commit 96c00ece76be83d99dc7f66fd15e5641524791cf
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Dec 20 10:05:01 2017 +0100

    Linux 4.4.107

commit a815c0a370cf9bab9f209e11b954a63b419827ad
Author: Miaoqing Pan <miaoqing@codeaurora.org>
Date:   Wed Sep 27 09:13:34 2017 +0800

    ath9k: fix tx99 potential info leak
    
    
    [ Upstream commit ee0a47186e2fa9aa1c56cadcea470ca0ba8c8692 ]
    
    When the user sets count to zero the string buffer would remain
    completely uninitialized which causes the kernel to parse its
    own stack data, potentially leading to an info leak. In addition
    to that, the string might be not terminated properly when the
    user data does not contain a 0-terminator.
    
    Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
    Reviewed-by: Christoph Böhmwalder <christoph@boehmwalder.at>
    Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 26c66554d7bf86ca332200e77c3279c9a220bf27
Author: Alex Vesker <valex@mellanox.com>
Date:   Tue Oct 10 10:36:41 2017 +0300

    IB/ipoib: Grab rtnl lock on heavy flush when calling ndo_open/stop
    
    
    [ Upstream commit b4b678b06f6eef18bff44a338c01870234db0bc9 ]
    
    When ndo_open and ndo_stop are called RTNL lock should be held.
    In this specific case ipoib_ib_dev_open calls the offloaded ndo_open
    which re-sets the number of TX queue assuming RTNL lock is held.
    Since RTNL lock is not held, RTNL assert will fail.
    
    Signed-off-by: Alex Vesker <valex@mellanox.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 112814db6ec47d62943945754cf54fe5067d1a8f
Author: Bart Van Assche <bart.vanassche@wdc.com>
Date:   Wed Oct 11 10:48:45 2017 -0700

    RDMA/cma: Avoid triggering undefined behavior
    
    
    [ Upstream commit c0b64f58e8d49570aa9ee55d880f92c20ff0166b ]
    
    According to the C standard the behavior of computations with
    integer operands is as follows:
    * A computation involving unsigned operands can never overflow,
      because a result that cannot be represented by the resulting
      unsigned integer type is reduced modulo the number that is one
      greater than the largest value that can be represented by the
      resulting type.
    * The behavior for signed integer underflow and overflow is
      undefined.
    
    Hence only use unsigned integers when checking for integer
    overflow.
    
    This patch is what I came up with after having analyzed the
    following smatch warnings:
    
    drivers/infiniband/core/cma.c:3448: cma_resolve_ib_udp() warn: signed overflow undefined. 'offset + conn_param->private_data_len < conn_param->private_data_len'
    drivers/infiniband/core/cma.c:3505: cma_connect_ib() warn: signed overflow undefined. 'offset + conn_param->private_data_len < conn_param->private_data_len'
    
    Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
    Acked-by: Sean Hefty <sean.hefty@intel.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4bbb49138f4ac262389754e0e0fad4b1d809a570
Author: Alexander Duyck <alexander.h.duyck@intel.com>
Date:   Fri Oct 13 13:40:24 2017 -0700

    macvlan: Only deliver one copy of the frame to the macvlan interface
    
    
    [ Upstream commit dd6b9c2c332b40f142740d1b11fb77c653ff98ea ]
    
    This patch intoduces a slight adjustment for macvlan to address the fact
    that in source mode I was seeing two copies of any packet addressed to the
    macvlan interface being delivered where there should have been only one.
    
    The issue appears to be that one copy was delivered based on the source MAC
    address and then the second copy was being delivered based on the
    destination MAC address. To fix it I am just treating a unicast address
    match as though it is not a match since source based macvlan isn't supposed
    to be matching based on the destination MAC anyway.
    
    Fixes: 79cf79abce71 ("macvlan: add source mode")
    Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b8d510ff71651f2058e947c8004cdcb809c15d61
Author: Jan Kara <jack@suse.cz>
Date:   Mon Oct 16 11:38:11 2017 +0200

    udf: Avoid overflow when session starts at large offset
    
    
    [ Upstream commit abdc0eb06964fe1d2fea6dd1391b734d0590365d ]
    
    When session starts beyond offset 2^31 the arithmetics in
    udf_check_vsd() would overflow. Make sure the computation is done in
    large enough type.
    
    Reported-by: Cezary Sliwa <sliwa@ifpan.edu.pl>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a114af87c0ba390b0146411f89a2a953ffe3c31f
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Oct 4 10:50:37 2017 +0300

    scsi: bfa: integer overflow in debugfs
    
    
    [ Upstream commit 3e351275655d3c84dc28abf170def9786db5176d ]
    
    We could allocate less memory than intended because we do:
    
            bfad->regdata = kzalloc(len << 2, GFP_KERNEL);
    
    The shift can overflow leading to a crash.  This is debugfs code so the
    impact is very small.  I fixed the network version of this in March with
    commit 13e2d5187f6b ("bna: integer overflow bug in debugfs").
    
    Fixes: ab2a9ba189e8 ("[SCSI] bfa: add debugfs support")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 798f085014243bf3239130889f69bb18a71e5a3e
Author: weiping zhang <zhangweiping@didichuxing.com>
Date:   Thu Oct 12 14:56:44 2017 +0800

    scsi: sd: change allow_restart to bool in sysfs interface
    
    
    [ Upstream commit 658e9a6dc1126f21fa417cd213e1cdbff8be0ba2 ]
    
    /sys/class/scsi_disk/0:2:0:0/allow_restart can be changed to 0
    unexpectedly by writing an invalid string such as the following:
    
    echo asdf > /sys/class/scsi_disk/0:2:0:0/allow_restart
    
    Signed-off-by: weiping zhang <zhangweiping@didichuxing.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c387c02d604d8ff4d422968e5348bb245e443b9e
Author: weiping zhang <zhangweiping@didichuxing.com>
Date:   Thu Oct 12 14:57:06 2017 +0800

    scsi: sd: change manage_start_stop to bool in sysfs interface
    
    
    [ Upstream commit 623401ee33e42cee64d333877892be8db02951eb ]
    
    /sys/class/scsi_disk/0:2:0:0/manage_start_stop can be changed to 0
    unexpectly by writing an invalid string.
    
    Signed-off-by: weiping zhang <zhangweiping@didichuxing.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2e03af22f65c67c1b0dcb0f98eee9061fe3bc0da
Author: Jia-Ju Bai <baijiaju1990@163.com>
Date:   Mon Oct 9 16:45:55 2017 +0800

    vt6655: Fix a possible sleep-in-atomic bug in vt6655_suspend
    
    
    [ Upstream commit 42c8eb3f6e15367981b274cb79ee4657e2c6949d ]
    
    The driver may sleep under a spinlock, and the function call path is:
    vt6655_suspend (acquire the spinlock)
      pci_set_power_state
        __pci_start_power_transition (drivers/pci/pci.c)
          msleep --> may sleep
    
    To fix it, pci_set_power_state is called without having a spinlock.
    
    This bug is found by my static analysis tool and my code review.
    
    Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 930fb06d16171744f3ec3ca23cb3618f27bfd01b
Author: Kurt Garloff <garloff@suse.de>
Date:   Tue Oct 17 09:10:45 2017 +0200

    scsi: scsi_devinfo: Add REPORTLUN2 to EMC SYMMETRIX blacklist entry
    
    
    [ Upstream commit 909cf3e16a5274fe2127cf3cea5c8dba77b2c412 ]
    
    All EMC SYMMETRIX support REPORT_LUNS, even if configured to report
    SCSI-2 for whatever reason.
    
    Signed-off-by: Kurt Garloff <garloff@suse.de>
    Signed-off-by: Hannes Reinecke <hare@suse.de>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 24bc48af0aee2e144655b3b1d36a96def03480d0
Author: NeilBrown <neilb@suse.com>
Date:   Tue Oct 17 16:18:36 2017 +1100

    raid5: Set R5_Expanded on parity devices as well as data.
    
