthelper_create(tb, &tuple);
+@@ -422,9 +424,6 @@ nfnl_cthelper_new(struct sock *nfnl, str
+ ret = nfnl_cthelper_update(tb, helper);
+
+ return ret;
+-err:
+- rcu_read_unlock();
+- return ret;
+ }
+
+ static int
+@@ -588,11 +587,12 @@ static int
+ nfnl_cthelper_get(struct sock *nfnl, struct sk_buff *skb,
+ const struct nlmsghdr *nlh, const struct nlattr * const tb[])
+ {
+- int ret = -ENOENT, i;
++ int ret = -ENOENT;
+ struct nf_conntrack_helper *cur;
+ struct sk_buff *skb2;
+ char *helper_name = NULL;
+ struct nf_conntrack_tuple tuple;
++ struct nfnl_cthelper *nlcth;
+ bool tuple_set = false;
+
+ if (nlh->nlmsg_flags & NLM_F_DUMP) {
+@@ -613,45 +613,39 @@ nfnl_cthelper_get(struct sock *nfnl, str
+ tuple_set = true;
+ }
+
+- for (i = 0; i < nf_ct_helper_hsize; i++) {
+- hlist_for_each_entry_rcu(cur, &nf_ct_helper_hash[i], hnode) {
+-
+- /* skip non-userspace conntrack helpers. */
+- if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
+- continue;
+-
+- if (helper_name && strncmp(cur->name, helper_name,
+- NF_CT_HELPER_NAME_LEN) != 0) {
+- continue;
+- }
+- if (tuple_set &&
+- (tuple.src.l3num != cur->tuple.src.l3num ||
+- tuple.dst.protonum != cur->tuple.dst.protonum))
+- continue;
+-
+- skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+- if (skb2 == NULL) {
+- ret = -ENOMEM;
+- break;
+- }
++ list_for_each_entry(nlcth, &nfnl_cthelper_list, list) {
++ cur = &nlcth->helper;
++ if (helper_name &&
++ strncmp(cur->name, helper_name, NF_CT_HELPER_NAME_LEN))
++ continue;
++
++ if (tuple_set &&
++ (tuple.src.l3num != cur->tuple.src.l3num ||
++ tuple.dst.protonum != cur->tuple.dst.protonum))
++ continue;
++
++ skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
++ if (skb2 == NULL) {
++ ret = -ENOMEM;
++ break;
++ }
+
+- ret = nfnl_cthelper_fill_info(skb2, NETLINK_CB(skb).portid,
+- nlh->nlmsg_seq,
+- NFNL_MSG_TYPE(nlh->nlmsg_type),
+- NFNL_MSG_CTHELPER_NEW, cur);
+- if (ret <= 0) {
+- kfree_skb(skb2);
+- break;
+- }
++ ret = nfnl_cthelper_fill_info(skb2, NETLINK_CB(skb).portid,
++ nlh->nlmsg_seq,
++ NFNL_MSG_TYPE(nlh->nlmsg_type),
++ NFNL_MSG_CTHELPER_NEW, cur);
++ if (ret <= 0) {
++ kfree_skb(skb2);
++ break;
++ }
+
+- ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).portid,
+- MSG_DONTWAIT);
+- if (ret > 0)
+- ret = 0;
++ ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).portid,
++ MSG_DONTWAIT);
++ if (ret > 0)
++ ret = 0;
+
+- /* this avoids a loop in nfnetlink. */
+- return ret == -EAGAIN ? -ENOBUFS : ret;
+- }
++ /* this avoids a loop in nfnetlink. */
++ return ret == -EAGAIN ? -ENOBUFS : ret;
+ }
+ return ret;
+ }
+@@ -662,10 +656,10 @@ nfnl_cthelper_del(struct sock *nfnl, str
+ {
+ char *helper_name = NULL;
+ struct nf_conntrack_helper *cur;
+- struct hlist_node *tmp;
+ struct nf_conntrack_tuple tuple;
+ bool tuple_set = false, found = false;
+- int i, j = 0, ret;
++ struct nfnl_cthelper *nlcth, *n;
++ int j = 0, ret;
+
+ if (tb[NFCTH_NAME])
+ helper_name = nla_data(tb[NFCTH_NAME]);
+@@ -678,30 +672,27 @@ nfnl_cthelper_del(struct sock *nfnl, str
+ tuple_set = true;
+ }
+
+- for (i = 0; i < nf_ct_helper_hsize; i++) {
+- hlist_for_each_entry_safe(cur, tmp, &nf_ct_helper_hash[i],
+- hnode) {
+- /* skip non-userspace conntrack helpers. */
+- if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
+- continue;
+-
+- j++;
+-
+- if (helper_name && strncmp(cur->name, helper_name,
+- NF_CT_HELPER_NAME_LEN) != 0) {
+- continue;
+- }
+- if (tuple_set &&
+- (tuple.src.l3num != cur->tuple.src.l3num ||
+- tuple.dst.protonum != cur->tuple.dst.protonum))
