--- /dev/null
+From de2df0c11b9485b6c645ba1c6bb2f73ee51d4ce0 Mon Sep 17 00:00:00 2001
+From: Jose Abreu <joabreu@synopsys.com>
+Date: Fri, 30 Nov 2018 09:47:31 +0000
+Subject: ARC: io.h: Implement reads{x}()/writes{x}()
+
+[ Upstream commit 10d443431dc2bb733cf7add99b453e3fb9047a2e ]
+
+Some ARC CPU's do not support unaligned loads/stores. Currently, generic
+implementation of reads{b/w/l}()/writes{b/w/l}() is being used with ARC.
+This can lead to misfunction of some drivers as generic functions do a
+plain dereference of a pointer that can be unaligned.
+
+Let's use {get/put}_unaligned() helpers instead of plain dereference of
+pointer in order to fix. The helpers allow to get and store data from an
+unaligned address whilst preserving the CPU internal alignment.
+According to [1], the use of these helpers are costly in terms of
+performance so we added an initial check for a buffer already aligned so
+that the usage of the helpers can be avoided, when possible.
+
+[1] Documentation/unaligned-memory-access.txt
+
+Cc: Alexey Brodkin <abrodkin@synopsys.com>
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: David Laight <David.Laight@ACULAB.COM>
+Tested-by: Vitor Soares <soares@synopsys.com>
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/include/asm/io.h | 72 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 72 insertions(+)
+
+diff --git a/arch/arc/include/asm/io.h b/arch/arc/include/asm/io.h
+index c22b181e8206..2f39d9b3886e 100644
+--- a/arch/arc/include/asm/io.h
++++ b/arch/arc/include/asm/io.h
+@@ -12,6 +12,7 @@
+ #include <linux/types.h>
+ #include <asm/byteorder.h>
+ #include <asm/page.h>
++#include <asm/unaligned.h>
+
+ #ifdef CONFIG_ISA_ARCV2
+ #include <asm/barrier.h>
+@@ -94,6 +95,42 @@ static inline u32 __raw_readl(const volatile void __iomem *addr)
+ return w;
+ }
+
++/*
++ * {read,write}s{b,w,l}() repeatedly access the same IO address in
++ * native endianness in 8-, 16-, 32-bit chunks {into,from} memory,
++ * @count times
++ */
++#define __raw_readsx(t,f) \
++static inline void __raw_reads##f(const volatile void __iomem *addr, \
++ void *ptr, unsigned int count) \
++{ \
++ bool is_aligned = ((unsigned long)ptr % ((t) / 8)) == 0; \
++ u##t *buf = ptr; \
++ \
++ if (!count) \
++ return; \
++ \
++ /* Some ARC CPU's don't support unaligned accesses */ \
++ if (is_aligned) { \
++ do { \
++ u##t x = __raw_read##f(addr); \
++ *buf++ = x; \
++ } while (--count); \
++ } else { \
++ do { \
++ u##t x = __raw_read##f(addr); \
++ put_unaligned(x, buf++); \
++ } while (--count); \
++ } \
++}
++
++#define __raw_readsb __raw_readsb
++__raw_readsx(8, b)
++#define __raw_readsw __raw_readsw
++__raw_readsx(16, w)
++#define __raw_readsl __raw_readsl
++__raw_readsx(32, l)
++
+ #define __raw_writeb __raw_writeb
+ static inline void __raw_writeb(u8 b, volatile void __iomem *addr)
+ {
+@@ -126,6 +163,35 @@ static inline void __raw_writel(u32 w, volatile void __iomem *addr)
+
+ }
+
++#define __raw_writesx(t,f) \
++static inline void __raw_writes##f(volatile void __iomem *addr, \
++ const void *ptr, unsigned int count) \
++{ \
++ bool is_aligned = ((unsigned long)ptr % ((t) / 8)) == 0; \
++ const u##t *buf = ptr; \
++ \
++ if (!count) \
++ return; \
++ \
++ /* Some ARC CPU's don't support unaligned accesses */ \
++ if (is_aligned) { \
++ do { \
++ __raw_write##f(*buf++, addr); \
++ } while (--count); \
++ } else { \
++ do { \
++ __raw_write##f(get_unaligned(buf++), addr); \
++ } while (--count); \
++ } \
++}
++
++#define __raw_writesb __raw_writesb
++__raw_writesx(8, b)
++#define __raw_writesw __raw_writesw
++__raw_writesx(16, w)
++#define __raw_writesl __raw_writesl
++__raw_writesx(32, l)
++
+ /*
+ * MMIO can also get buffered/optimized in micro-arch, so barriers needed
+ * Based on ARM model for the typical use case
+@@ -141,10 +207,16 @@ static inline void __raw_writel(u32 w, volatile void __iomem *addr)
+ #define readb(c) ({ u8 __v = readb_relaxed(c); __iormb(); __v; })
+ #define readw(c) ({ u16 __v = readw_relaxed(c); __iormb(); __v; })
+ #define readl(c) ({ u32 __v = readl_relaxed(c); __iormb(); __v; })
++#define readsb(p,d,l) ({ __raw_readsb(p,d,l); __iormb(); })
++#define readsw(p,d,l) ({ __raw_readsw(p,d,l); __iormb(); })
++#define readsl(p,d,l) ({ __raw_readsl(p,d,l); __iormb(); })
+
+ #define writeb(v,c) ({ __iowmb(); writeb_relaxed(v,c); })
+ #define writew(v,c) ({ __iowmb(); writew_relaxed(v,c); })
+ #define writel(v,c) ({ __iowmb(); writel_relaxed(v,c); })
++#define writesb(p,d,l) ({ __iowmb(); __raw_writesb(p,d,l); })
++#define writesw(p,d,l) ({ __iowmb(); __raw_writesw(p,d,l); })
++#define writesl(p,d,l) ({ __iowmb(); __raw_writesl(p,d,l); })
+
+ /*
+ * Relaxed API for drivers which can handle barrier ordering themselves
+--
+2.19.1
+
--- /dev/null
+From e4f3414cc8c7f5e45781c2f7100c86d13563a895 Mon Sep 17 00:00:00 2001
+From: Chris Cole <chris@sageembedded.com>
+Date: Fri, 23 Nov 2018 12:20:45 +0100
+Subject: ARM: 8814/1: mm: improve/fix ARM v7_dma_inv_range() unaligned address
+ handling
+
+[ Upstream commit a1208f6a822ac29933e772ef1f637c5d67838da9 ]
+
+This patch addresses possible memory corruption when
+v7_dma_inv_range(start_address, end_address) address parameters are not
+aligned to whole cache lines. This function issues "invalidate" cache
+management operations to all cache lines from start_address (inclusive)
+to end_address (exclusive). When start_address and/or end_address are
+not aligned, the start and/or end cache lines are first issued "clean &
+invalidate" operation. The assumption is this is done to ensure that any
+dirty data addresses outside the address range (but part of the first or
+last cache lines) are cleaned/flushed so that data is not lost, which
+could happen if just an invalidate is issued.
+
+The problem is that these first/last partial cache lines are issued
+"clean & invalidate" and then "invalidate". This second "invalidate" is
+not required and worse can cause "lost" writes to addresses outside the
+address range but part of the cache line. If another component writes to
+its part of the cache line between the "clean & invalidate" and
+"invalidate" operations, the write can get lost. This fix is to remove
+the extra "invalidate" operation when unaligned addressed are used.
+
+A kernel module is available that has a stress test to reproduce the
+issue and a unit test of the updated v7_dma_inv_range(). It can be
+downloaded from
+http://ftp.sageembedded.com/outgoing/linux/cache-test-20181107.tgz.
+
+v7_dma_inv_range() is call by dmac_[un]map_area(addr, len, direction)
+when the direction is DMA_FROM_DEVICE. One can (I believe) successfully
+argue that DMA from a device to main memory should use buffers aligned
+to cache line size, because the "clean & invalidate" might overwrite
+data that the device just wrote using DMA. But if a driver does use
+unaligned buffers, at least this fix will prevent memory corruption
+outside the buffer.
+
+Signed-off-by: Chris Cole <chris@sageembedded.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/cache-v7.S | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/mm/cache-v7.S b/arch/arm/mm/cache-v7.S
+index a134d8a13d00..11d699af30ed 100644
+--- a/arch/arm/mm/cache-v7.S
++++ b/arch/arm/mm/cache-v7.S
+@@ -359,14 +359,16 @@ v7_dma_inv_range:
+ ALT_UP(W(nop))
+ #endif
+ mcrne p15, 0, r0, c7, c14, 1 @ clean & invalidate D / U line
++ addne r0, r0, r2
+
+ tst r1, r3
+ bic r1, r1, r3
+ mcrne p15, 0, r1, c7, c14, 1 @ clean & invalidate D / U line
+-1:
+- mcr p15, 0, r0, c7, c6, 1 @ invalidate D / U line
+- add r0, r0, r2
+ cmp r0, r1
++1:
++ mcrlo p15, 0, r0, c7, c6, 1 @ invalidate D / U line
++ addlo r0, r0, r2
++ cmplo r0, r1
+ blo 1b
+ dsb st
+ ret lr
+--
+2.19.1
+
--- /dev/null
+From 08b1e54042802ce36a3103ffea6947aa83d3aa24 Mon Sep 17 00:00:00 2001
+From: Vladimir Murzin <vladimir.murzin@arm.com>
+Date: Fri, 23 Nov 2018 12:25:21 +0100
+Subject: ARM: 8815/1: V7M: align v7m_dma_inv_range() with v7 counterpart
+
+[ Upstream commit 3d0358d0ba048c5afb1385787aaec8fa5ad78fcc ]
+
+Chris has discovered and reported that v7_dma_inv_range() may corrupt
+memory if address range is not aligned to cache line size.