    
    [ Upstream commit 235b6003fb28f0dd8e7ed8fbdb088bb548291766 ]
    
    When reshaping a fully degraded raid5/raid6 to a larger
    nubmer of devices, the new device(s) are not in-sync
    and so that can make the newly grown stripe appear to be
    "failed".
    To avoid this, we set the R5_Expanded flag to say "Even though
    this device is not fully in-sync, this block is safe so
    don't treat the device as failed for this stripe".
    This flag is set for data devices, not not for parity devices.
    
    Consequently, if you have a RAID6 with two devices that are partly
    recovered and a spare, and start a reshape to include the spare,
    then when the reshape gets past the point where the recovery was
    up to, it will think the stripes are failed and will get into
    an infinite loop, failing to make progress.
    
    So when contructing parity on an EXPAND_READY stripe,
    set R5_Expanded.
    
    Reported-by: Curt <lightspd@gmail.com>
    Signed-off-by: NeilBrown <neilb@suse.com>
    Signed-off-by: Shaohua Li <shli@fb.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 09379498aff08a64e1b7f366145e7e26209501dc
Author: Linus Walleij <linus.walleij@linaro.org>
Date:   Wed Oct 11 11:57:15 2017 +0200

    pinctrl: adi2: Fix Kconfig build problem
    
    
    [ Upstream commit 1c363531dd814dc4fe10865722bf6b0f72ce4673 ]
    
    The build robot is complaining on Blackfin:
    
    drivers/pinctrl/pinctrl-adi2.c: In function 'port_setup':
    >> drivers/pinctrl/pinctrl-adi2.c:221:21: error: dereferencing
       pointer to incomplete type 'struct gpio_port_t'
          writew(readw(&regs->port_fer) & ~BIT(offset),
                            ^~
    drivers/pinctrl/pinctrl-adi2.c: In function 'adi_gpio_ack_irq':
    >> drivers/pinctrl/pinctrl-adi2.c:266:18: error: dereferencing
    pointer to incomplete type 'struct bfin_pint_regs'
          if (readl(&regs->invert_set) & pintbit)
                         ^~
    It seems the driver need to include <asm/gpio.h> and <asm/irq.h>
    to compile.
    
    The Blackfin architecture was re-defining the Kconfig
    PINCTRL symbol which is not OK, so replaced this with
    PINCTRL_BLACKFIN_ADI2 which selects PINCTRL and PINCTRL_ADI2
    just like most arches do.
    
    Further, the old GPIO driver symbol GPIO_ADI was possible to
    select at the same time as selecting PINCTRL. This was not
    working because the arch-local <asm/gpio.h> header contains
    an explicit #ifndef PINCTRL clause making compilation break
    if you combine them. The same is true for DEBUG_MMRS.
    
    Make sure the ADI2 pinctrl driver is not selected at the same
    time as the old GPIO implementation. (This should be converted
    to use gpiolib or pincontrol and move to drivers/...) Also make
    sure the old GPIO_ADI driver or DEBUG_MMRS is not selected at
    the same time as the new PINCTRL implementation, and only make
    PINCTRL_ADI2 selectable for the Blackfin families that actually
    have it.
    
    This way it is still possible to add e.g. I2C-based pin
    control expanders on the Blackfin.
    
    Cc: Steven Miao <realmz6@gmail.com>
    Cc: Huanhuan Feng <huanhuan.feng@analog.com>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5f2dbdff20e02e381e557bd9b6dd8111d3b89997
Author: Bin Liu <b-liu@ti.com>
Date:   Tue Dec 5 08:45:30 2017 -0600

    usb: musb: da8xx: fix babble condition handling
    
    commit bd3486ded7a0c313a6575343e6c2b21d14476645 upstream.
    
    When babble condition happens, the musb controller might automatically
    turns off VBUS. On DA8xx platform, the controller generates drvvbus
    interrupt for turning off VBUS along with the babble interrupt.
    
    In this case, we should handle the babble interrupt first and recover
    from the babble condition.
    
    This change ignores the drvvbus interrupt if babble interrupt is also
    generated at the same time, so the babble recovery routine works
    properly.
    
    Signed-off-by: Bin Liu <b-liu@ti.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 68d3bc40f5ca75c2927a9deaf887412976918bf9
Author: nixiaoming <nixiaoming@huawei.com>
Date:   Fri Sep 15 17:45:56 2017 +0800

    tty fix oops when rmmod 8250
    
    
    [ Upstream commit c79dde629d2027ca80329c62854a7635e623d527 ]
    
    After rmmod 8250.ko
    tty_kref_put starts kwork (release_one_tty) to release proc interface
    oops when accessing driver->driver_name in proc_tty_unregister_driver
    
    Use jprobe, found driver->driver_name point to 8250.ko
    static static struct uart_driver serial8250_reg
    .driver_name= serial,
    
    Use name in proc_dir_entry instead of driver->driver_name to fix oops
    
    test on linux 4.1.12:
    
    BUG: unable to handle kernel paging request at ffffffffa01979de
    IP: [<ffffffff81310f40>] strchr+0x0/0x30
    PGD 1a0d067 PUD 1a0e063 PMD 851c1f067 PTE 0
    Oops: 0000 [#1] PREEMPT SMP
    Modules linked in: ... ...  [last unloaded: 8250]
    CPU: 7 PID: 116 Comm: kworker/7:1 Tainted: G           O    4.1.12 #1
    Hardware name: Insyde RiverForest/Type2 - Board Product Name1, BIOS NE5KV904 12/21/2015
    Workqueue: events release_one_tty
    task: ffff88085b684960 ti: ffff880852884000 task.ti: ffff880852884000
    RIP: 0010:[<ffffffff81310f40>]  [<ffffffff81310f40>] strchr+0x0/0x30
    RSP: 0018:ffff880852887c90  EFLAGS: 00010282
    RAX: ffffffff81a5eca0 RBX: ffffffffa01979de RCX: 0000000000000004
    RDX: ffff880852887d10 RSI: 000000000000002f RDI: ffffffffa01979de
    RBP: ffff880852887cd8 R08: 0000000000000000 R09: ffff88085f5d94d0
    R10: 0000000000000195 R11: 0000000000000000 R12: ffffffffa01979de
    R13: ffff880852887d00 R14: ffffffffa01979de R15: ffff88085f02e840
    FS:  0000000000000000(0000) GS:ffff88085f5c0000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffffffffa01979de CR3: 0000000001a0c000 CR4: 00000000001406e0
    Stack:
     ffffffff812349b1 ffff880852887cb8 ffff880852887d10 ffff88085f5cd6c2
     ffff880852800a80 ffffffffa01979de ffff880852800a84 0000000000000010
     ffff88085bb28bd8 ffff880852887d38 ffffffff812354f0 ffff880852887d08
    Call Trace:
     [<ffffffff812349b1>] ? __xlate_proc_name+0x71/0xd0
     [<ffffffff812354f0>] remove_proc_entry+0x40/0x180
     [<ffffffff815f6811>] ? _raw_spin_lock_irqsave+0x41/0x60
     [<ffffffff813be520>] ? destruct_tty_driver+0x60/0xe0
     [<ffffffff81237c68>] proc_tty_unregister_driver+0x28/0x40
     [<ffffffff813be548>] destruct_tty_driver+0x88/0xe0
     [<ffffffff813be5bd>] tty_driver_kref_put+0x1d/0x20
     [<ffffffff813becca>] release_one_tty+0x5a/0xd0
     [<ffffffff81074159>] process_one_work+0x139/0x420
     [<ffffffff810745a1>] worker_thread+0x121/0x450
     [<ffffffff81074480>] ? process_scheduled_works+0x40/0x40
     [<ffffffff8107a16c>] kthread+0xec/0x110
     [<ffffffff81080000>] ? tg_rt_schedulable+0x210/0x220
     [<ffffffff8107a080>] ? kthread_freezable_should_stop+0x80/0x80
     [<ffffffff815f7292>] ret_from_fork+0x42/0x70
     [<ffffffff8107a080>] ? kthread_freezable_should_stop+0x80/0x80
    
    Signed-off-by: nixiaoming <nixiaoming@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit afa8f0a7af7041665443603ee3c20609733ce940
Author: Michael Ellerman <mpe@ellerman.id.au>
Date:   Mon Oct 9 21:52:44 2017 +1100

    powerpc/perf/hv-24x7: Fix incorrect comparison in memord
    
    
    [ Upstream commit 05c14c03138532a3cb2aa29c2960445c8753343b ]
    
    In the hv-24x7 code there is a function memord() which tries to
    implement a sort function return -1, 0, 1. However one of the
    conditions is incorrect, such that it can never be true, because we
    will have already returned.
    