+- continue;
++ list_for_each_entry_safe(nlcth, n, &nfnl_cthelper_list, list) {
++ cur = &nlcth->helper;
++ j++;
++
++ if (helper_name &&
++ strncmp(cur->name, helper_name, NF_CT_HELPER_NAME_LEN))
++ continue;
++
++ if (tuple_set &&
++ (tuple.src.l3num != cur->tuple.src.l3num ||
++ tuple.dst.protonum != cur->tuple.dst.protonum))
++ continue;
++
++ found = true;
++ nf_conntrack_helper_unregister(cur);
++ kfree(cur->expect_policy);
+
+- found = true;
+- nf_conntrack_helper_unregister(cur);
+- kfree(cur->expect_policy);
+- kfree(cur);
+- }
++ list_del(&nlcth->list);
++ kfree(nlcth);
+ }
++
+ /* Make sure we return success if we flush and there is no helpers */
+ return (found || j == 0) ? 0 : -ENOENT;
+ }
+@@ -750,22 +741,16 @@ err_out:
+ static void __exit nfnl_cthelper_exit(void)
+ {
+ struct nf_conntrack_helper *cur;
+- struct hlist_node *tmp;
+- int i;
++ struct nfnl_cthelper *nlcth, *n;
+
+ nfnetlink_subsys_unregister(&nfnl_cthelper_subsys);
+
+- for (i=0; i<nf_ct_helper_hsize; i++) {
+- hlist_for_each_entry_safe(cur, tmp, &nf_ct_helper_hash[i],
+- hnode) {
+- /* skip non-userspace conntrack helpers. */
+- if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
+- continue;
++ list_for_each_entry_safe(nlcth, n, &nfnl_cthelper_list, list) {
++ cur = &nlcth->helper;
+
+- nf_conntrack_helper_unregister(cur);
+- kfree(cur->expect_policy);
+- kfree(cur);
+- }
++ nf_conntrack_helper_unregister(cur);
++ kfree(cur->expect_policy);
++ kfree(nlcth);
+ }
+ }
+
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Jeffy Chen <jeffy.chen@rock-chips.com>
+Date: Tue, 21 Mar 2017 15:07:10 +0800
+Subject: netfilter: nfnl_cthelper: Fix memory leak
+
+From: Jeffy Chen <jeffy.chen@rock-chips.com>
+
+
+[ Upstream commit f83bf8da1135ca635aac8f062cad3f001fcf3a26 ]
+
+We have memory leaks of nf_conntrack_helper & expect_policy.
+
+Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nfnetlink_cthelper.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -216,7 +216,7 @@ nfnl_cthelper_create(const struct nlattr
+
+ ret = nfnl_cthelper_parse_expect_policy(helper, tb[NFCTH_POLICY]);
+ if (ret < 0)
+- goto err;
++ goto err1;
+
+ strncpy(helper->name, nla_data(tb[NFCTH_NAME]), NF_CT_HELPER_NAME_LEN);
+ helper->data_len = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
+@@ -247,10 +247,12 @@ nfnl_cthelper_create(const struct nlattr
+
+ ret = nf_conntrack_helper_register(helper);
+ if (ret < 0)
+- goto err;
++ goto err2;
+
+ return 0;
+-err:
++err2:
++ kfree(helper->expect_policy);
++err1:
+ kfree(helper);
+ return ret;
+ }
+@@ -696,6 +698,8 @@ nfnl_cthelper_del(struct sock *nfnl, str
+
+ found = true;
+ nf_conntrack_helper_unregister(cur);
++ kfree(cur->expect_policy);
++ kfree(cur);
+ }
+ }
+ /* Make sure we return success if we flush and there is no helpers */
+@@ -759,6 +763,8 @@ static void __exit nfnl_cthelper_exit(vo
+ continue;
+
+ nf_conntrack_helper_unregister(cur);
++ kfree(cur->expect_policy);
++ kfree(cur);
+ }
+ }
+ }
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 21 Mar 2017 13:32:37 +0100
+Subject: netfilter: nfnl_cthelper: fix runtime expectation policy updates
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+
+[ Upstream commit 2c422257550f123049552b39f7af6e3428a60f43 ]
+
+We only allow runtime updates of expectation policies for timeout and
+maximum number of expectations, otherwise reject the update.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Liping Zhang <zlpnobody@gmail.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nfnetlink_cthelper.c | 86 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 84 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -256,6 +256,89 @@ err:
+ }
+
+ static int
++nfnl_cthelper_update_policy_one(const struct nf_conntrack_expect_policy *policy,
++ struct nf_conntrack_expect_policy *new_policy,
++ const struct nlattr *attr)
++{
++ struct nlattr *tb[NFCTH_POLICY_MAX + 1];
++ int err;
++
++ err = nla_parse_nested(tb, NFCTH_POLICY_MAX, attr,
++ nfnl_cthelper_expect_pol);
++ if (err < 0)
++ return err;
++
++ if (!tb[NFCTH_POLICY_NAME] ||
++ !tb[NFCTH_POLICY_EXPECT_MAX] ||
++ !tb[NFCTH_POLICY_EXPECT_TIMEOUT])
++ return -EINVAL;
++
++ if (nla_strcmp(tb[NFCTH_POLICY_NAME], policy->name))
++ return -EBUSY;
++
++ new_policy->max_expected =
++ ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_MAX]));
++ new_policy->timeout =
++ ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_TIMEOUT]));
++
++ return 0;
++}
++
++static int nfnl_cthelper_update_policy_all(struct nlattr *tb[],
++ struct nf_conntrack_helper *helper)
++{
++ struct nf_conntrack_expect_policy new_policy[helper->expect_class_max + 1];
++ struct nf_conntrack_expect_policy *policy;
++ int i, err;
++
++ /* Check first that all policy attributes are well-formed, so we don't
++ * leave things in inconsistent state on errors.
++ */
++ for (i = 0; i < helper->expect_class_max + 1; i++) {
++
++ if (!tb[NFCTH_POLICY_SET + i])
++ return -EINVAL;
++
++ err = nfnl_cthelper_update_policy_one(&helper->expect_policy[i],
++ &new_policy[i],
++ tb[NFCTH_POLICY_SET + i]);
++ if (err < 0)
++ return err;
++ }
++ /* Now we can safely update them. */
++ for (i = 0; i < helper->expect_class_max + 1; i++) {
++ policy = (struct nf_conntrack_expect_policy *)
++ &helper->expect_policy[i];
++ policy->max_expected = new_policy->max_expected;
++ policy->timeout = new_policy->timeout;
++ }
++
++ return 0;
++}
++
++static int nfnl_cthelper_update_policy(struct nf_conntrack_helper *helper,
++ const struct nlattr *attr)
++{
++ struct nlattr *tb[NFCTH_POLICY_SET_MAX + 1];
++ unsigned int class_max;
++ int err;
++
++ err = nla_parse_nested(tb, NFCTH_POLICY_SET_MAX, attr,
++ nfnl_cthelper_expect_policy_set);
++ if (err < 0)
++ return err;
++
++ if (!tb[NFCTH_POLICY_SET_NUM])
++ return -EINVAL;
++
++ class_max = ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM]));
++ if (helper->expect_class_max + 1 != class_max)
++ return -EBUSY;
++
++ return nfnl_cthelper_update_policy_all(tb, helper);
++}
++
++static int
+ nfnl_cthelper_update(const struct nlattr * const tb[],
+ struct nf_conntrack_helper *helper)
+ {
+@@ -265,8 +348,7 @@ nfnl_cthelper_update(const struct nlattr
+ return -EBUSY;
+
+ if (tb[NFCTH_POLICY]) {
+- ret = nfnl_cthelper_parse_expect_policy(helper,
+- tb[NFCTH_POLICY]);
++ ret = nfnl_cthelper_update_policy(helper, tb[NFCTH_POLICY]);
+ if (ret < 0)
+ return ret;
+ }
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Gabriele Paoloni <gabriele.paoloni@huawei.com>
+Date: Thu, 28 Sep 2017 15:33:05 +0100
+Subject: PCI/AER: Report non-fatal errors only to the affected endpoint
+
+From: Gabriele Paoloni <gabriele.paoloni@huawei.com>
+
+
+[ Upstream commit 86acc790717fb60fb51ea3095084e331d8711c74 ]
+
+Previously, if an non-fatal error was reported by an endpoint, we
+called report_error_detected() for the endpoint, every sibling on the
+bus, and their descendents. If any of them did not implement the
+.error_detected() method, do_recovery() failed, leaving all these
+devices unrecovered.