+
+Since the whole cache-v7m.S was lifted form cache-v7.S the same
+observation applies to v7m_dma_inv_range(). So the fix just mirrors
+what has been done for v7 with a little specific of M-class.
+
+Cc: Chris Cole <chris@sageembedded.com>
+Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/cache-v7m.S | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm/mm/cache-v7m.S b/arch/arm/mm/cache-v7m.S
+index 816a7e44e6f1..d29927740a19 100644
+--- a/arch/arm/mm/cache-v7m.S
++++ b/arch/arm/mm/cache-v7m.S
+@@ -73,9 +73,11 @@
+ /*
+ * dcimvac: Invalidate data cache line by MVA to PoC
+ */
+-.macro dcimvac, rt, tmp
+- v7m_cacheop \rt, \tmp, V7M_SCB_DCIMVAC
++.irp c,,eq,ne,cs,cc,mi,pl,vs,vc,hi,ls,ge,lt,gt,le,hs,lo
++.macro dcimvac\c, rt, tmp
++ v7m_cacheop \rt, \tmp, V7M_SCB_DCIMVAC, \c
+ .endm
++.endr
+
+ /*
+ * dccmvau: Clean data cache line by MVA to PoU
+@@ -369,14 +371,16 @@ v7m_dma_inv_range:
+ tst r0, r3
+ bic r0, r0, r3
+ dccimvacne r0, r3
++ addne r0, r0, r2
+ subne r3, r2, #1 @ restore r3, corrupted by v7m's dccimvac
+ tst r1, r3
+ bic r1, r1, r3
+ dccimvacne r1, r3
+-1:
+- dcimvac r0, r3
+- add r0, r0, r2
+ cmp r0, r1
++1:
++ dcimvaclo r0, r3
++ addlo r0, r0, r2
++ cmplo r0, r1
+ blo 1b
+ dsb st
+ ret lr
+--
+2.19.1
+
--- /dev/null
+From b949d3011fd236dddb45091b8dda1171a676cb7c Mon Sep 17 00:00:00 2001
+From: Toni Peltonen <peltzi@peltzi.fi>
+Date: Tue, 27 Nov 2018 16:56:57 +0200
+Subject: bonding: fix 802.3ad state sent to partner when unbinding slave
+
+[ Upstream commit 3b5b3a3331d141e8f2a7aaae3a94dfa1e61ecbe4 ]
+
+Previously when unbinding a slave the 802.3ad implementation only told
+partner that the port is not suitable for aggregation by setting the port
+aggregation state from aggregatable to individual. This is not enough. If the
+physical layer still stays up and we only unbinded this port from the bond there
+is nothing in the aggregation status alone to prevent the partner from sending
+traffic towards us. To ensure that the partner doesn't consider this
+port at all anymore we should also disable collecting and distributing to
+signal that this actor is going away. Also clear AD_STATE_SYNCHRONIZATION to
+ensure partner exits collecting + distributing state.
+
+I have tested this behaviour againts Arista EOS switches with mlx5 cards
+(physical link stays up even when interface is down) and simulated
+the same situation virtually Linux <-> Linux with two network namespaces
+running two veth device pairs. In both cases setting aggregation to
+individual doesn't alone prevent traffic from being to sent towards this
+port given that the link stays up in partners end. Partner still keeps
+it's end in collecting + distributing state and continues until timeout is
+reached. In most cases this means we are losing the traffic partner sends
+towards our port while we wait for timeout. This is most visible with slow
+periodic time (LACP rate slow).
+
+Other open source implementations like Open VSwitch and libreswitch, and
+vendor implementations like Arista EOS, seem to disable collecting +
+distributing to when doing similar port disabling/detaching/removing change.
+With this patch kernel implementation would behave the same way and ensure
+partner doesn't consider our actor viable anymore.
+
+Signed-off-by: Toni Peltonen <peltzi@peltzi.fi>
+Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Acked-by: Jonathan Toppins <jtoppins@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_3ad.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
+index 6dcc42d79cab..1e2ee97b9240 100644
+--- a/drivers/net/bonding/bond_3ad.c
++++ b/drivers/net/bonding/bond_3ad.c
+@@ -2050,6 +2050,9 @@ void bond_3ad_unbind_slave(struct slave *slave)
+ aggregator->aggregator_identifier);
+
+ /* Tell the partner that this port is not suitable for aggregation */
++ port->actor_oper_port_state &= ~AD_STATE_SYNCHRONIZATION;
++ port->actor_oper_port_state &= ~AD_STATE_COLLECTING;
++ port->actor_oper_port_state &= ~AD_STATE_DISTRIBUTING;
+ port->actor_oper_port_state &= ~AD_STATE_AGGREGATION;
+ __update_lacpdu_from_port(port);
+ ad_lacpdu_send(port);
+--
+2.19.1
+
--- /dev/null
+From 0ae90335d441df43ebc2584579cc961b9b4074b1 Mon Sep 17 00:00:00 2001
+From: Alexei Starovoitov <ast@kernel.org>
+Date: Mon, 3 Dec 2018 22:46:04 -0800
+Subject: bpf: check pending signals while verifying programs
+
+[ Upstream commit c3494801cd1785e2c25f1a5735fa19ddcf9665da ]
+
+Malicious user space may try to force the verifier to use as much cpu
+time and memory as possible. Hence check for pending signals
+while verifying the program.
+Note that suspend of sys_bpf(PROG_LOAD) syscall will lead to EAGAIN,
+since the kernel has to release the resources used for program verification.
+
+Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Edward Cree <ecree@solarflare.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 1438b7396cb4..335c00209f74 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2919,6 +2919,9 @@ static int do_check(struct bpf_verifier_env *env)
+ goto process_bpf_exit;
+ }
+
++ if (signal_pending(current))
++ return -EAGAIN;
++
+ if (need_resched())
+ cond_resched();
+
+--
+2.19.1
+
--- /dev/null
+From e93d2cdc32c8ce9f0ac486b5898c5b8ce1a7f277 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Sat, 3 Nov 2018 15:02:44 -0500
+Subject: cifs: In Kconfig CONFIG_CIFS_POSIX needs depends on legacy (insecure
+ cifs)
+
+[ Upstream commit 6e785302dad32228819d8066e5376acd15d0e6ba ]
+
+Missing a dependency. Shouldn't show cifs posix extensions
+in Kconfig if CONFIG_CIFS_ALLOW_INSECURE_DIALECTS (ie SMB1
+protocol) is disabled.
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/Kconfig b/fs/cifs/Kconfig
+index e7b478b49985..8bef27b8f85d 100644
+--- a/fs/cifs/Kconfig
++++ b/fs/cifs/Kconfig
+@@ -111,7 +111,7 @@ config CIFS_XATTR
+
+ config CIFS_POSIX
+ bool "CIFS POSIX Extensions"
+- depends on CIFS_XATTR
++ depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY && CIFS_XATTR
+ help
+ Enabling this option will cause the cifs client to attempt to
+ negotiate a newer dialect with servers, such as Samba 3.0.5
+--
+2.19.1
+
--- /dev/null
+From 764ecf7159b08817c909425fc0dbe808e9ffdf8c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 3 Dec 2018 17:51:43 +0300
+Subject: clk: mmp: Off by one in mmp_clk_add()
+
+[ Upstream commit 2e85c57493e391b93445c1e0d530b36b95becc64 ]
+
+The > comparison should be >= or we write one element beyond the end of
+the unit->clk_table[] array.
+
+(The unit->clk_table[] array is allocated in the mmp_clk_init() function
+and it has unit->nr_clks elements).
+
+Fixes: 4661fda10f8b ("clk: mmp: add basic support functions for DT support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/mmp/clk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/mmp/clk.c b/drivers/clk/mmp/clk.c
+index 61893fe73251..18b6c9b55b95 100644
+--- a/drivers/clk/mmp/clk.c
++++ b/drivers/clk/mmp/clk.c
+@@ -182,7 +182,7 @@ void mmp_clk_add(struct mmp_clk_unit *unit, unsigned int id,
+ pr_err("CLK %d has invalid pointer %p\n", id, clk);
+ return;
+ }
+- if (id > unit->nr_clks) {
++ if (id >= unit->nr_clks) {
+ pr_err("CLK %d is invalid\n", id);
+ return;
+ }
+--
+2.19.1
+
--- /dev/null
+From 062473f9e8edfda114ea27f92a8dc463c3c30431 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 3 Dec 2018 17:50:55 +0300
+Subject: clk: mvebu: Off by one bugs in cp110_of_clk_get()
+
+[ Upstream commit d9f5b7f5dd0fa74a89de5a7ac1e26366f211ccee ]
+
+These > comparisons should be >= to prevent reading beyond the end of
+of the clk_data->hws[] buffer.