    I don't believe there is a bug in practice though, because the
    comparisons are an optimisation prior to calling memcmp().
    
    Fix it by swapping the second comparision, so it can be true.
    
    Reported-by: David Binderman <dcb314@hotmail.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 28a5b0e438f18bbacc977a38cf47b3d265ac3d27
Author: Martin Wilck <mwilck@suse.de>
Date:   Fri Oct 20 16:51:08 2017 -0500

    scsi: hpsa: destroy sas transport properties before scsi_host
    
    
    [ Upstream commit dfb2e6f46b3074eb85203d8f0888b71ec1c2e37a ]
    
    This patch cleans up a lot of warnings when unloading the driver.
    
    A current example of the stack trace starts with:
        [  142.570715] sysfs group 'power' not found for kobject 'port-5:0'
    There can be hundreds of these messages during a driver unload.
    
    I am resubmitting this patch on behalf of Martin Wilck with his
    permission.
    
    His original patch can be found here:
    https://www.spinics.net/lists/linux-scsi/msg102085.html
    
    This patch did not help until Hannes's
    commit 9441284fbc39 ("scsi-fixup-kernel-warning-during-rmmod")
    was applied to the kernel.
    
    ---------------------------
    Original patch description:
    ---------------------------
    
    Unloading the hpsa driver causes warnings
    
    [ 1063.793652] WARNING: CPU: 1 PID: 4850 at ../fs/sysfs/group.c:237 device_del+0x54/0x240()
    [ 1063.793659] sysfs group ffffffff81cf21a0 not found for kobject 'port-2:0'
    
    with two different stacks:
    1)
    [ 1063.793774]  [<ffffffff81448af4>] device_del+0x54/0x240
    [ 1063.793780]  [<ffffffff8145178a>] transport_remove_classdev+0x4a/0x60
    [ 1063.793784]  [<ffffffff81451216>] attribute_container_device_trigger+0xa6/0xb0
    [ 1063.793802]  [<ffffffffa0105d46>] sas_port_delete+0x126/0x160 [scsi_transport_sas]
    [ 1063.793819]  [<ffffffffa036ebcc>] hpsa_free_sas_port+0x3c/0x70 [hpsa]
    
    2)
    [ 1063.797103]  [<ffffffff81448af4>] device_del+0x54/0x240
    [ 1063.797118]  [<ffffffffa0105d4e>] sas_port_delete+0x12e/0x160 [scsi_transport_sas]
    [ 1063.797134]  [<ffffffffa036ebcc>] hpsa_free_sas_port+0x3c/0x70 [hpsa]
    
    This is caused by the fact that host device hostX is deleted before the
    SAS transport devices hostX/port-a:b.
    
    This patch fixes this by reverting the order of device deletions.
    
    Tested-by: Don Brace <don.brace@microsemi.com>
    Reviewed-by: Don Brace <don.brace@microsemi.com>
    Signed-off-by: Martin Wilck <mwilck@suse.de>
    Signed-off-by: Don Brace <don.brace@microsemi.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 942eb7dd5e42702e3743852b151b307f1181fd45
Author: Martin Wilck <mwilck@suse.de>
Date:   Fri Oct 20 16:51:14 2017 -0500

    scsi: hpsa: cleanup sas_phy structures in sysfs when unloading
    
    
    [ Upstream commit 55ca38b4255bb336c2d35990bdb2b368e19b435a ]
    
    I am resubmitting this patch on behalf of Martin Wilck with his
    permission.
    
    The original patch can be found here:
    https://www.spinics.net/lists/linux-scsi/msg102083.html
    
    This patch did not help until Hannes's
    commit 9441284fbc39 ("scsi-fixup-kernel-warning-during-rmmod")
    was applied to the kernel.
    
    --------------------------------------
    Original patch description from Martin:
    --------------------------------------
    
    When the hpsa module is unloaded using rmmod, dangling
    symlinks remain under /sys/class/sas_phy. Fix this by
    calling sas_phy_delete() rather than sas_phy_free (which,
    according to comments, should not be called for PHYs that
    have been set up successfully, anyway).
    
    Tested-by: Don Brace <don.brace@microsemi.com>
    Reviewed-by: Don Brace <don.brace@microsemi.com>
    Signed-off-by: Martin Wilck <mwilck@suse.de>
    Signed-off-by: Don Brace <don.brace@microsemi.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ec662d6560733ea730535069426c2eacec0ff908
Author: Alex Williamson <alex.williamson@redhat.com>
Date:   Wed Oct 11 15:35:56 2017 -0600

    PCI: Detach driver before procfs & sysfs teardown on device remove
    
    
    [ Upstream commit 16b6c8bb687cc3bec914de09061fcb8411951fda ]
    
    When removing a device, for example a VF being removed due to SR-IOV
    teardown, a "soft" hot-unplug via 'echo 1 > remove' in sysfs, or an actual
    hot-unplug, we first remove the procfs and sysfs attributes for the device
    before attempting to release the device from any driver bound to it.
    Unbinding the driver from the device can take time.  The device might need
    to write out data or it might be actively in use.  If it's in use by
    userspace through a vfio driver, the unbind might block until the user
    releases the device.  This leads to a potentially non-trivial amount of
    time where the device exists, but we've torn down the interfaces that
    userspace uses to examine devices, for instance lspci might generate this
    sort of error:
    
      pcilib: Cannot open /sys/bus/pci/devices/0000:01:0a.3/config
      lspci: Unable to read the standard configuration space header of device 0000:01:0a.3
    
    We don't seem to have any dependence on this teardown ordering in the
    kernel, so let's unbind the driver first, which is also more symmetric with
    the instantiation of the device in pci_bus_add_device().
    
    Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 02922f3bb37f864ec2057ecc42f1d8c1a394b574
Author: Christoph Hellwig <hch@lst.de>
Date:   Tue Oct 17 14:16:19 2017 -0700

    xfs: fix incorrect extent state in xfs_bmap_add_extent_unwritten_real
    
    
    [ Upstream commit 5e422f5e4fd71d18bc6b851eeb3864477b3d842e ]
    
    There was one spot in xfs_bmap_add_extent_unwritten_real that didn't use the
    passed in new extent state but always converted to normal, leading to wrong
    behavior when converting from normal to unwritten.
    
    Only found by code inspection, it seems like this code path to move partial
    extent from written to unwritten while merging it with the next extent is
    rarely exercised.
    