+
+For example, the system described in the bugzilla below has two devices:
+
+ 0000:74:02.0 [19e5:a230] SAS controller, driver has .error_detected()
+ 0000:74:03.0 [19e5:a235] SATA controller, driver lacks .error_detected()
+
+When a device such as 74:02.0 reported a non-fatal error, do_recovery()
+failed because 74:03.0 lacked an .error_detected() method. But per PCIe
+r3.1, sec 6.2.2.2.2, such an error does not compromise the Link and
+does not affect 74:03.0:
+
+ Non-fatal errors are uncorrectable errors which cause a particular
+ transaction to be unreliable but the Link is otherwise fully functional.
+ Isolating Non-fatal from Fatal errors provides Requester/Receiver logic
+ in a device or system management software the opportunity to recover from
+ the error without resetting the components on the Link and disturbing
+ other transactions in progress. Devices not associated with the
+ transaction in error are not impacted by the error.
+
+Report non-fatal errors only to the endpoint that reported them. We really
+want to check for AER_NONFATAL here, but the current code structure doesn't
+allow that. Looking for pci_channel_io_normal is the best we can do now.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=197055
+Fixes: 6c2b374d7485 ("PCI-Express AER implemetation: AER core and aerdriver")
+Signed-off-by: Gabriele Paoloni <gabriele.paoloni@huawei.com>
+Signed-off-by: Dongdong Liu <liudongdong3@huawei.com>
+[bhelgaas: changelog]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pcie/aer/aerdrv_core.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/pcie/aer/aerdrv_core.c
++++ b/drivers/pci/pcie/aer/aerdrv_core.c
+@@ -360,7 +360,14 @@ static pci_ers_result_t broadcast_error_
+ * If the error is reported by an end point, we think this
+ * error is related to the upstream link of the end point.
+ */
+- pci_walk_bus(dev->bus, cb, &result_data);
++ if (state == pci_channel_io_normal)
++ /*
++ * the error is non fatal so the bus is ok, just invoke
++ * the callback for the function that logged the error.
++ */
++ cb(dev, &result_data);
++ else
++ pci_walk_bus(dev->bus, cb, &result_data);
+ }
+
+ return result_data.result;
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: David Daney <david.daney@cavium.com>
+Date: Fri, 8 Sep 2017 10:10:31 +0200
+Subject: PCI: Avoid bus reset if bridge itself is broken
+
+From: David Daney <david.daney@cavium.com>
+
+
+[ Upstream commit 357027786f3523d26f42391aa4c075b8495e5d28 ]
+
+When checking to see if a PCI bus can safely be reset, we previously
+checked to see if any of the children had their PCI_DEV_FLAGS_NO_BUS_RESET
+flag set. Children marked with that flag are known not to behave well
+after a bus reset.
+
+Some PCIe root port bridges also do not behave well after a bus reset,
+sometimes causing the devices behind the bridge to become unusable.
+
+Add a check for PCI_DEV_FLAGS_NO_BUS_RESET being set in the bridge device
+to allow these bridges to be flagged, and prevent their secondary buses
+from being reset.
+
+Signed-off-by: David Daney <david.daney@cavium.com>
+[jglauber@cavium.com: fixed typo]
+Signed-off-by: Jan Glauber <jglauber@cavium.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Alex Williamson <alex.williamson@redhat.com>
+
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -3580,6 +3580,10 @@ static bool pci_bus_resetable(struct pci
+ {
+ struct pci_dev *dev;
+
++
++ if (bus->self && (bus->self->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET))
++ return false;
++
+ list_for_each_entry(dev, &bus->devices, bus_list) {
+ if (dev->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET ||
+ (dev->subordinate && !pci_bus_resetable(dev->subordinate)))
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Stuart Hayes <stuart.w.hayes@gmail.com>
+Date: Wed, 4 Oct 2017 10:57:52 -0500
+Subject: PCI: Create SR-IOV virtfn/physfn links before attaching driver
+
+From: Stuart Hayes <stuart.w.hayes@gmail.com>
+
+
+[ Upstream commit 27d6162944b9b34c32cd5841acd21786637ee743 ]
+
+When creating virtual functions, create the "virtfn%u" and "physfn" links
+in sysfs *before* attaching the driver instead of after. When we attach
+the driver to the new virtual network interface first, there is a race when
+the driver attaches to the new sends out an "add" udev event, and the
+network interface naming software (biosdevname or systemd, for example)
+tries to look at these links.