+
+The clk_data->hws[] array is allocated in cp110_syscon_common_probe()
+when we do:
+ cp110_clk_data = devm_kzalloc(dev, sizeof(*cp110_clk_data) +
+ sizeof(struct clk_hw *) * CP110_CLK_NUM,
+ GFP_KERNEL);
+As you can see, it has CP110_CLK_NUM elements which is equivalent to
+CP110_MAX_CORE_CLOCKS + CP110_MAX_GATABLE_CLOCKS.
+
+Fixes: d3da3eaef7f4 ("clk: mvebu: new driver for Armada CP110 system controller")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/mvebu/cp110-system-controller.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/mvebu/cp110-system-controller.c b/drivers/clk/mvebu/cp110-system-controller.c
+index f2303da7fda7..465953c75320 100644
+--- a/drivers/clk/mvebu/cp110-system-controller.c
++++ b/drivers/clk/mvebu/cp110-system-controller.c
+@@ -172,11 +172,11 @@ static struct clk *cp110_of_clk_get(struct of_phandle_args *clkspec, void *data)
+ unsigned int idx = clkspec->args[1];
+
+ if (type == CP110_CLK_TYPE_CORE) {
+- if (idx > CP110_MAX_CORE_CLOCKS)
++ if (idx >= CP110_MAX_CORE_CLOCKS)
+ return ERR_PTR(-EINVAL);
+ return clk_data->clks[idx];
+ } else if (type == CP110_CLK_TYPE_GATABLE) {
+- if (idx > CP110_MAX_GATABLE_CLOCKS)
++ if (idx >= CP110_MAX_GATABLE_CLOCKS)
+ return ERR_PTR(-EINVAL);
+ return clk_data->clks[CP110_MAX_CORE_CLOCKS + idx];
+ }
+--
+2.19.1
+
--- /dev/null
+From fc1c7fed36a3aae4061d1dd58ed230317ee5ad07 Mon Sep 17 00:00:00 2001
+From: Yangtao Li <tiny.windzz@gmail.com>
+Date: Tue, 20 Nov 2018 08:38:26 -0500
+Subject: drivers/sbus/char: add of_node_put()
+
+[ Upstream commit 6bd520ab7cf69486ea81fd3cdfd2d5a390ad1100 ]
+
+use of_node_put() to release the refcount.
+
+Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/sbus/char/envctrl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/sbus/char/envctrl.c b/drivers/sbus/char/envctrl.c
+index 5609b602c54d..baa9b322520b 100644
+--- a/drivers/sbus/char/envctrl.c
++++ b/drivers/sbus/char/envctrl.c
+@@ -910,8 +910,10 @@ static void envctrl_init_i2c_child(struct device_node *dp,
+ for (len = 0; len < PCF8584_MAX_CHANNELS; ++len) {
+ pchild->mon_type[len] = ENVCTRL_NOMON;
+ }
++ of_node_put(root_node);
+ return;
+ }
++ of_node_put(root_node);
+ }
+
+ /* Get the monitor channels. */
+--
+2.19.1
+
--- /dev/null
+From cd8e5de5502156f76fdbaae69fe60f1e10363666 Mon Sep 17 00:00:00 2001
+From: Yangtao Li <tiny.windzz@gmail.com>
+Date: Wed, 21 Nov 2018 10:22:54 -0500
+Subject: drivers/tty: add missing of_node_put()
+
+[ Upstream commit dac097c4546e4c5b16dd303a1e97c1d319c8ab3e ]
+
+of_find_node_by_path() acquires a reference to the node
+returned by it and that reference needs to be dropped by its caller.
+This place is not doing this, so fix it.
+
+Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/suncore.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/tty/serial/suncore.c b/drivers/tty/serial/suncore.c
+index 127472bd6a7c..209f314745ab 100644
+--- a/drivers/tty/serial/suncore.c
++++ b/drivers/tty/serial/suncore.c
+@@ -111,6 +111,7 @@ void sunserial_console_termios(struct console *con, struct device_node *uart_dp)
+ mode = of_get_property(dp, mode_prop, NULL);
+ if (!mode)
+ mode = "9600,8,n,1,-";
++ of_node_put(dp);
+ }
+
+ cflag = CREAD | HUPCL | CLOCAL;
+--
+2.19.1
+
--- /dev/null
+From 93deeef0f6dadc30a0c66fdf2b1a09c948309ce0 Mon Sep 17 00:00:00 2001
+From: Sam Bobroff <sbobroff@linux.ibm.com>
+Date: Mon, 3 Dec 2018 11:53:21 +1100
+Subject: drm/ast: Fix connector leak during driver unload
+
+[ Upstream commit e594a5e349ddbfdaca1951bb3f8d72f3f1660d73 ]
+
+When unloading the ast driver, a warning message is printed by
+drm_mode_config_cleanup() because a reference is still held to one of
+the drm_connector structs.
+
+Correct this by calling drm_crtc_force_disable_all() in
+ast_fbdev_destroy().
+
+Signed-off-by: Sam Bobroff <sbobroff@linux.ibm.com>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1e613f3c630c7bbc72e04a44b178259b9164d2f6.1543798395.git.sbobroff@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/ast/ast_fb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/ast/ast_fb.c b/drivers/gpu/drm/ast/ast_fb.c
+index 7a86e24e2687..5e0d3e561b04 100644
+--- a/drivers/gpu/drm/ast/ast_fb.c
++++ b/drivers/gpu/drm/ast/ast_fb.c
+@@ -286,6 +286,7 @@ static void ast_fbdev_destroy(struct drm_device *dev,
+ {
+ struct ast_framebuffer *afb = &afbdev->afb;
+
++ drm_crtc_force_disable_all(dev);
+ drm_fb_helper_unregister_fbi(&afbdev->helper);
+ drm_fb_helper_release_fbi(&afbdev->helper);
+
+--
+2.19.1
+
--- /dev/null
+From 523a3b2d991bf25b291bb5d97b3a776c24693247 Mon Sep 17 00:00:00 2001
+From: Sean Paul <seanpaul@chromium.org>
+Date: Wed, 3 Oct 2018 16:22:31 -0400
+Subject: drm/msm: Grab a vblank reference when waiting for commit_done
+
+[ Upstream commit 3b712e43e3876b42b38321ecf790a1f5fe59c834 ]
+
+Similar to the atomic helpers, we should enable vblank while we're
+waiting for the commit to finish. DPU needs this, MDP5 seems to work
+fine without it.
+
+Reviewed-by: Abhinav Kumar <abhinavk@codeaurora.org>
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_atomic.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/msm_atomic.c b/drivers/gpu/drm/msm/msm_atomic.c
+index 73bae382eac3..5c58a98f67c0 100644
+--- a/drivers/gpu/drm/msm/msm_atomic.c
++++ b/drivers/gpu/drm/msm/msm_atomic.c
+@@ -98,7 +98,12 @@ static void msm_atomic_wait_for_commit_done(struct drm_device *dev,
+ if (old_state->legacy_cursor_update)
+ continue;
+
++ if (drm_crtc_vblank_get(crtc))
++ continue;
++
+ kms->funcs->wait_for_crtc_commit_done(kms, crtc);
++
++ drm_crtc_vblank_put(crtc);
+ }
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 69e98ea3cbca02c3db989db2942ff25f53bb7afe Mon Sep 17 00:00:00 2001
+From: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Date: Mon, 3 Dec 2018 13:21:01 +0100
+Subject: ethernet: fman: fix wrong of_node_put() in probe function
+
+[ Upstream commit ecb239d96d369c23c33d41708646df646de669f4 ]
+
+After getting a reference to the platform device's of_node the probe
+function ends up calling of_find_matching_node() using the node as an
+argument. The function takes care of decreasing the refcount on it. We
+are then incorrectly decreasing the refcount on that node again.
+
+This patch removes the unwarranted call to of_node_put().