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Reviewed-by: Brian Foster <bfoster@redhat.com>
    Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f267a1390b419c46007351fae4eccaf00d204ab9
Author: Brian Foster <bfoster@redhat.com>
Date:   Thu Oct 26 09:31:16 2017 -0700

    xfs: fix log block underflow during recovery cycle verification
    
    
    [ Upstream commit 9f2a4505800607e537e9dd9dea4f55c4b0c30c7a ]
    
    It is possible for mkfs to format very small filesystems with too
    small of an internal log with respect to the various minimum size
    and block count requirements. If this occurs when the log happens to
    be smaller than the scan window used for cycle verification and the
    scan wraps the end of the log, the start_blk calculation in
    xlog_find_head() underflows and leads to an attempt to scan an
    invalid range of log blocks. This results in log recovery failure
    and a failed mount.
    
    Since there may be filesystems out in the wild with this kind of
    geometry, we cannot simply refuse to mount. Instead, cap the scan
    window for cycle verification to the size of the physical log. This
    ensures that the cycle verification proceeds as expected when the
    scan wraps the end of the log.
    
    Reported-by: Zorro Lang <zlang@redhat.com>
    Signed-off-by: Brian Foster <bfoster@redhat.com>
    Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 92eff81ad96ad64f26df6c15eb6a734a1a13e8e0
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Wed Oct 25 15:57:55 2017 +0200

    l2tp: cleanup l2tp_tunnel_delete calls
    
    
    [ Upstream commit 4dc12ffeaeac939097a3f55c881d3dc3523dff0c ]
    
    l2tp_tunnel_delete does not return anything since commit 62b982eeb458
    ("l2tp: fix race condition in l2tp_tunnel_delete").  But call sites of
    l2tp_tunnel_delete still do casts to void to avoid unused return value
    warnings.
    
    Kill these now useless casts.
    
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Cc: Sabrina Dubroca <sd@queasysnail.net>
    Cc: Guillaume Nault <g.nault@alphalink.fr>
    Cc: David S. Miller <davem@davemloft.net>
    Cc: netdev@vger.kernel.org
    Acked-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 230c4ba404d35ca035e76ebb268a1d86187a581b
Author: tang.junhui <tang.junhui@zte.com.cn>
Date:   Mon Oct 30 14:46:34 2017 -0700

    bcache: fix wrong cache_misses statistics
    
    
    [ Upstream commit c157313791a999646901b3e3c6888514ebc36d62 ]
    
    Currently, Cache missed IOs are identified by s->cache_miss, but actually,
    there are many situations that missed IOs are not assigned a value for
    s->cache_miss in cached_dev_cache_miss(), for example, a bypassed IO
    (s->iop.bypass = 1), or the cache_bio allocate failed. In these situations,
    it will go to out_put or out_submit, and s->cache_miss is null, which leads
    bch_mark_cache_accounting() to treat this IO as a hit IO.
    
    [ML: applied by 3-way merge]
    
    Signed-off-by: tang.junhui <tang.junhui@zte.com.cn>
    Reviewed-by: Michael Lyle <mlyle@lyle.org>
    Reviewed-by: Coly Li <colyli@suse.de>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2712523730272e74d21fd7720a0f0c8e7b91b24e
Author: Liang Chen <liangchen.linux@gmail.com>
Date:   Mon Oct 30 14:46:35 2017 -0700

    bcache: explicitly destroy mutex while exiting
    
    
    [ Upstream commit 330a4db89d39a6b43f36da16824eaa7a7509d34d ]
    
    mutex_destroy does nothing most of time, but it's better to call
    it to make the code future proof and it also has some meaning
    for like mutex debug.
    
    As Coly pointed out in a previous review, bcache_exit() may not be
    able to handle all the references properly if userspace registers
    cache and backing devices right before bch_debug_init runs and
    bch_debug_init failes later. So not exposing userspace interface
    until everything is ready to avoid that issue.
    
    Signed-off-by: Liang Chen <liangchen.linux@gmail.com>
    Reviewed-by: Michael Lyle <mlyle@lyle.org>
    Reviewed-by: Coly Li <colyli@suse.de>
    Reviewed-by: Eric Wheeler <bcache@linux.ewheeler.net>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ab9b3db4082872109372c39e4c730778752bd823
Author: Bob Peterson <rpeterso@redhat.com>
Date:   Wed Sep 20 08:30:04 2017 -0500

    GFS2: Take inode off order_write list when setting jdata flag
    
    
    [ Upstream commit cc555b09d8c3817aeebda43a14ab67049a5653f7 ]
    
    This patch fixes a deadlock caused when the jdata flag is set for
    inodes that are already on the ordered write list. Since it is
    on the ordered write list, log_flush calls gfs2_ordered_write which
    calls filemap_fdatawrite. But since the inode had the jdata flag
    set, that calls gfs2_jdata_writepages, which tries to start a new
    transaction. A new transaction cannot be started because it tries
    to acquire the log_flush rwsem which is already locked by the log
    flush operation.
    
    The bottom line is: We cannot switch an inode from ordered to jdata
    until we eliminate any ordered data pages (via log flush) or any
    log_flush operation afterward will create the circular dependency
    above. So we need to flush the log before setting the diskflags to
    switch the file mode, then we need to remove the inode from the
    ordered writes list.
    
    Before this patch, the log flush was done for jdata->ordered, but
    that's wrong. If we're going from jdata to ordered, we don't need
    to call gfs2_log_flush because the call to filemap_fdatawrite will
    do it for us:
    
       filemap_fdatawrite() -> __filemap_fdatawrite_range()
          __filemap_fdatawrite_range() -> do_writepages()
             do_writepages() -> gfs2_jdata_writepages()
                gfs2_jdata_writepages() -> gfs2_log_flush()
    
    This patch modifies function do_gfs2_set_flags so that if a file
    has its jdata flag set, and it's already on the ordered write list,
    the log will be flushed and it will be removed from the list
    before setting the flag.
    
    Signed-off-by: Bob Peterson <rpeterso@redhat.com>
    Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
    Acked-by: Abhijith Das <adas@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2a5bb1284e72ba1363320284b23b2da9ad72a7d6
Author: Daniel Lezcano <daniel.lezcano@linaro.org>
Date:   Thu Oct 19 19:05:58 2017 +0200

    thermal/drivers/step_wise: Fix temperature regulation misbehavior
    
    
    [ Upstream commit 07209fcf33542c1ff1e29df2dbdf8f29cdaacb10 ]
    
    There is a particular situation when the cooling device is cpufreq and the heat
    dissipation is not efficient enough where the temperature increases little by
    little until reaching the critical threshold and leading to a SoC reset.
    
    The behavior is reproducible on a hikey6220 with bad heat dissipation (eg.
    stacked with other boards).
    
    Running a simple C program doing while(1); for each CPU of the SoC makes the
    temperature to reach the passive regulation trip point and ends up to the
    maximum allowed temperature followed by a reset.
    
    This issue has been also reported by running the libhugetlbfs test suite.
    
    What is observed is a ping pong between two cpu frequencies, 1.2GHz and 900MHz
    while the temperature continues to grow.
    
    It appears the step wise governor calls get_target_state() the first time with
    the throttle set to true and the trend to 'raising'. The code selects logically
    the next state, so the cpu frequency decreases from 1.2GHz to 900MHz, so far so
    good. The temperature decreases immediately but still stays greater than the
    trip point, then get_target_state() is called again, this time with the
    throttle set to true *and* the trend to 'dropping'. From there the algorithm
    assumes we have to step down the state and the cpu frequency jumps back to
    1.2GHz. But the temperature is still higher than the trip point, so
    get_target_state() is called with throttle=1 and trend='raising' again, we jump
    to 900MHz, then get_target_state() is called with throttle=1 and
    trend='dropping', we jump to 1.2GHz, etc ... but the temperature does not
    stabilizes and continues to increase.
    