+
+Signed-off-by: Stuart Hayes <stuart.w.hayes@gmail.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/iov.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/iov.c
++++ b/drivers/pci/iov.c
+@@ -106,7 +106,6 @@ static int virtfn_add(struct pci_dev *de
+ pci_device_add(virtfn, virtfn->bus);
+ mutex_unlock(&iov->dev->sriov->lock);
+
+- pci_bus_add_device(virtfn);
+ sprintf(buf, "virtfn%u", id);
+ rc = sysfs_create_link(&dev->dev.kobj, &virtfn->dev.kobj, buf);
+ if (rc)
+@@ -117,6 +116,8 @@ static int virtfn_add(struct pci_dev *de
+
+ kobject_uevent(&virtfn->dev.kobj, KOBJ_CHANGE);
+
++ pci_bus_add_device(virtfn);
++
+ return 0;
+
+ failed2:
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+Date: Tue, 3 Oct 2017 18:29:49 -0400
+Subject: percpu: don't forget to free the temporary struct pcpu_alloc_info
+
+From: Nicolas Pitre <nicolas.pitre@linaro.org>
+
+
+[ Upstream commit 438a50618095061920d3a30d4c5ca1ef2e0ff860 ]
+
+Unlike the SMP case, the !SMP case does not free the memory for struct
+pcpu_alloc_info allocated in setup_per_cpu_areas(). And to give it a
+chance of being reused by the page allocator later, align it to a page
+boundary just like its size.
+
+Signed-off-by: Nicolas Pitre <nico@linaro.org>
+Acked-by: Dennis Zhou <dennisszhou@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/percpu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/mm/percpu.c
++++ b/mm/percpu.c
+@@ -1402,7 +1402,7 @@ struct pcpu_alloc_info * __init pcpu_all
+ __alignof__(ai->groups[0].cpu_map[0]));
+ ai_size = base_size + nr_units * sizeof(ai->groups[0].cpu_map[0]);
+
+- ptr = memblock_virt_alloc_nopanic(PFN_ALIGN(ai_size), 0);
++ ptr = memblock_virt_alloc_nopanic(PFN_ALIGN(ai_size), PAGE_SIZE);
+ if (!ptr)
+ return NULL;
+ ai = ptr;
+@@ -2268,6 +2268,7 @@ void __init setup_per_cpu_areas(void)
+
+ if (pcpu_setup_first_chunk(ai, fc) < 0)
+ panic("Failed to initialize percpu areas.");
++ pcpu_free_alloc_info(ai);
+ }
+
+ #endif /* CONFIG_SMP */
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: hayeswang <hayeswang@realtek.com>
+Date: Tue, 14 Mar 2017 14:15:20 +0800
+Subject: r8152: fix the list rx_done may be used without initialization
+
+From: hayeswang <hayeswang@realtek.com>
+
+
+[ Upstream commit 98d068ab52b4b11d403995ed14154660797e7136 ]
+
+The list rx_done would be initialized when the linking on occurs.
+Therefore, if a napi is scheduled without any linking on before,
+the following kernel panic would happen.
+
+ BUG: unable to handle kernel NULL pointer dereference at 000000000000008
+ IP: [<ffffffffc085efde>] r8152_poll+0xe1e/0x1210 [r8152]
+ PGD 0
+ Oops: 0002 [#1] SMP
+
+Signed-off-by: Hayes Wang <hayeswang@realtek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/r8152.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -1252,6 +1252,7 @@ static int alloc_all_mem(struct r8152 *t
+ spin_lock_init(&tp->tx_lock);
+ INIT_LIST_HEAD(&tp->rx_done);
+ INIT_LIST_HEAD(&tp->tx_free);
++ INIT_LIST_HEAD(&tp->rx_done);
+ skb_queue_head_init(&tp->tx_queue);
+
+ for (i = 0; i < RTL8152_MAX_RX; i++) {
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Thu, 23 Mar 2017 14:55:09 +0100
+Subject: s390/qeth: no ETH header for outbound AF_IUCV
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+
+[ Upstream commit acd9776b5c45ef02d1a210969a6fcc058afb76e3 ]
+
+With AF_IUCV traffic, the skb passed to hard_start_xmit() has a 14 byte
+slot at skb->data, intended for an ETH header. qeth_l3_fill_af_iucv_hdr()
+fills this ETH header... and then immediately moves it to the
+skb's headroom, where it disappears and is never seen again.
+
+But it's still possible for us to return NETDEV_TX_BUSY after the skb has
+been modified. Since we didn't get a private copy of the skb, the next
+time the skb is delivered to hard_start_xmit() it no longer has the
+expected layout (we moved the ETH header to the headroom, so skb->data
+now starts at the IUCV_TRANS header). So when qeth_l3_fill_af_iucv_hdr()
+does another round of rebuilding, the resulting qeth header ends up
+all wrong. On transmission, the buffer is then rejected by
+the HiperSockets device with SBALF15 = x'04'.
+When this error is passed back to af_iucv as TX_NOTIFY_UNREACHABLE, it
+tears down the offending socket.