+
+Fixes: 414fd46e7762 ("fsl/fman: Add FMan support")
+Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fman/fman.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fman/fman.c b/drivers/net/ethernet/freescale/fman/fman.c
+index dafd9e1baba2..380c4a2f6516 100644
+--- a/drivers/net/ethernet/freescale/fman/fman.c
++++ b/drivers/net/ethernet/freescale/fman/fman.c
+@@ -2817,7 +2817,7 @@ static struct fman *read_dts_node(struct platform_device *of_dev)
+ if (!muram_node) {
+ dev_err(&of_dev->dev, "%s: could not find MURAM node\n",
+ __func__);
+- goto fman_node_put;
++ goto fman_free;
+ }
+
+ err = of_address_to_resource(muram_node, 0,
+@@ -2826,11 +2826,10 @@ static struct fman *read_dts_node(struct platform_device *of_dev)
+ of_node_put(muram_node);
+ dev_err(&of_dev->dev, "%s: of_address_to_resource() = %d\n",
+ __func__, err);
+- goto fman_node_put;
++ goto fman_free;
+ }
+
+ of_node_put(muram_node);
+- of_node_put(fm_node);
+
+ err = devm_request_irq(&of_dev->dev, irq, fman_irq, 0, "fman", fman);
+ if (err < 0) {
+--
+2.19.1
+
--- /dev/null
+From dda231a3f4645ba49b2caa10bd8f979ac3636113 Mon Sep 17 00:00:00 2001
+From: "Adamski, Krzysztof (Nokia - PL/Wroclaw)" <krzysztof.adamski@nokia.com>
+Date: Fri, 16 Nov 2018 13:24:41 +0000
+Subject: i2c: axxia: properly handle master timeout
+
+[ Upstream commit 6c7f25cae54b840302e4f1b371dbf318fbf09ab2 ]
+
+According to Intel (R) Axxia TM Lionfish Communication Processor
+Peripheral Subsystem Hardware Reference Manual, the AXXIA I2C module
+have a programmable Master Wait Timer, which among others, checks the
+time between commands send in manual mode. When a timeout (25ms) passes,
+TSS bit is set in Master Interrupt Status register and a Stop command is
+issued by the hardware.
+
+The axxia_i2c_xfer(), does not properly handle this situation, however.
+For each message a separate axxia_i2c_xfer_msg() is called and this
+function incorrectly assumes that any interrupt might happen only when
+waiting for completion. This is mostly correct but there is one
+exception - a master timeout can trigger if enough time has passed
+between individual transfers. It will, by definition, happen between
+transfers when the interrupts are disabled by the code. If that happens,
+the hardware issues Stop command.
+
+The interrupt indicating timeout will not be triggered as soon as we
+enable them since the Master Interrupt Status is cleared when master
+mode is entered again (which happens before enabling irqs) meaning this
+error is lost and the transfer is continued even though the Stop was
+issued on the bus. The subsequent operations completes without error but
+a bogus value (0xFF in case of read) is read as the client device is
+confused because aborted transfer. No error is returned from
+master_xfer() making caller believe that a valid value was read.
+
+To fix the problem, the TSS bit (indicating timeout) in Master Interrupt
+Status register is checked before each transfer. If it is set, there was
+a timeout before this transfer and (as described above) the hardware
+already issued Stop command so the transaction should be aborted thus
+-ETIMEOUT is returned from the master_xfer() callback. In order to be
+sure no timeout was issued we can't just read the status just before
+starting new transaction as there will always be a small window of time
+(few CPU cycles at best) where this might still happen. For this reason
+we have to temporally disable the timer before checking for TSS bit.
+Disabling it will, however, clear the TSS bit so in order to preserve
+that information, we have to read it in ISR so we have to ensure that
+the TSS interrupt is not masked between transfers of one transaction.
+There is no need to call bus recovery or controller reinitialization if
+that happens so it's skipped.
+
+Signed-off-by: Krzysztof Adamski <krzysztof.adamski@nokia.com>
+Reviewed-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-axxia.c | 40 ++++++++++++++++++++++++----------
+ 1 file changed, 29 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-axxia.c b/drivers/i2c/busses/i2c-axxia.c
+index 4351a9343058..96a6d5df9b26 100644
+--- a/drivers/i2c/busses/i2c-axxia.c
++++ b/drivers/i2c/busses/i2c-axxia.c
+@@ -74,8 +74,7 @@
+ MST_STATUS_ND)
+ #define MST_STATUS_ERR (MST_STATUS_NAK | \
+ MST_STATUS_AL | \
+- MST_STATUS_IP | \
+- MST_STATUS_TSS)
++ MST_STATUS_IP)
+ #define MST_TX_BYTES_XFRD 0x50
+ #define MST_RX_BYTES_XFRD 0x54
+ #define SCL_HIGH_PERIOD 0x80
+@@ -241,7 +240,7 @@ static int axxia_i2c_empty_rx_fifo(struct axxia_i2c_dev *idev)
+ */
+ if (c <= 0 || c > I2C_SMBUS_BLOCK_MAX) {
+ idev->msg_err = -EPROTO;
+- i2c_int_disable(idev, ~0);
++ i2c_int_disable(idev, ~MST_STATUS_TSS);
+ complete(&idev->msg_complete);
+ break;
+ }
+@@ -299,14 +298,19 @@ static irqreturn_t axxia_i2c_isr(int irq, void *_dev)
+
+ if (status & MST_STATUS_SCC) {
+ /* Stop completed */
+- i2c_int_disable(idev, ~0);
++ i2c_int_disable(idev, ~MST_STATUS_TSS);
+ complete(&idev->msg_complete);
+ } else if (status & MST_STATUS_SNS) {
+ /* Transfer done */
+- i2c_int_disable(idev, ~0);
++ i2c_int_disable(idev, ~MST_STATUS_TSS);
+ if (i2c_m_rd(idev->msg) && idev->msg_xfrd < idev->msg->len)
+ axxia_i2c_empty_rx_fifo(idev);
+ complete(&idev->msg_complete);
++ } else if (status & MST_STATUS_TSS) {
++ /* Transfer timeout */
++ idev->msg_err = -ETIMEDOUT;
++ i2c_int_disable(idev, ~MST_STATUS_TSS);
++ complete(&idev->msg_complete);
+ } else if (unlikely(status & MST_STATUS_ERR)) {
+ /* Transfer error */
+ i2c_int_disable(idev, ~0);
+@@ -339,10 +343,10 @@ static int axxia_i2c_xfer_msg(struct axxia_i2c_dev *idev, struct i2c_msg *msg)
+ u32 rx_xfer, tx_xfer;
+ u32 addr_1, addr_2;
+ unsigned long time_left;
++ unsigned int wt_value;
+
+ idev->msg = msg;
+ idev->msg_xfrd = 0;
+- idev->msg_err = 0;
+ reinit_completion(&idev->msg_complete);
+
+ if (i2c_m_ten(msg)) {
+@@ -382,9 +386,18 @@ static int axxia_i2c_xfer_msg(struct axxia_i2c_dev *idev, struct i2c_msg *msg)
+ else if (axxia_i2c_fill_tx_fifo(idev) != 0)
+ int_mask |= MST_STATUS_TFL;
+
++ wt_value = WT_VALUE(readl(idev->base + WAIT_TIMER_CONTROL));
++ /* Disable wait timer temporarly */
++ writel(wt_value, idev->base + WAIT_TIMER_CONTROL);
++ /* Check if timeout error happened */
++ if (idev->msg_err)
++ goto out;
++
+ /* Start manual mode */
+ writel(CMD_MANUAL, idev->base + MST_COMMAND);
+
++ writel(WT_EN | wt_value, idev->base + WAIT_TIMER_CONTROL);
++
+ i2c_int_enable(idev, int_mask);
+
+ time_left = wait_for_completion_timeout(&idev->msg_complete,
+@@ -395,13 +408,15 @@ static int axxia_i2c_xfer_msg(struct axxia_i2c_dev *idev, struct i2c_msg *msg)
+ if (readl(idev->base + MST_COMMAND) & CMD_BUSY)
+ dev_warn(idev->dev, "busy after xfer\n");
+
+- if (time_left == 0)
++ if (time_left == 0) {
+ idev->msg_err = -ETIMEDOUT;
+-
+- if (idev->msg_err == -ETIMEDOUT)
+ i2c_recover_bus(&idev->adapter);
++ axxia_i2c_init(idev);
++ }
+
+- if (unlikely(idev->msg_err) && idev->msg_err != -ENXIO)
++out:
++ if (unlikely(idev->msg_err) && idev->msg_err != -ENXIO &&
++ idev->msg_err != -ETIMEDOUT)
+ axxia_i2c_init(idev);
+
+ return idev->msg_err;
+@@ -409,7 +424,7 @@ static int axxia_i2c_xfer_msg(struct axxia_i2c_dev *idev, struct i2c_msg *msg)
+
+ static int axxia_i2c_stop(struct axxia_i2c_dev *idev)
+ {
+- u32 int_mask = MST_STATUS_ERR | MST_STATUS_SCC;
++ u32 int_mask = MST_STATUS_ERR | MST_STATUS_SCC | MST_STATUS_TSS;
+ unsigned long time_left;
+
+ reinit_completion(&idev->msg_complete);
+@@ -436,6 +451,9 @@ axxia_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], int num)
+ int i;
+ int ret = 0;
+
++ idev->msg_err = 0;
++ i2c_int_enable(idev, MST_STATUS_TSS);
++
+ for (i = 0; ret == 0 && i < num; ++i)
+ ret = axxia_i2c_xfer_msg(idev, &msgs[i]);
+
+--
+2.19.1
+
--- /dev/null
+From f78a47b7ec87de0976022f07158d3de23476e179 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 21 Nov 2018 10:19:55 +0100
+Subject: i2c: scmi: Fix probe error on devices with an empty SMB0001 ACPI
+ device node
+
+[ Upstream commit 0544ee4b1ad574aec3b6379af5f5cdee42840971 ]
+
+Some AMD based HP laptops have a SMB0001 ACPI device node which does not
+define any methods.