    [  237.922654] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
    [  237.922678] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1
    [  237.922690] thermal cooling_device0: cur_state=0
    [  237.922701] thermal cooling_device0: old_target=0, target=1
    [  238.026656] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1
    [  238.026680] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=1
    [  238.026694] thermal cooling_device0: cur_state=1
    [  238.026707] thermal cooling_device0: old_target=1, target=0
    [  238.134647] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
    [  238.134667] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1
    [  238.134679] thermal cooling_device0: cur_state=0
    [  238.134690] thermal cooling_device0: old_target=0, target=1
    
    In this situation the temperature continues to increase while the trend is
    oscillating between 'dropping' and 'raising'. We need to keep the current state
    untouched if the throttle is set, so the temperature can decrease or a higher
    state could be selected, thus preventing this oscillation.
    
    Keeping the next_target untouched when 'throttle' is true at 'dropping' time
    fixes the issue.
    
    The following traces show the governor does not change the next state if
    trend==2 (dropping) and throttle==1.
    
    [ 2306.127987] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
    [ 2306.128009] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1
    [ 2306.128021] thermal cooling_device0: cur_state=0
    [ 2306.128031] thermal cooling_device0: old_target=0, target=1
    [ 2306.231991] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1
    [ 2306.232016] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=1
    [ 2306.232030] thermal cooling_device0: cur_state=1
    [ 2306.232042] thermal cooling_device0: old_target=1, target=1
    [ 2306.335982] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=0,throttle=1
    [ 2306.336006] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=0,throttle=1
    [ 2306.336021] thermal cooling_device0: cur_state=1
    [ 2306.336034] thermal cooling_device0: old_target=1, target=1
    [ 2306.439984] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1
    [ 2306.440008] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=0
    [ 2306.440022] thermal cooling_device0: cur_state=1
    [ 2306.440034] thermal cooling_device0: old_target=1, target=0
    
    [ ... ]
    
    After a while, if the temperature continues to increase, the next state becomes
    2 which is 720MHz on the hikey. That results in the temperature stabilizing
    around the trip point.
    
    [ 2455.831982] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
    [ 2455.832006] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=0
    [ 2455.832019] thermal cooling_device0: cur_state=1
    [ 2455.832032] thermal cooling_device0: old_target=1, target=1
    [ 2455.935985] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=0,throttle=1
    [ 2455.936013] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=0,throttle=0
    [ 2455.936027] thermal cooling_device0: cur_state=1
    [ 2455.936040] thermal cooling_device0: old_target=1, target=1
    [ 2456.043984] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=0,throttle=1
    [ 2456.044009] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=0,throttle=0
    [ 2456.044023] thermal cooling_device0: cur_state=1
    [ 2456.044036] thermal cooling_device0: old_target=1, target=1
    [ 2456.148001] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=1,throttle=1
    [ 2456.148028] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=1,throttle=1
    [ 2456.148042] thermal cooling_device0: cur_state=1
    [ 2456.148055] thermal cooling_device0: old_target=1, target=2
    [ 2456.252009] thermal thermal_zone0: Trip0[type=1,temp=65000]:trend=2,throttle=1
    [ 2456.252041] thermal thermal_zone0: Trip1[type=1,temp=75000]:trend=2,throttle=0
    [ 2456.252058] thermal cooling_device0: cur_state=2
    [ 2456.252075] thermal cooling_device0: old_target=2, target=1
    
    IOW, this change is needed to keep the state for a cooling device if the
    temperature trend is oscillating while the temperature increases slightly.
    
    Without this change, the situation above leads to a catastrophic crash by a
    hardware reset on hikey. This issue has been reported to happen on an OMAP
    dra7xx also.
    
    Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
    Cc: Keerthy <j-keerthy@ti.com>
    Cc: John Stultz <john.stultz@linaro.org>
    Cc: Leo Yan <leo.yan@linaro.org>
    Tested-by: Keerthy <j-keerthy@ti.com>
    Reviewed-by: Keerthy <j-keerthy@ti.com>
    Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 561b9d998e654801d439529adb7aa09e3a0d33d4
Author: Gao Feng <gfree.wind@vip.163.com>
Date:   Tue Oct 31 18:25:37 2017 +0800

    ppp: Destroy the mutex when cleanup
    
    
    [ Upstream commit f02b2320b27c16b644691267ee3b5c110846f49e ]
    
    The mutex_destroy only makes sense when enable DEBUG_MUTEX. For the
    good readbility, it's better to invoke it in exit func when the init
    func invokes mutex_init.
    
    Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
    Acked-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 083dd685aebd7ed22320a3e02c405a67c5c0cbd0
Author: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Date:   Tue Sep 19 04:48:10 2017 +0200

    clk: tegra: Fix cclk_lp divisor register
    
    
    [ Upstream commit 54eff2264d3e9fd7e3987de1d7eba1d3581c631e ]
    
    According to comments in code and common sense, cclk_lp uses its
    own divisor, not cclk_g's.
    
    Fixes: b08e8c0ecc42 ("clk: tegra: add clock support for Tegra30")
    Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
    Acked-By: Peter De Schrijver <pdeschrijver@nvidia.com>
    Signed-off-by: Thierry Reding <treding@nvidia.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f56be2ce49c120f76243be425ec3d9e3ee44ae12
Author: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Date:   Tue Aug 1 12:40:07 2017 +0200

    clk: imx6: refine hdmi_isfr's parent to make HDMI work on i.MX6 SoCs w/o VPU
    
    
    [ Upstream commit c68ee58d9ee7b856ac722f18f4f26579c8fbd2b4 ]
    
    On i.MX6 SoCs without VPU (in my case MCIMX6D4AVT10AC), the hdmi driver
    fails to probe:
    
    [    2.540030] dwhdmi-imx 120000.hdmi: Unsupported HDMI controller
    (0000:00:00)
    [    2.548199] imx-drm display-subsystem: failed to bind 120000.hdmi
    (ops dw_hdmi_imx_ops): -19
    [    2.557403] imx-drm display-subsystem: master bind failed: -19
    
    That's because hdmi_isfr's parent, video_27m, is not correctly ungated.
    As explained in commit 5ccc248cc537 ("ARM: imx6q: clk: Add support for
    mipi_core_cfg clock as a shared clock gate"), video_27m is gated by
    CCM_CCGR3[CG8].
    
    On i.MX6 SoCs with VPU, the hdmi is working thanks to the
    CCM_CMEOR[mod_en_ov_vpu] bit which makes the video_27m ungated whatever
    is in CCM_CCGR3[CG8]. The issue can be reproduced by setting
    CCMEOR[mod_en_ov_vpu] to 0.
    
    Make the HDMI work in every case by setting hdmi_isfr's parent to
    mipi_core_cfg.
    
    Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
    Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
    Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 22a1e337ed68e1a660f6b1c5fcef76b7c7ac63e1
Author: Chen Zhong <chen.zhong@mediatek.com>
Date:   Thu Oct 5 11:50:23 2017 +0800

    clk: mediatek: add the option for determining PLL source clock
    
    
    [ Upstream commit c955bf3998efa3355790a4d8c82874582f1bc727 ]
    
    Since the previous setup always sets the PLL using crystal 26MHz, this
    doesn't always happen in every MediaTek platform. So the patch added
    flexibility for assigning extra member for determining the PLL source
    clock.
    
    Signed-off-by: Chen Zhong <chen.zhong@mediatek.com>
    Signed-off-by: Sean Wang <sean.wang@mediatek.com>
    Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b59614cfd2d3619eedc1b711ac51efb7636efba6
Author: Jan Kara <jack@suse.cz>
Date:   Fri Nov 3 12:21:21 2017 +0100

    mm: Handle 0 flags in _calc_vm_trans() macro
    
    
    [ Upstream commit 592e254502041f953e84d091eae2c68cba04c10b ]
    
    _calc_vm_trans() does not handle the situation when some of the passed
    flags are 0 (which can happen if these VM flags do not make sense for
    the architecture). Improve the _calc_vm_trans() macro to return 0 in
    such situation. Since all passed flags are constant, this does not add
    any runtime overhead.
    