+
+As the ETH header for AF_IUCV serves no purpose, just align the code to
+what we do for IP traffic on L3 HiperSockets: keep the ETH header at
+skb->data, and pass down data_offset = ETH_HLEN to qeth_fill_buffer().
+When mapping the payload into the SBAL elements, the ETH header is then
+stripped off. This avoids the skb manipulations in
+qeth_l3_fill_af_iucv_hdr(), and any buffer re-entering hard_start_xmit()
+after NETDEV_TX_BUSY is now processed properly.
+
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_l3_main.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+--- a/drivers/s390/net/qeth_l3_main.c
++++ b/drivers/s390/net/qeth_l3_main.c
+@@ -2769,17 +2769,13 @@ static void qeth_l3_fill_af_iucv_hdr(str
+ char daddr[16];
+ struct af_iucv_trans_hdr *iucv_hdr;
+
+- skb_pull(skb, 14);
+- card->dev->header_ops->create(skb, card->dev, 0,
+- card->dev->dev_addr, card->dev->dev_addr,
+- card->dev->addr_len);
+- skb_pull(skb, 14);
+- iucv_hdr = (struct af_iucv_trans_hdr *)skb->data;
+ memset(hdr, 0, sizeof(struct qeth_hdr));
+ hdr->hdr.l3.id = QETH_HEADER_TYPE_LAYER3;
+ hdr->hdr.l3.ext_flags = 0;
+- hdr->hdr.l3.length = skb->len;
++ hdr->hdr.l3.length = skb->len - ETH_HLEN;
+ hdr->hdr.l3.flags = QETH_HDR_IPV6 | QETH_CAST_UNICAST;
++
++ iucv_hdr = (struct af_iucv_trans_hdr *) (skb->data + ETH_HLEN);
+ memset(daddr, 0, sizeof(daddr));
+ daddr[0] = 0xfe;
+ daddr[1] = 0x80;
+@@ -2962,10 +2958,7 @@ static int qeth_l3_hard_start_xmit(struc
+ if ((card->info.type == QETH_CARD_TYPE_IQD) && (!large_send) &&
+ (skb_shinfo(skb)->nr_frags == 0)) {
+ new_skb = skb;
+- if (new_skb->protocol == ETH_P_AF_IUCV)
+- data_offset = 0;
+- else
+- data_offset = ETH_HLEN;
++ data_offset = ETH_HLEN;
+ hdr = kmem_cache_alloc(qeth_core_header_cache, GFP_ATOMIC);
+ if (!hdr)
+ goto tx_drop;
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Varun Prakash <varun@chelsio.com>
+Date: Wed, 11 Oct 2017 19:33:07 +0530
+Subject: scsi: cxgb4i: fix Tx skb leak
+
+From: Varun Prakash <varun@chelsio.com>
+
+
+[ Upstream commit 9b3a081fb62158b50bcc90522ca2423017544367 ]
+
+In case of connection reset Tx skb queue can have some skbs which are
+not transmitted so purge Tx skb queue in release_offload_resources() to
+avoid skb leak.
+
+Signed-off-by: Varun Prakash <varun@chelsio.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/cxgbi/cxgb4i/cxgb4i.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
++++ b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
+@@ -1262,6 +1262,7 @@ static void release_offload_resources(st
+ csk, csk->state, csk->flags, csk->tid);
+
+ cxgbi_sock_free_cpl_skbs(csk);
++ cxgbi_sock_purge_write_queue(csk);
+ if (csk->wr_cred != csk->wr_max_cred) {
+ cxgbi_sock_purge_wr_queue(csk);
+ cxgbi_sock_reset_wr_list(csk);
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+Date: Thu, 23 Mar 2017 08:47:18 -0400
+Subject: scsi: lpfc: Fix PT2PT PRLI reject
+
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+
+
+[ Upstream commit a71e3cdcfce4880a4578915e110e3eaed1659765 ]
+
+lpfc cannot establish connection with targets that send PRLI in P2P
+configurations.
+
+If lpfc rejects a PRLI that is sent from a target the target will not
+resend and will reject the PRLI send from the initiator.