+
+This leads to the following error in dmesg:
+
+[ 5.222731] cmi: probe of SMB0001:00 failed with error -5
+
+This commit makes acpi_smbus_cmi_add() return -ENODEV instead in this case
+silencing the error. In case of a failure of the i2c_add_adapter() call
+this commit now propagates the error from that call instead of -EIO.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-scmi.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-scmi.c b/drivers/i2c/busses/i2c-scmi.c
+index efefcfa24a4c..d2178f701b41 100644
+--- a/drivers/i2c/busses/i2c-scmi.c
++++ b/drivers/i2c/busses/i2c-scmi.c
+@@ -364,6 +364,7 @@ static int acpi_smbus_cmi_add(struct acpi_device *device)
+ {
+ struct acpi_smbus_cmi *smbus_cmi;
+ const struct acpi_device_id *id;
++ int ret;
+
+ smbus_cmi = kzalloc(sizeof(struct acpi_smbus_cmi), GFP_KERNEL);
+ if (!smbus_cmi)
+@@ -385,8 +386,10 @@ static int acpi_smbus_cmi_add(struct acpi_device *device)
+ acpi_walk_namespace(ACPI_TYPE_METHOD, smbus_cmi->handle, 1,
+ acpi_smbus_cmi_query_methods, NULL, smbus_cmi, NULL);
+
+- if (smbus_cmi->cap_info == 0)
++ if (smbus_cmi->cap_info == 0) {
++ ret = -ENODEV;
+ goto err;
++ }
+
+ snprintf(smbus_cmi->adapter.name, sizeof(smbus_cmi->adapter.name),
+ "SMBus CMI adapter %s",
+@@ -397,7 +400,8 @@ static int acpi_smbus_cmi_add(struct acpi_device *device)
+ smbus_cmi->adapter.class = I2C_CLASS_HWMON | I2C_CLASS_SPD;
+ smbus_cmi->adapter.dev.parent = &device->dev;
+
+- if (i2c_add_adapter(&smbus_cmi->adapter)) {
++ ret = i2c_add_adapter(&smbus_cmi->adapter);
++ if (ret) {
+ dev_err(&device->dev, "Couldn't register adapter!\n");
+ goto err;
+ }
+@@ -407,7 +411,7 @@ static int acpi_smbus_cmi_add(struct acpi_device *device)
+ err:
+ kfree(smbus_cmi);
+ device->driver_data = NULL;
+- return -EIO;
++ return ret;
+ }
+
+ static int acpi_smbus_cmi_remove(struct acpi_device *device)
+--
+2.19.1
+
--- /dev/null
+From c59dff9fe9b5e516a44b9c6bcf7c8b358f464b81 Mon Sep 17 00:00:00 2001
+From: Yangtao Li <tiny.windzz@gmail.com>
+Date: Tue, 20 Nov 2018 08:02:49 -0500
+Subject: ide: pmac: add of_node_put()
+
+[ Upstream commit a51921c0db3fd26c4ed83dc0ec5d32988fa02aa5 ]
+
+use of_node_put() to release the refcount.
+
+Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ide/pmac.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/ide/pmac.c b/drivers/ide/pmac.c
+index 0c5d3a99468e..b20025a5a8d9 100644
+--- a/drivers/ide/pmac.c
++++ b/drivers/ide/pmac.c
+@@ -920,6 +920,7 @@ static u8 pmac_ide_cable_detect(ide_hwif_t *hwif)
+ struct device_node *root = of_find_node_by_path("/");
+ const char *model = of_get_property(root, "model", NULL);
+
++ of_node_put(root);
+ /* Get cable type from device-tree. */
+ if (cable && !strncmp(cable, "80-", 3)) {
+ /* Some drives fail to detect 80c cable in PowerBook */
+--
+2.19.1
+
--- /dev/null
+From 3116610f6ddc92384e279b8d4ff5feea93117d7e Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Mon, 3 Dec 2018 11:24:30 -0800
+Subject: Input: omap-keypad - fix keyboard debounce configuration
+
+[ Upstream commit 6c3516fed7b61a3527459ccfa67fab130d910610 ]
+
+I noticed that the Android v3.0.8 kernel on droid4 is using different
+keypad values from the mainline kernel and does not have issues with
+keys occasionally being stuck until pressed again. Turns out there was
+an earlier patch posted to fix this as "Input: omap-keypad: errata i689:
+Correct debounce time", but it was never reposted to fix use macros
+for timing calculations.
+
+This updated version is using macros, and also fixes the use of the
+input clock rate to use 32768KiHz instead of 32000KiHz. And we want to
+use the known good Android kernel values of 3 and 6 instead of 2 and 6
+in the earlier patch.
+
+Reported-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/omap4-keypad.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/input/keyboard/omap4-keypad.c b/drivers/input/keyboard/omap4-keypad.c
+index 6639b2b8528a..f78c464899db 100644
+--- a/drivers/input/keyboard/omap4-keypad.c
++++ b/drivers/input/keyboard/omap4-keypad.c
+@@ -60,8 +60,18 @@
+
+ /* OMAP4 values */
+ #define OMAP4_VAL_IRQDISABLE 0x0
+-#define OMAP4_VAL_DEBOUNCINGTIME 0x7
+-#define OMAP4_VAL_PVT 0x7
++
++/*
++ * Errata i689: If a key is released for a time shorter than debounce time,
++ * the keyboard will idle and never detect the key release. The workaround
++ * is to use at least a 12ms debounce time. See omap5432 TRM chapter
++ * "26.4.6.2 Keyboard Controller Timer" for more information.
++ */
++#define OMAP4_KEYPAD_PTV_DIV_128 0x6
++#define OMAP4_KEYPAD_DEBOUNCINGTIME_MS(dbms, ptv) \
++ ((((dbms) * 1000) / ((1 << ((ptv) + 1)) * (1000000 / 32768))) - 1)
++#define OMAP4_VAL_DEBOUNCINGTIME_16MS \
++ OMAP4_KEYPAD_DEBOUNCINGTIME_MS(16, OMAP4_KEYPAD_PTV_DIV_128)
+
+ enum {
+ KBD_REVISION_OMAP4 = 0,
+@@ -181,9 +191,9 @@ static int omap4_keypad_open(struct input_dev *input)
+
+ kbd_writel(keypad_data, OMAP4_KBD_CTRL,
+ OMAP4_DEF_CTRL_NOSOFTMODE |
+- (OMAP4_VAL_PVT << OMAP4_DEF_CTRL_PTV_SHIFT));
++ (OMAP4_KEYPAD_PTV_DIV_128 << OMAP4_DEF_CTRL_PTV_SHIFT));
+ kbd_writel(keypad_data, OMAP4_KBD_DEBOUNCINGTIME,
+- OMAP4_VAL_DEBOUNCINGTIME);
++ OMAP4_VAL_DEBOUNCINGTIME_16MS);
+ /* clear pending interrupts */
+ kbd_write_irqreg(keypad_data, OMAP4_KBD_IRQSTATUS,
+ kbd_read_irqreg(keypad_data, OMAP4_KBD_IRQSTATUS));
+--
+2.19.1
+
--- /dev/null
+From 0b9313ac2102e3ff7687a4aa12217960b99448da Mon Sep 17 00:00:00 2001
+From: Juha-Matti Tilli <juha-matti.tilli@iki.fi>
+Date: Sun, 2 Dec 2018 12:47:08 +0200
+Subject: libata: whitelist all SAMSUNG MZ7KM* solid-state disks
+
+[ Upstream commit fd6f32f78645db32b6b95a42e45da2ddd6de0e67 ]
+
+These devices support read zero after trim (RZAT), as they advertise to
+the OS. However, the OS doesn't believe the SSDs unless they are
+explicitly whitelisted.