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Dan Williams <dan.j.williams@intel.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 44de70ecec2d9aaf2a0f0c790ae4bba592c6ca3a
Author: Robert Baronescu <robert.baronescu@nxp.com>
Date:   Tue Oct 10 13:22:00 2017 +0300

    crypto: tcrypt - fix buffer lengths in test_aead_speed()
    
    
    [ Upstream commit 7aacbfcb331ceff3ac43096d563a1f93ed46e35e ]
    
    Fix the way the length of the buffers used for
    encryption / decryption are computed.
    For e.g. in case of encryption, input buffer does not contain
    an authentication tag.
    
    Signed-off-by: Robert Baronescu <robert.baronescu@nxp.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b397507641fb1e4b657dc93c38a9180971af8d8f
Author: Suzuki K Poulose <suzuki.poulose@arm.com>
Date:   Fri Nov 3 11:45:18 2017 +0000

    arm-ccn: perf: Prevent module unload while PMU is in use
    
    
    [ Upstream commit c7f5828bf77dcbd61d51f4736c1d5aa35663fbb4 ]
    
    When the PMU driver is built as a module, the perf expects the
    pmu->module to be valid, so that the driver is prevented from
    being unloaded while it is in use. Fix the CCN pmu driver to
    fill in this field.
    
    Fixes: a33b0daab73a0 ("bus: ARM CCN PMU driver")
    Cc: Pawel Moll <pawel.moll@arm.com>
    Cc: Will Deacon <will.deacon@arm.com>
    Acked-by: Mark Rutland <mark.rutland@arm.com>
    Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 75ee360a5114a702cda274efb42c4416046e5ab4
Author: Jiang Yi <jiangyilism@gmail.com>
Date:   Fri Aug 11 11:29:44 2017 +0800

    target/file: Do not return error for UNMAP if length is zero
    
    
    [ Upstream commit 594e25e73440863981032d76c9b1e33409ceff6e ]
    
    The function fd_execute_unmap() in target_core_file.c calles
    
    ret = file->f_op->fallocate(file, mode, pos, len);
    
    Some filesystems implement fallocate() to return error if
    length is zero (e.g. btrfs) but according to SCSI Block
    Commands spec UNMAP should return success for zero length.
    
    Signed-off-by: Jiang Yi <jiangyilism@gmail.com>
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 646191449e769c29f1c01a945491c4ca2005eedf
Author: tangwenji <tang.wenji@zte.com.cn>
Date:   Thu Aug 24 19:59:37 2017 +0800

    target:fix condition return in core_pr_dump_initiator_port()
    
    
    [ Upstream commit 24528f089d0a444070aa4f715ace537e8d6bf168 ]
    
    When is pr_reg->isid_present_at_reg is false,this function should return.
    
    This fixes a regression originally introduced by:
    
      commit d2843c173ee53cf4c12e7dfedc069a5bc76f0ac5
      Author: Andy Grover <agrover@redhat.com>
      Date:   Thu May 16 10:40:55 2013 -0700
    
          target: Alter core_pr_dump_initiator_port for ease of use
    
    Signed-off-by: tangwenji <tang.wenji@zte.com.cn>
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e14086b2c9bcc10b54e674078e606b1b0a0a6916
Author: tangwenji <tang.wenji@zte.com.cn>
Date:   Fri Sep 15 16:03:13 2017 +0800

    iscsi-target: fix memory leak in lio_target_tiqn_addtpg()
    
    
    [ Upstream commit 12d5a43b2dffb6cd28062b4e19024f7982393288 ]
    
    tpg must free when call core_tpg_register() return fail
    
    Signed-off-by: tangwenji <tang.wenji@zte.com.cn>
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7d93603ddb655df966e3feee669009ff6f335994
Author: Bart Van Assche <bart.vanassche@wdc.com>
Date:   Tue Oct 31 11:03:17 2017 -0700

    target/iscsi: Fix a race condition in iscsit_add_reject_from_cmd()
    
    
    [ Upstream commit cfe2b621bb18d86e93271febf8c6e37622da2d14 ]
    
    Avoid that cmd->se_cmd.se_tfo is read after a command has already been
    freed.
    
    Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Mike Christie <mchristi@redhat.com>
    Reviewed-by: Hannes Reinecke <hare@suse.com>
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 09f29c7a953d81344a78516e04de16aecc238a67
Author: Christophe Leroy <christophe.leroy@c-s.fr>
Date:   Wed Oct 18 11:16:47 2017 +0200

    powerpc/ipic: Fix status get and status clear
    
    
    [ Upstream commit 6b148a7ce72a7f87c81cbcde48af014abc0516a9 ]
    
    IPIC Status is provided by register IPIC_SERSR and not by IPIC_SERMR
    which is the mask register.
    
    Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c6c3637ee8ab7cbfd2ca458c5c01b0e2d3d91b79
Author: William A. Kennington III <wak@google.com>
Date:   Fri Sep 22 16:58:00 2017 -0700

    powerpc/opal: Fix EBUSY bug in acquiring tokens
    
    
    [ Upstream commit 71e24d7731a2903b1ae2bba2b2971c654d9c2aa6 ]
    
    The current code checks the completion map to look for the first token
    that is complete. In some cases, a completion can come in but the
    token can still be on lease to the caller processing the completion.
    If this completed but unreleased token is the first token found in the
    bitmap by another tasks trying to acquire a token, then the
    __test_and_set_bit call will fail since the token will still be on
    lease. The acquisition will then fail with an EBUSY.
    
    This patch reorganizes the acquisition code to look at the
    opal_async_token_map for an unleased token. If the token has no lease
    it must have no outstanding completions so we should never see an
    EBUSY, unless we have leased out too many tokens. Since
    opal_async_get_token_inrerruptible is protected by a semaphore, we
    will practically never see EBUSY anymore.
    
    Fixes: 8d7248232208 ("powerpc/powernv: Infrastructure to support OPAL async completion")
    Signed-off-by: William A. Kennington III <wak@google.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 59720463cf28d178321612de38ebc376022c7095
Author: KUWAZAWA Takuya <albatross0@gmail.com>
Date:   Sun Oct 15 20:54:10 2017 +0900

    netfilter: ipvs: Fix inappropriate output of procfs
    
    
    [ Upstream commit c5504f724c86ee925e7ffb80aa342cfd57959b13 ]
    
    Information about ipvs in different network namespace can be seen via procfs.
    
    How to reproduce:
    
      # ip netns add ns01
      # ip netns add ns02
      # ip netns exec ns01 ip a add dev lo 127.0.0.1/8
      # ip netns exec ns02 ip a add dev lo 127.0.0.1/8
      # ip netns exec ns01 ipvsadm -A -t 10.1.1.1:80
      # ip netns exec ns02 ipvsadm -A -t 10.1.1.2:80
    
    The ipvsadm displays information about its own network namespace only.
    
      # ip netns exec ns01 ipvsadm -Ln
      IP Virtual Server version 1.2.1 (size=4096)
      Prot LocalAddress:Port Scheduler Flags
        -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
      TCP  10.1.1.1:80 wlc
    
      # ip netns exec ns02 ipvsadm -Ln
      IP Virtual Server version 1.2.1 (size=4096)
      Prot LocalAddress:Port Scheduler Flags
        -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
      TCP  10.1.1.2:80 wlc
    
    But I can see information about other network namespace via procfs.
    