+
+[mkp: applied by hand]
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_els.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -6870,7 +6870,8 @@ lpfc_els_unsol_buffer(struct lpfc_hba *p
+ did, vport->port_state, ndlp->nlp_flag);
+
+ phba->fc_stat.elsRcvPRLI++;
+- if (vport->port_state < LPFC_DISC_AUTH) {
++ if ((vport->port_state < LPFC_DISC_AUTH) &&
++ (vport->fc_flag & FC_FABRIC)) {
+ rjt_err = LSRJT_UNABLE_TPC;
+ rjt_exp = LSEXP_NOTHING_MORE;
+ break;
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+Date: Fri, 29 Sep 2017 17:34:42 -0700
+Subject: scsi: lpfc: Fix secure firmware updates
+
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+
+
+[ Upstream commit 184fc2b9a8bcbda9c14d0a1e7fbecfc028c7702e ]
+
+Firmware update fails with: status x17 add_status x56 on the final write
+
+If multiple DMA buffers are used for the download, some firmware revs
+have difficulty with signatures and crcs split across the dma buffer
+boundaries. Resolve by making all writes be a single 4k page in length.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_hw4.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/lpfc/lpfc_hw4.h
++++ b/drivers/scsi/lpfc/lpfc_hw4.h
+@@ -2951,7 +2951,7 @@ struct lpfc_mbx_get_port_name {
+ #define MB_CEQ_STATUS_QUEUE_FLUSHING 0x4
+ #define MB_CQE_STATUS_DMA_FAILED 0x5
+
+-#define LPFC_MBX_WR_CONFIG_MAX_BDE 8
++#define LPFC_MBX_WR_CONFIG_MAX_BDE 1
+ struct lpfc_mbx_wr_object {
+ struct mbox_header header;
+ union {
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+Date: Fri, 29 Sep 2017 17:34:32 -0700
+Subject: scsi: lpfc: PLOGI failures during NPIV testing
+
+From: Dick Kennedy <dick.kennedy@broadcom.com>
+
+
+[ Upstream commit e8bcf0ae4c0346fdc78ebefe0eefcaa6a6622d38 ]
+
+Local Reject/Invalid RPI errors seen during discovery.
+
+Temporary RPI cleanup was occurring regardless of SLI rev. It's only
+necessary on SLI-4.
+
+Adjust the test for whether cleanup is necessary.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <james.smart@broadcom.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_hbadisc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -4737,7 +4737,8 @@ lpfc_nlp_remove(struct lpfc_vport *vport
+ lpfc_cancel_retry_delay_tmo(vport, ndlp);
+ if ((ndlp->nlp_flag & NLP_DEFER_RM) &&
+ !(ndlp->nlp_flag & NLP_REG_LOGIN_SEND) &&
+- !(ndlp->nlp_flag & NLP_RPI_REGISTERED)) {
++ !(ndlp->nlp_flag & NLP_RPI_REGISTERED) &&
++ phba->sli_rev != LPFC_SLI_REV4) {
+ /* For this case we need to cleanup the default rpi
+ * allocated by the firmware.
+ */
arm64-initialise-high_memory-global-variable-earlier.patch
+alsa-hda-add-support-for-docking-station-for-hp-820-g2.patch
+cpuidle-validate-cpu_dev-in-cpuidle_add_sysfs.patch
+r8152-fix-the-list-rx_done-may-be-used-without-initialization.patch
+crypto-deadlock-between-crypto_alg_sem-rtnl_mutex-genl_mutex.patch
+net-qmi_wwan-add-usb-ids-for-mdm6600-modem-on-motorola-droid-4.patch
+usb-gadget-f_uvc-sanity-check-wmaxpacketsize-for-superspeed.patch
+usb-gadget-udc-remove-pointer-dereference-after-free.patch
+netfilter-nfnl_cthelper-fix-runtime-expectation-policy-updates.patch
+netfilter-nfnl_cthelper-fix-memory-leak.patch
+scsi-lpfc-fix-pt2pt-prli-reject.patch
+kvm-x86-correct-async-page-present-tracepoint.patch
+arm-dts-ti-fix-pci-bus-dtc-warnings.patch
+hwmon-asus_atk0110-fix-uninitialized-data-access.patch
+i2c-mux-pca954x-add-missing-pca9546-definition-to-chip_desc.patch
+hid-xinmo-fix-for-out-of-range-for-tht-2p-arcade-controller.patch
+s390-qeth-no-eth-header-for-outbound-af_iucv.patch
+net-do-not-allow-negative-values-for-busy_read-and-busy_poll-sysctl-interfaces.patch
+i40e-do-not-enable-napi-on-q_vectors-that-have-no-rings.patch
+irda-vlsi_ir-fix-check-for-dma-mapping-errors.patch
+netfilter-nfnl_cthelper-fix-a-race-when-walk-the-nf_ct_helper_hash-table.patch
+netfilter-nf_nat_snmp-fix-panic-when-snmp_trap_helper-fails-to-register.patch
+arm-dts-am335x-evmsk-adjust-mmc2-param-to-allow-suspend.patch