+
+Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Juha-Matti Tilli <juha-matti.tilli@iki.fi>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index a166359ad5d4..35be49f5791d 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4476,6 +4476,7 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
+ { "SSD*INTEL*", NULL, ATA_HORKAGE_ZERO_AFTER_TRIM, },
+ { "Samsung*SSD*", NULL, ATA_HORKAGE_ZERO_AFTER_TRIM, },
+ { "SAMSUNG*SSD*", NULL, ATA_HORKAGE_ZERO_AFTER_TRIM, },
++ { "SAMSUNG*MZ7KM*", NULL, ATA_HORKAGE_ZERO_AFTER_TRIM, },
+ { "ST[1248][0248]0[FH]*", NULL, ATA_HORKAGE_ZERO_AFTER_TRIM, },
+
+ /*
+--
+2.19.1
+
--- /dev/null
+From fcc9693d043b79b0130addbeada18c7f2096872d Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Fri, 5 Oct 2018 23:22:06 +0300
+Subject: mac80211_hwsim: fix module init error paths for netlink
+
+[ Upstream commit 05cc09de4c017663a217630682041066f2f9a5cd ]
+
+There is no unregister netlink notifier and family on error paths
+in init_mac80211_hwsim(). Also there is an error path where
+hwsim_class is not destroyed.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Fixes: 62759361eb49 ("mac80211-hwsim: Provide multicast event for HWSIM_CMD_NEW_RADIO")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index 0852a1aad075..780acf23fd19 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -3403,16 +3403,16 @@ static int __init init_mac80211_hwsim(void)
+ if (err)
+ goto out_unregister_pernet;
+
++ err = hwsim_init_netlink();
++ if (err)
++ goto out_unregister_driver;
++
+ hwsim_class = class_create(THIS_MODULE, "mac80211_hwsim");
+ if (IS_ERR(hwsim_class)) {
+ err = PTR_ERR(hwsim_class);
+- goto out_unregister_driver;
++ goto out_exit_netlink;
+ }
+
+- err = hwsim_init_netlink();
+- if (err < 0)
+- goto out_unregister_driver;
+-
+ for (i = 0; i < radios; i++) {
+ struct hwsim_new_radio_params param = { 0 };
+
+@@ -3518,6 +3518,8 @@ out_free_mon:
+ free_netdev(hwsim_mon);
+ out_free_radios:
+ mac80211_hwsim_free();
++out_exit_netlink:
++ hwsim_exit_netlink();
+ out_unregister_driver:
+ platform_driver_unregister(&mac80211_hwsim_driver);
+ out_unregister_pernet:
+--
+2.19.1
+
--- /dev/null
+From 437f0fe53b539fa865b9081321d0acd1e8ab16ff Mon Sep 17 00:00:00 2001
+From: Anderson Luiz Alves <alacn1@gmail.com>
+Date: Fri, 30 Nov 2018 21:58:36 -0200
+Subject: mv88e6060: disable hardware level MAC learning
+
+[ Upstream commit a74515604a7b171f2702bdcbd1e231225fb456d0 ]
+
+Disable hardware level MAC learning because it breaks station roaming.
+When enabled it drops all frames that arrive from a MAC address
+that is on a different port at learning table.
+
+Signed-off-by: Anderson Luiz Alves <alacn1@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6060.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/dsa/mv88e6060.c b/drivers/net/dsa/mv88e6060.c
+index 7ce36dbd9b62..a3607d083332 100644
+--- a/drivers/net/dsa/mv88e6060.c
++++ b/drivers/net/dsa/mv88e6060.c
+@@ -114,8 +114,7 @@ static int mv88e6060_switch_reset(struct dsa_switch *ds)
+ /* Reset the switch. */
+ REG_WRITE(REG_GLOBAL, GLOBAL_ATU_CONTROL,
+ GLOBAL_ATU_CONTROL_SWRESET |
+- GLOBAL_ATU_CONTROL_ATUSIZE_1024 |
+- GLOBAL_ATU_CONTROL_ATE_AGE_5MIN);
++ GLOBAL_ATU_CONTROL_LEARNDIS);
+
+ /* Wait up to one second for reset to complete. */
+ timeout = jiffies + 1 * HZ;
+@@ -140,13 +139,10 @@ static int mv88e6060_setup_global(struct dsa_switch *ds)
+ */
+ REG_WRITE(REG_GLOBAL, GLOBAL_CONTROL, GLOBAL_CONTROL_MAX_FRAME_1536);
+
+- /* Enable automatic address learning, set the address
+- * database size to 1024 entries, and set the default aging
+- * time to 5 minutes.
++ /* Disable automatic address learning.
+ */
+ REG_WRITE(REG_GLOBAL, GLOBAL_ATU_CONTROL,
+- GLOBAL_ATU_CONTROL_ATUSIZE_1024 |
+- GLOBAL_ATU_CONTROL_ATE_AGE_5MIN);
++ GLOBAL_ATU_CONTROL_LEARNDIS);
+
+ return 0;
+ }
+--
+2.19.1
+
--- /dev/null
+From 65f7b436461c4ddc2b8eeb3d1d2b15913935a034 Mon Sep 17 00:00:00 2001
+From: Saeed Mahameed <saeedm@mellanox.com>
+Date: Sun, 2 Dec 2018 14:34:37 +0200
+Subject: net/mlx4_en: Fix build break when CONFIG_INET is off
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 1b603f9e4313348608f256b564ed6e3d9e67f377 ]
+
+MLX4_EN depends on NETDEVICES, ETHERNET and INET Kconfigs.
+Make sure they are listed in MLX4_EN Kconfig dependencies.
+
+This fixes the following build break:
+
+drivers/net/ethernet/mellanox/mlx4/en_rx.c:582:18: warning: ‘struct iphdr’ declared inside parameter list [enabled by default]
+struct iphdr *iph)
+^
+drivers/net/ethernet/mellanox/mlx4/en_rx.c:582:18: warning: its scope is only this definition or declaration, which is probably not what you want [enabled by default]
+drivers/net/ethernet/mellanox/mlx4/en_rx.c: In function ‘get_fixed_ipv4_csum’:
+drivers/net/ethernet/mellanox/mlx4/en_rx.c:586:20: error: dereferencing pointer to incomplete type
+_u8 ipproto = iph->protocol;
+
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/Kconfig b/drivers/net/ethernet/mellanox/mlx4/Kconfig
+index 5098e7f21987..a0eb4e4bc525 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/Kconfig
++++ b/drivers/net/ethernet/mellanox/mlx4/Kconfig
+@@ -5,7 +5,7 @@
+ config MLX4_EN
+ tristate "Mellanox Technologies 1/10/40Gbit Ethernet support"
+ depends on MAY_USE_DEVLINK
+- depends on PCI
++ depends on PCI && NETDEVICES && ETHERNET && INET
+ select MLX4_CORE
+ select PTP_1588_CLOCK
+ ---help---
+--
+2.19.1
+
--- /dev/null
+From e08b42d036c7500c1bd21e2d53db1cba5d6e1302 Mon Sep 17 00:00:00 2001
+From: Dave Kleikamp <dave.kleikamp@oracle.com>
+Date: Tue, 27 Nov 2018 19:31:30 +0000
+Subject: nfs: don't dirty kernel pages read by direct-io
+
+[ Upstream commit ad3cba223ac02dc769c3bbe88efe277bbb457566 ]
+
+When we use direct_IO with an NFS backing store, we can trigger a
+WARNING in __set_page_dirty(), as below, since we're dirtying the page
+unnecessarily in nfs_direct_read_completion().
+
+To fix, replicate the logic in commit 53cbf3b157a0 ("fs: direct-io:
+don't dirtying pages for ITER_BVEC/ITER_KVEC direct read").
+
+Other filesystems that implement direct_IO handle this; most use
+blockdev_direct_IO(). ceph and cifs have similar logic.