      # ip netns exec ns01 cat /proc/net/ip_vs
      IP Virtual Server version 1.2.1 (size=4096)
      Prot LocalAddress:Port Scheduler Flags
        -> RemoteAddress:Port Forward Weight ActiveConn InActConn
      TCP  0A010101:0050 wlc
      TCP  0A010102:0050 wlc
    
      # ip netns exec ns02 cat /proc/net/ip_vs
      IP Virtual Server version 1.2.1 (size=4096)
      Prot LocalAddress:Port Scheduler Flags
        -> RemoteAddress:Port Forward Weight ActiveConn InActConn
      TCP  0A010102:0050 wlc
    
    Signed-off-by: KUWAZAWA Takuya <albatross0@gmail.com>
    Acked-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f46b4bab4e93d035ca0b11c8c1fb2babae41f527
Author: Shriya <shriyak@linux.vnet.ibm.com>
Date:   Fri Oct 13 10:06:41 2017 +0530

    powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo
    
    
    [ Upstream commit cd77b5ce208c153260ed7882d8910f2395bfaabd ]
    
    The call to /proc/cpuinfo in turn calls cpufreq_quick_get() which
    returns the last frequency requested by the kernel, but may not
    reflect the actual frequency the processor is running at. This patch
    makes a call to cpufreq_get() instead which returns the current
    frequency reported by the hardware.
    
    Fixes: fb5153d05a7d ("powerpc: powernv: Implement ppc_md.get_proc_freq()")
    Signed-off-by: Shriya <shriyak@linux.vnet.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ef476a74f8edf332adb89d83dbba36c4c2ce77c5
Author: Qiang <zhengqiang10@huawei.com>
Date:   Thu Sep 28 11:54:34 2017 +0800

    PCI/PME: Handle invalid data when reading Root Status
    
    
    [ Upstream commit 3ad3f8ce50914288731a3018b27ee44ab803e170 ]
    
    PCIe PME and native hotplug share the same interrupt number, so hotplug
    interrupts are also processed by PME.  In some cases, e.g., a Link Down
    interrupt, a device may be present but unreachable, so when we try to
    read its Root Status register, the read fails and we get all ones data
    (0xffffffff).
    
    Previously, we interpreted that data as PCI_EXP_RTSTA_PME being set, i.e.,
    "some device has asserted PME," so we scheduled pcie_pme_work_fn().  This
    caused an infinite loop because pcie_pme_work_fn() tried to handle PME
    requests until PCI_EXP_RTSTA_PME is cleared, but with the link down,
    PCI_EXP_RTSTA_PME can't be cleared.
    
    Check for the invalid 0xffffffff data everywhere we read the Root Status
    register.
    
    1469d17dd341 ("PCI: pciehp: Handle invalid data when reading from
    non-existent devices") added similar checks in the hotplug driver.
    
    Signed-off-by: Qiang Zheng <zhengqiang10@huawei.com>
    [bhelgaas: changelog, also check in pcie_pme_work_fn(), use "~0" to follow
    other similar checks]
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e6d8207a84b0050df467ec7f5f600f4fef79c0a0
Author: Peter Ujfalusi <peter.ujfalusi@ti.com>
Date:   Wed Nov 8 12:02:25 2017 +0200

    dmaengine: ti-dma-crossbar: Correct am335x/am43xx mux value type
    
    
    [ Upstream commit 288e7560e4d3e259aa28f8f58a8dfe63627a1bf6 ]
    
    The used 0x1f mask is only valid for am335x family of SoC, different family
    using this type of crossbar might have different number of electable
    events. In case of am43xx family 0x3f mask should have been used for
    example.
    Instead of trying to handle each family's mask, just use u8 type to store
    the mux value since the event offsets are aligned to byte offset.
    
    Fixes: 42dbdcc6bf965 ("dmaengine: ti-dma-crossbar: Add support for crossbar on AM33xx/AM43xx")
    Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
    Signed-off-by: Vinod Koul <vinod.koul@intel.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 600b973fc56f91a6daf9d640ce3ecd6555875fdb
Author: Philipp Zabel <p.zabel@pengutronix.de>
Date:   Tue Nov 7 13:12:17 2017 +0100

    rtc: pcf8563: fix output clock rate
    
    
    [ Upstream commit a3350f9c57ffad569c40f7320b89da1f3061c5bb ]
    
    The pcf8563_clkout_recalc_rate function erroneously ignores the
    frequency index read from the CLKO register and always returns
    32768 Hz.
    
    Fixes: a39a6405d5f9 ("rtc: pcf8563: add CLKOUT to common clock framework")
    Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ac0468efee605b6a6260223cbac53aea37412615
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Thu Nov 9 18:09:28 2017 +0100

    video: fbdev: au1200fb: Return an error code if a memory allocation fails
    
    
    [ Upstream commit 8cae353e6b01ac3f18097f631cdbceb5ff28c7f3 ]
    
    'ret' is known to be 0 at this point.
    In case of memory allocation error in 'framebuffer_alloc()', return
    -ENOMEM instead.
    
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Cc: Tejun Heo <tj@kernel.org>
    Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 033d20b727f31fe047ea2f314eb0ac3a87df71ce
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Thu Nov 9 18:09:28 2017 +0100

    video: fbdev: au1200fb: Release some resources if a memory allocation fails
    
    
    [ Upstream commit 451f130602619a17c8883dd0b71b11624faffd51 ]
    
    We should go through the error handling code instead of returning -ENOMEM
    directly.
    
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Cc: Tejun Heo <tj@kernel.org>
    Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 314ce05757950210dea77a043c33ad2bb28c2a42
Author: Ladislav Michl <ladis@linux-mips.org>
Date:   Thu Nov 9 18:09:30 2017 +0100

    video: udlfb: Fix read EDID timeout
    
    
    [ Upstream commit c98769475575c8a585f5b3952f4b5f90266f699b ]
    
    While usb_control_msg function expects timeout in miliseconds, a value
    of HZ is used. Replace it with USB_CTRL_GET_TIMEOUT and also fix error
    message which looks like:
    udlfb: Read EDID byte 78 failed err ffffff92
    as error is either negative errno or number of bytes transferred use %d
    format specifier.
    
    Returned EDID is in second byte, so return error when less than two bytes
    are received.
    
    Fixes: 18dffdf8913a ("staging: udlfb: enhance EDID and mode handling support")
    Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
    Cc: Bernie Thompson <bernie@plugable.com>
    Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2f5427451738a4449b69438e079ad13b405ebfc6
Author: Geert Uytterhoeven <geert@linux-m68k.org>
Date:   Thu Nov 9 18:09:33 2017 +0100

    fbdev: controlfb: Add missing modes to fix out of bounds access
    
    
    [ Upstream commit ac831a379d34109451b3c41a44a20ee10ecb615f ]
    
    Dan's static analysis says:
    
        drivers/video/fbdev/controlfb.c:560 control_setup()
        error: buffer overflow 'control_mac_modes' 20 <= 21
    
    Indeed, control_mac_modes[] has only 20 elements, while VMODE_MAX is 22,
    which may lead to an out of bounds read when parsing vmode commandline
    options.
    
    The bug was introduced in v2.4.5.6, when 2 new modes were added to
    macmodes.h, but control_mac_modes[] wasn't updated:
    
    https://kernel.opensuse.org/cgit/kernel/diff/include/video/macmodes.h?h=v2.5.2&id=29f279c764808560eaceb88fef36cbc35c529aad
    
    Augment control_mac_modes[] with the two new video modes to fix this.
    