+isdn-kcapi-avoid-uninitialized-data.patch
+xhci-plat-register-shutdown-for-xhci_plat.patch
+arm-dma-mapping-disallow-dma_get_sgtable-for-non-kernel-managed-memory.patch
+cpuidle-powernv-pass-correct-drv-cpumask-for-registration.patch
+backlight-pwm_bl-fix-overflow-condition.patch
+crypto-crypto4xx-increase-context-and-scatter-ring-buffer-elements.patch
+net-phy-at803x-change-error-to-einval-for-invalid-mac.patch
+pci-avoid-bus-reset-if-bridge-itself-is-broken.patch
+scsi-cxgb4i-fix-tx-skb-leak.patch
+pci-create-sr-iov-virtfn-physfn-links-before-attaching-driver.patch
+igb-check-memory-allocation-failure.patch
+pci-aer-report-non-fatal-errors-only-to-the-affected-endpoint.patch
+percpu-don-t-forget-to-free-the-temporary-struct-pcpu_alloc_info.patch
+scsi-lpfc-fix-secure-firmware-updates.patch
+scsi-lpfc-plogi-failures-during-npiv-testing.patch
+fm10k-ensure-we-process-sm-mbx-when-processing-vf-mbx.patch
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Roger Quadros <rogerq@ti.com>
+Date: Wed, 8 Mar 2017 16:05:44 +0200
+Subject: usb: gadget: f_uvc: Sanity check wMaxPacketSize for SuperSpeed
+
+From: Roger Quadros <rogerq@ti.com>
+
+
+[ Upstream commit 16bb05d98c904a4f6c5ce7e2d992299f794acbf2 ]
+
+As per USB3.0 Specification "Table 9-20. Standard Endpoint Descriptor",
+for interrupt and isochronous endpoints, wMaxPacketSize must be set to
+1024 if the endpoint defines bMaxBurst to be greater than zero.
+
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_uvc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/gadget/function/f_uvc.c
++++ b/drivers/usb/gadget/function/f_uvc.c
+@@ -612,6 +612,14 @@ uvc_function_bind(struct usb_configurati
+ opts->streaming_maxpacket = clamp(opts->streaming_maxpacket, 1U, 3072U);
+ opts->streaming_maxburst = min(opts->streaming_maxburst, 15U);
+
++ /* For SS, wMaxPacketSize has to be 1024 if bMaxBurst is not 0 */
++ if (opts->streaming_maxburst &&
++ (opts->streaming_maxpacket % 1024) != 0) {
++ opts->streaming_maxpacket = roundup(opts->streaming_maxpacket, 1024);
++ INFO(cdev, "overriding streaming_maxpacket to %d\n",
++ opts->streaming_maxpacket);
++ }
++
+ /* Fill in the FS/HS/SS Video Streaming specific descriptors from the
+ * module parameters.
+ *
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+Date: Fri, 10 Mar 2017 15:39:32 -0600
+Subject: usb: gadget: udc: remove pointer dereference after free
+
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+
+
+[ Upstream commit 1f459262b0e1649a1e5ad12fa4c66eb76c2220ce ]
+
+Remove pointer dereference after free.
+
+Addresses-Coverity-ID: 1091173
+Acked-by: Michal Nazarewicz <mina86@mina86.com>
+Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/pch_udc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/pch_udc.c
++++ b/drivers/usb/gadget/udc/pch_udc.c
+@@ -1533,7 +1533,6 @@ static void pch_udc_free_dma_chain(struc
+ td = phys_to_virt(addr);
+ addr2 = (dma_addr_t)td->next;
+ pci_pool_free(dev->data_requests, td, addr);
+- td->next = 0x00;
+ addr = addr2;
+ }
+ req->chain_len = 1;
--- /dev/null
+From foo@baz Thu Dec 21 10:55:04 CET 2017
+From: Adam Wallis <awallis@codeaurora.org>
+Date: Tue, 28 Mar 2017 15:55:28 +0300
+Subject: xhci: plat: Register shutdown for xhci_plat
+
+From: Adam Wallis <awallis@codeaurora.org>
+
+
+[ Upstream commit b07c12517f2aed0add8ce18146bb426b14099392 ]
+
+Shutdown should be called for xhci_plat devices especially for
+situations where kexec might be used by stopping DMA
+transactions.
+
+Signed-off-by: Adam Wallis <awallis@codeaurora.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-plat.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -252,6 +252,7 @@ MODULE_DEVICE_TABLE(of, usb_xhci_of_matc
+ static struct platform_driver usb_xhci_driver = {
+ .probe = xhci_plat_probe,
+ .remove = xhci_plat_remove,
++ .shutdown = usb_hcd_platform_shutdown,
+ .driver = {
+ .name = "xhci-hcd",
+ .pm = DEV_PM_OPS,
projects / thirdparty / kernel / stable-queue.git / commitdiff