+
+mount 127.0.0.1:/export /nfs
+dd if=/dev/zero of=/nfs/image bs=1M count=200
+losetup --direct-io=on -f /nfs/image
+mkfs.btrfs /dev/loop0
+mount -t btrfs /dev/loop0 /mnt/
+
+kernel: WARNING: CPU: 0 PID: 8067 at fs/buffer.c:580 __set_page_dirty+0xaf/0xd0
+kernel: Modules linked in: loop(E) nfsv3(E) rpcsec_gss_krb5(E) nfsv4(E) dns_resolver(E) nfs(E) fscache(E) nfsd(E) auth_rpcgss(E) nfs_acl(E) lockd(E) grace(E) fuse(E) tun(E) ip6t_rpfilter(E) ipt_REJECT(E) nf_
+kernel: snd_seq(E) snd_seq_device(E) snd_pcm(E) video(E) snd_timer(E) snd(E) soundcore(E) ip_tables(E) xfs(E) libcrc32c(E) sd_mod(E) sr_mod(E) cdrom(E) ata_generic(E) pata_acpi(E) crc32c_intel(E) ahci(E) li
+kernel: CPU: 0 PID: 8067 Comm: kworker/0:2 Tainted: G E 4.20.0-rc1.master.20181111.ol7.x86_64 #1
+kernel: Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+kernel: Workqueue: nfsiod rpc_async_release [sunrpc]
+kernel: RIP: 0010:__set_page_dirty+0xaf/0xd0
+kernel: Code: c3 48 8b 02 f6 c4 04 74 d4 48 89 df e8 ba 05 f7 ff 48 89 c6 eb cb 48 8b 43 08 a8 01 75 1f 48 89 d8 48 8b 00 a8 04 74 02 eb 87 <0f> 0b eb 83 48 83 e8 01 eb 9f 48 83 ea 01 0f 1f 00 eb 8b 48 83 e8
+kernel: RSP: 0000:ffffc1c8825b7d78 EFLAGS: 00013046
+kernel: RAX: 000fffffc0020089 RBX: fffff2b603308b80 RCX: 0000000000000001
+kernel: RDX: 0000000000000001 RSI: ffff9d11478115c8 RDI: ffff9d11478115d0
+kernel: RBP: ffffc1c8825b7da0 R08: 0000646f6973666e R09: 8080808080808080
+kernel: R10: 0000000000000001 R11: 0000000000000000 R12: ffff9d11478115d0
+kernel: R13: ffff9d11478115c8 R14: 0000000000003246 R15: 0000000000000001
+kernel: FS: 0000000000000000(0000) GS:ffff9d115ba00000(0000) knlGS:0000000000000000
+kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+kernel: CR2: 00007f408686f640 CR3: 0000000104d8e004 CR4: 00000000000606f0
+kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+kernel: Call Trace:
+kernel: __set_page_dirty_buffers+0xb6/0x110
+kernel: set_page_dirty+0x52/0xb0
+kernel: nfs_direct_read_completion+0xc4/0x120 [nfs]
+kernel: nfs_pgio_release+0x10/0x20 [nfs]
+kernel: rpc_free_task+0x30/0x70 [sunrpc]
+kernel: rpc_async_release+0x12/0x20 [sunrpc]
+kernel: process_one_work+0x174/0x390
+kernel: worker_thread+0x4f/0x3e0
+kernel: kthread+0x102/0x140
+kernel: ? drain_workqueue+0x130/0x130
+kernel: ? kthread_stop+0x110/0x110
+kernel: ret_from_fork+0x35/0x40
+kernel: ---[ end trace 01341980905412c9 ]---
+
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+
+[forward-ported to v4.20]
+Signed-off-by: Calum Mackay <calum.mackay@oracle.com>
+Reviewed-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/direct.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c
+index 1ab91124a93e..53f0012ace42 100644
+--- a/fs/nfs/direct.c
++++ b/fs/nfs/direct.c
+@@ -98,8 +98,11 @@ struct nfs_direct_req {
+ struct pnfs_ds_commit_info ds_cinfo; /* Storage for cinfo */
+ struct work_struct work;
+ int flags;
++ /* for write */
+ #define NFS_ODIRECT_DO_COMMIT (1) /* an unstable reply was received */
+ #define NFS_ODIRECT_RESCHED_WRITES (2) /* write verification failed */
++ /* for read */
++#define NFS_ODIRECT_SHOULD_DIRTY (3) /* dirty user-space page after read */
+ struct nfs_writeverf verf; /* unstable write verifier */
+ };
+
+@@ -422,7 +425,8 @@ static void nfs_direct_read_completion(struct nfs_pgio_header *hdr)
+ struct nfs_page *req = nfs_list_entry(hdr->pages.next);
+ struct page *page = req->wb_page;
+
+- if (!PageCompound(page) && bytes < hdr->good_bytes)
++ if (!PageCompound(page) && bytes < hdr->good_bytes &&
++ (dreq->flags == NFS_ODIRECT_SHOULD_DIRTY))
+ set_page_dirty(page);
+ bytes += req->wb_bytes;
+ nfs_list_remove_request(req);
+@@ -597,6 +601,9 @@ ssize_t nfs_file_direct_read(struct kiocb *iocb, struct iov_iter *iter)
+ if (!is_sync_kiocb(iocb))
+ dreq->iocb = iocb;
+
++ if (iter_is_iovec(iter))
++ dreq->flags = NFS_ODIRECT_SHOULD_DIRTY;
++
+ nfs_start_io_direct(inode);
+
+ NFS_I(inode)->read_io += count;
+--
+2.19.1
+
--- /dev/null
+From aea1dc9f1599a7fc655a6467d98648cec274879d Mon Sep 17 00:00:00 2001
+From: Israel Rukshin <israelr@mellanox.com>
+Date: Wed, 5 Dec 2018 16:54:57 +0000
+Subject: nvmet-rdma: fix response use after free
+
+[ Upstream commit d7dcdf9d4e15189ecfda24cc87339a3425448d5c ]
+
+nvmet_rdma_release_rsp() may free the response before using it at error
+flow.
+
+Fixes: 8407879 ("nvmet-rdma: fix possible bogus dereference under heavy load")
+Signed-off-by: Israel Rukshin <israelr@mellanox.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/rdma.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c
+index 2dfd877974d7..486393fa4f3e 100644
+--- a/drivers/nvme/target/rdma.c
++++ b/drivers/nvme/target/rdma.c
+@@ -524,6 +524,7 @@ static void nvmet_rdma_send_done(struct ib_cq *cq, struct ib_wc *wc)
+ {
+ struct nvmet_rdma_rsp *rsp =
+ container_of(wc->wr_cqe, struct nvmet_rdma_rsp, send_cqe);
++ struct nvmet_rdma_queue *queue = cq->cq_context;
+
+ nvmet_rdma_release_rsp(rsp);
+
+@@ -531,7 +532,7 @@ static void nvmet_rdma_send_done(struct ib_cq *cq, struct ib_wc *wc)
+ wc->status != IB_WC_WR_FLUSH_ERR)) {
+ pr_err("SEND for CQE 0x%p failed with status %s (%d).\n",
+ wc->wr_cqe, ib_wc_status_msg(wc->status), wc->status);
+- nvmet_rdma_error_comp(rsp->queue);
++ nvmet_rdma_error_comp(queue);
+ }
+ }
+
+--
+2.19.1
+
--- /dev/null
+From 8995f93dcd7f91e9ccb0a870966a799d9301da3e Mon Sep 17 00:00:00 2001
+From: Yangtao Li <tiny.windzz@gmail.com>
+Date: Tue, 20 Nov 2018 08:30:40 -0500
+Subject: sbus: char: add of_node_put()
+
+[ Upstream commit 87d81a23e24f24ebe014891e8bdf3ff8785031e8 ]
+
+use of_node_put() to release the refcount.
+
+Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/sbus/char/display7seg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/sbus/char/display7seg.c b/drivers/sbus/char/display7seg.c
+index 33fbe8249fd5..044cffbc45e8 100644
+--- a/drivers/sbus/char/display7seg.c
++++ b/drivers/sbus/char/display7seg.c
+@@ -221,6 +221,7 @@ static int d7s_probe(struct platform_device *op)
+ dev_set_drvdata(&op->dev, p);
+ d7s_device = p;
+ err = 0;
++ of_node_put(opts);
+
+ out:
+ return err;
+--
+2.19.1
+
--- /dev/null
+From 84267f4fe40296659a8f379871b4a0490a3fa567 Mon Sep 17 00:00:00 2001
+From: Fred Herard <fred.herard@oracle.com>
+Date: Tue, 20 Nov 2018 20:22:45 -0500
+Subject: scsi: libiscsi: Fix NULL pointer dereference in
+ iscsi_eh_session_reset
+
+[ Upstream commit 5db6dd14b31397e8cccaaddab2ff44ebec1acf25 ]
+
+This commit addresses NULL pointer dereference in iscsi_eh_session_reset.
+Reference should not be made to session->leadconn when session->state is
+set to ISCSI_STATE_TERMINATE.
+
+Signed-off-by: Fred Herard <fred.herard@oracle.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libiscsi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
+index cc8f2a7c2463..c79743de48f9 100644
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -2414,8 +2414,8 @@ int iscsi_eh_session_reset(struct scsi_cmnd *sc)
+ failed:
+ ISCSI_DBG_EH(session,
+ "failing session reset: Could not log back into "
+- "%s, %s [age %d]\n", session->targetname,
+- conn->persistent_address, session->age);
++ "%s [age %d]\n", session->targetname,
++ session->age);
+ spin_unlock_bh(&session->frwd_lock);
+ mutex_unlock(&session->eh_mutex);
+ return FAILED;
+--
+2.19.1
+
--- /dev/null
+From 46748d03a317f859e5cad3e71a35484693aec319 Mon Sep 17 00:00:00 2001
+From: Cathy Avery <cavery@redhat.com>
+Date: Tue, 27 Nov 2018 14:28:53 -0500
+Subject: scsi: vmw_pscsi: Rearrange code to avoid multiple calls to free_irq
+ during unload
+
+[ Upstream commit 02f425f811cefcc4d325d7a72272651e622dc97e ]
+
+Currently pvscsi_remove calls free_irq more than once as
+pvscsi_release_resources and __pvscsi_shutdown both call
+pvscsi_shutdown_intr. This results in a 'Trying to free already-free IRQ'
+warning and stack trace. To solve the problem pvscsi_shutdown_intr has been
+moved out of pvscsi_release_resources.
+
+Signed-off-by: Cathy Avery <cavery@redhat.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/vmw_pvscsi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/vmw_pvscsi.c b/drivers/scsi/vmw_pvscsi.c
+index 874e9f085326..fcfbe2dcd025 100644
+--- a/drivers/scsi/vmw_pvscsi.c
++++ b/drivers/scsi/vmw_pvscsi.c
+@@ -1233,8 +1233,6 @@ static void pvscsi_shutdown_intr(struct pvscsi_adapter *adapter)
+
+ static void pvscsi_release_resources(struct pvscsi_adapter *adapter)
+ {
+- pvscsi_shutdown_intr(adapter);
+-
+ if (adapter->workqueue)
+ destroy_workqueue(adapter->workqueue);
+
+@@ -1563,6 +1561,7 @@ static int pvscsi_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ out_reset_adapter:
+ ll_adapter_reset(adapter);
+ out_release_resources:
++ pvscsi_shutdown_intr(adapter);
+ pvscsi_release_resources(adapter);
+ scsi_host_put(host);
+ out_disable_device:
+@@ -1571,6 +1570,7 @@ out_disable_device:
+ return error;
+
+ out_release_resources_and_disable:
++ pvscsi_shutdown_intr(adapter);
+ pvscsi_release_resources(adapter);
+ goto out_disable_device;
+ }
+--
+2.19.1
+
locking-qspinlock-x86-increase-_q_pending_loops-uppe.patch
locking-qspinlock-x86-provide-liveness-guarantee.patch
locking-qspinlock-fix-build-for-anonymous-union-in-o.patch
+mac80211_hwsim-fix-module-init-error-paths-for-netli.patch
+scsi-libiscsi-fix-null-pointer-dereference-in-iscsi_.patch
+scsi-vmw_pscsi-rearrange-code-to-avoid-multiple-call.patch
+x86-earlyprintk-efi-fix-infinite-loop-on-some-screen.patch
+drm-msm-grab-a-vblank-reference-when-waiting-for-com.patch
+arc-io.h-implement-reads-x-writes-x.patch
+bonding-fix-802.3ad-state-sent-to-partner-when-unbin.patch
+nfs-don-t-dirty-kernel-pages-read-by-direct-io.patch
+sunrpc-fix-a-potential-race-in-xprt_connect.patch
+sbus-char-add-of_node_put.patch
+drivers-sbus-char-add-of_node_put.patch
+drivers-tty-add-missing-of_node_put.patch
+ide-pmac-add-of_node_put.patch
+clk-mvebu-off-by-one-bugs-in-cp110_of_clk_get.patch
+clk-mmp-off-by-one-in-mmp_clk_add.patch
+input-omap-keypad-fix-keyboard-debounce-configuratio.patch
+libata-whitelist-all-samsung-mz7km-solid-state-disks.patch
+mv88e6060-disable-hardware-level-mac-learning.patch
+net-mlx4_en-fix-build-break-when-config_inet-is-off.patch
+bpf-check-pending-signals-while-verifying-programs.patch
+arm-8814-1-mm-improve-fix-arm-v7_dma_inv_range-unali.patch
+arm-8815-1-v7m-align-v7m_dma_inv_range-with-v7-count.patch
+ethernet-fman-fix-wrong-of_node_put-in-probe-functio.patch
+drm-ast-fix-connector-leak-during-driver-unload.patch
+cifs-in-kconfig-config_cifs_posix-needs-depends-on-l.patch
+vhost-vsock-fix-reset-orphans-race-with-close-timeou.patch
+i2c-axxia-properly-handle-master-timeout.patch
+i2c-scmi-fix-probe-error-on-devices-with-an-empty-sm.patch
+nvmet-rdma-fix-response-use-after-free.patch
--- /dev/null
+From c7093e5356d9bedf612ccc58ed5e3d0285ef2b58 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Sat, 1 Dec 2018 23:18:00 -0500
+Subject: SUNRPC: Fix a potential race in xprt_connect()
+
+[ Upstream commit 0a9a4304f3614e25d9de9b63502ca633c01c0d70 ]
+
+If an asynchronous connection attempt completes while another task is
+in xprt_connect(), then the call to rpc_sleep_on() could end up
+racing with the call to xprt_wake_pending_tasks().
+So add a second test of the connection state after we've put the
+task to sleep and set the XPRT_CONNECTING flag, when we know that there
+can be no asynchronous connection attempts still in progress.
+
+Fixes: 0b9e79431377d ("SUNRPC: Move the test for XPRT_CONNECTING into...")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/xprt.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
+index 685e6d225414..1a8df242d26a 100644
+--- a/net/sunrpc/xprt.c
++++ b/net/sunrpc/xprt.c
+@@ -778,8 +778,15 @@ void xprt_connect(struct rpc_task *task)
+ return;
+ if (xprt_test_and_set_connecting(xprt))
+ return;
+- xprt->stat.connect_start = jiffies;
+- xprt->ops->connect(xprt, task);
++ /* Race breaker */
++ if (!xprt_connected(xprt)) {
++ xprt->stat.connect_start = jiffies;
++ xprt->ops->connect(xprt, task);
++ } else {
++ xprt_clear_connecting(xprt);
++ task->tk_status = 0;
++ rpc_wake_up_queued_task(&xprt->pending, task);
++ }
+ }
+ xprt_release_write(xprt, task);
+ }
+--
+2.19.1
+
--- /dev/null
+From a2c638c3703a66753c9ce7b981d2ad474389dcfb Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Thu, 6 Dec 2018 19:14:34 +0000
+Subject: vhost/vsock: fix reset orphans race with close timeout
+
+[ Upstream commit c38f57da428b033f2721b611d84b1f40bde674a8 ]
+
+If a local process has closed a connected socket and hasn't received a
+RST packet yet, then the socket remains in the table until a timeout
+expires.
+
+When a vhost_vsock instance is released with the timeout still pending,
+the socket is never freed because vhost_vsock has already set the
+SOCK_DONE flag.
+
+Check if the close timer is pending and let it close the socket. This
+prevents the race which can leak sockets.
+
+Reported-by: Maximilian Riemensberger <riemensberger@cadami.net>
+Cc: Graham Whaley <graham.whaley@gmail.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vsock.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
+index f800f89068db..46f966d7c328 100644
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -559,13 +559,21 @@ static void vhost_vsock_reset_orphans(struct sock *sk)
+ * executing.
+ */
+
+- if (!vhost_vsock_get(vsk->remote_addr.svm_cid)) {
+- sock_set_flag(sk, SOCK_DONE);
+- vsk->peer_shutdown = SHUTDOWN_MASK;
+- sk->sk_state = SS_UNCONNECTED;
+- sk->sk_err = ECONNRESET;
+- sk->sk_error_report(sk);
+- }
++ /* If the peer is still valid, no need to reset connection */
++ if (vhost_vsock_get(vsk->remote_addr.svm_cid))
++ return;
++
++ /* If the close timeout is pending, let it expire. This avoids races
++ * with the timeout callback.
++ */
++ if (vsk->close_work_scheduled)
++ return;
++
++ sock_set_flag(sk, SOCK_DONE);
++ vsk->peer_shutdown = SHUTDOWN_MASK;
++ sk->sk_state = SS_UNCONNECTED;
++ sk->sk_err = ECONNRESET;
++ sk->sk_error_report(sk);
+ }
+
+ static int vhost_vsock_dev_release(struct inode *inode, struct file *file)
+--
+2.19.1
+
--- /dev/null
+From 0f2d257b194ff898ff758596bb13f8877cd9774b Mon Sep 17 00:00:00 2001
+From: YiFei Zhu <zhuyifei1999@gmail.com>
+Date: Thu, 29 Nov 2018 18:12:30 +0100
+Subject: x86/earlyprintk/efi: Fix infinite loop on some screen widths
+
+[ Upstream commit 79c2206d369b87b19ac29cb47601059b6bf5c291 ]
+
+An affected screen resolution is 1366 x 768, which width is not
+divisible by 8, the default font width. On such screens, when longer
+lines are earlyprintk'ed, overflow-to-next-line can never trigger,
+due to the left-most x-coordinate of the next character always less
+than the screen width. Earlyprintk will infinite loop in trying to
+print the rest of the string but unable to, due to the line being
+full.
+
+This patch makes the trigger consider the right-most x-coordinate,
+instead of left-most, as the value to compare against the screen
+width threshold.
+
+Signed-off-by: YiFei Zhu <zhuyifei1999@gmail.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Arend van Spriel <arend.vanspriel@broadcom.com>
+Cc: Bhupesh Sharma <bhsharma@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@intel.com>
+Cc: Eric Snowberg <eric.snowberg@oracle.com>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Cc: Joe Perches <joe@perches.com>
+Cc: Jon Hunter <jonathanh@nvidia.com>
+Cc: Julien Thierry <julien.thierry@arm.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Cc: Nathan Chancellor <natechancellor@gmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+Cc: Sedat Dilek <sedat.dilek@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/20181129171230.18699-12-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/platform/efi/early_printk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/platform/efi/early_printk.c b/arch/x86/platform/efi/early_printk.c
+index 5fdacb322ceb..c3e6be110b7d 100644
+--- a/arch/x86/platform/efi/early_printk.c
++++ b/arch/x86/platform/efi/early_printk.c
+@@ -179,7 +179,7 @@ early_efi_write(struct console *con, const char *str, unsigned int num)
+ num--;
+ }
+
+- if (efi_x >= si->lfb_width) {
++ if (efi_x + font->width > si->lfb_width) {
+ efi_x = 0;
+ efi_y += font->height;
+ }
+--
+2.19.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