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Cc: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 57fa76a466731f94b183dadeb97aae05115e5153
Author: Robert Stonehouse <rstonehouse@solarflare.com>
Date:   Tue Nov 7 17:30:30 2017 +0000

    sfc: don't warn on successful change of MAC
    
    
    [ Upstream commit cbad52e92ad7f01f0be4ca58bde59462dc1afe3a ]
    
    Fixes: 535a61777f44e ("sfc: suppress handled MCDI failures when changing the MAC address")
    Signed-off-by: Bert Kenward <bkenward@solarflare.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c9b79738c0ab9c54d95760403cfd17f67f956a45
Author: Mike Christie <mchristi@redhat.com>
Date:   Thu Mar 2 04:59:50 2017 -0600

    target: fix race during implicit transition work flushes
    
    
    [ Upstream commit 760bf578edf8122f2503a3a6a3f4b0de3b6ce0bb ]
    
    This fixes the following races:
    
    1. core_alua_do_transition_tg_pt could have read
    tg_pt_gp_alua_access_state and gone into this if chunk:
    
    if (!explicit &&
            atomic_read(&tg_pt_gp->tg_pt_gp_alua_access_state) ==
               ALUA_ACCESS_STATE_TRANSITION) {
    
    and then core_alua_do_transition_tg_pt_work could update the
    state. core_alua_do_transition_tg_pt would then only set
    tg_pt_gp_alua_pending_state and the tg_pt_gp_alua_access_state would
    not get updated with the second calls state.
    
    2. core_alua_do_transition_tg_pt could be setting
    tg_pt_gp_transition_complete while the tg_pt_gp_transition_work
    is already completing. core_alua_do_transition_tg_pt then waits on the
    completion that will never be called.
    
    To handle these issues, we just call flush_work which will return when
    core_alua_do_transition_tg_pt_work has completed so there is no need
    to do the complete/wait. And, if core_alua_do_transition_tg_pt_work
    was running, instead of trying to sneak in the state change, we just
    schedule up another core_alua_do_transition_tg_pt_work call.
    
    Note that this does not handle a possible race where there are multiple
    threads call core_alua_do_transition_tg_pt at the same time. I think
    we need a mutex in target_tg_pt_gp_alua_access_state_store.
    
    Signed-off-by: Mike Christie <mchristi@redhat.com>
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dfd6deed831348fc8d6cb3efca1c68c3d5b195c7
Author: Mike Christie <mchristi@redhat.com>
Date:   Thu Mar 2 04:59:48 2017 -0600

    target: fix ALUA transition timeout handling
    
    
    [ Upstream commit d7175373f2745ed4abe5b388d5aabd06304f801e ]
    
    The implicit transition time tells initiators the min time
    to wait before timing out a transition. We currently schedule
    the transition to occur in tg_pt_gp_implicit_trans_secs
    seconds so there is no room for delays. If
    core_alua_do_transition_tg_pt_work->core_alua_update_tpg_primary_metadata
    needs to write out info to a remote file, then the initiator can
    easily time out the operation.
    
    Signed-off-by: Mike Christie <mchristi@redhat.com>
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7f5084b98f8990317e13f6fe42238684896842f0
Author: Mike Christie <mchristi@redhat.com>
Date:   Wed Mar 1 23:13:26 2017 -0600

    target: Use system workqueue for ALUA transitions
    
    
    [ Upstream commit 207ee84133c00a8a2a5bdec94df4a5b37d78881c ]
    
    If tcmu-runner is processing a STPG and needs to change the kernel's
    ALUA state then we cannot use the same work queue for task management
    requests and ALUA transitions, because we could deadlock. The problem
    occurs when a STPG times out before tcmu-runner is able to
    call into target_tg_pt_gp_alua_access_state_store->
    core_alua_do_port_transition -> core_alua_do_transition_tg_pt ->
    queue_work. In this case, the tmr is on the work queue waiting for
    the STPG to complete, but the STPG transition is now queued behind
    the waiting tmr.
    
    Note:
    This bug will also be fixed by this patch:
    http://www.spinics.net/lists/target-devel/msg14560.html
    which switches the tmr code to use the system workqueues.
    
    For both, I am not sure if we need a dedicated workqueue since
    it is not a performance path and I do not think we need WQ_MEM_RECLAIM
    to make forward progress to free up memory like the block layer does.
    
    Signed-off-by: Mike Christie <mchristi@redhat.com>
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f9b4a2e04c22969d474394df0f882411ddfa3cd7
Author: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
Date:   Fri Mar 10 16:45:44 2017 -0500

    btrfs: add missing memset while reading compressed inline extents
    
    
    [ Upstream commit e1699d2d7bf6e6cce3e1baff19f9dd4595a58664 ]
    
    This is a story about 4 distinct (and very old) btrfs bugs.
    
    Commit c8b978188c ("Btrfs: Add zlib compression support") added
    three data corruption bugs for inline extents (bugs #1-3).
    
    Commit 93c82d5750 ("Btrfs: zero page past end of inline file items")
    fixed bug #1:  uncompressed inline extents followed by a hole and more
    extents could get non-zero data in the hole as they were read.  The fix
    was to add a memset in btrfs_get_extent to zero out the hole.
    
    Commit 166ae5a418 ("btrfs: fix inline compressed read err corruption")
    fixed bug #2:  compressed inline extents which contained non-zero bytes
    might be replaced with zero bytes in some cases.  This patch removed an
    unhelpful memset from uncompress_inline, but the case where memset is
    required was missed.
    
    There is also a memset in the decompression code, but this only covers
    decompressed data that is shorter than the ram_bytes from the extent
    ref record.  This memset doesn't cover the region between the end of the
    decompressed data and the end of the page.  It has also moved around a
    few times over the years, so there's no single patch to refer to.
    
    This patch fixes bug #3:  compressed inline extents followed by a hole
    and more extents could get non-zero data in the hole as they were read
    (i.e. bug #3 is the same as bug #1, but s/uncompressed/compressed/).
    The fix is the same:  zero out the hole in the compressed case too,
    by putting a memset back in uncompress_inline, but this time with
    correct parameters.
    
    The last and oldest bug, bug #0, is the cause of the offending inline
    extent/hole/extent pattern.  Bug #0 is a subtle and mostly-harmless quirk
    of behavior somewhere in the btrfs write code.  In a few special cases,
    an inline extent and hole are allowed to persist where they normally
    would be combined with later extents in the file.
    
    A fast reproducer for bug #0 is presented below.  A few offending extents
    are also created in the wild during large rsync transfers with the -S
    flag.  A Linux kernel build (git checkout; make allyesconfig; make -j8)
    will produce a handful of offending files as well.  Once an offending
    file is created, it can present different content to userspace each
    time it is read.
    
    Bug #0 is at least 4 and possibly 8 years old.  I verified every vX.Y
    kernel back to v3.5 has this behavior.  There are fossil records of this
    bug's effects in commits all the way back to v2.6.32.  I have no reason
    to believe bug #0 wasn't present at the beginning of btrfs compression
    support in v2.6.29, but I can't easily test kernels that old to be sure.
    
    It is not clear whether bug #0 is worth fixing.  A fix would likely
    require injecting extra reads into currently write-only paths, and most
    of the exceptional cases caused by bug #0 are already handled now.
    
    Whether we like them or not, bug #0's inline extents followed by holes
    are part of the btrfs de-facto disk format now, and we need to be able
    to read them without data corruption or an infoleak.  So enough about
    bug #0, let's get back to bug #3 (this patch).
    
    An example of on-disk structure leading to data corruption found in
    the wild:
    
            item 61 key (606890 INODE_ITEM 0) itemoff 9662 itemsize 160
                    inode generation 50 transid 50 size 47424 nbytes 49141
                    block group 0 mode 100644 links 1 uid 0 gid 0
                    rdev 0 flags 0x0(none)
            item 62 key (606890 INODE_REF 603050) itemoff 9642 itemsize 20
                    inode ref index 3 namelen 10 name: DB_File.so
            item 63 key (606890 EXTENT_DATA 0) itemoff 8280 itemsize 1362
                    inline extent data size 1341 ram 4085 compress(zlib)
            item 64 key (606890 EXTENT_DATA 4096) itemoff 8227 itemsize 53
                    extent data disk byte 5367308288 nr 20480
                    extent data offset 0 nr 45056 ram 45056
                    extent compression(zlib)
    
    Different data appears in userspace during each read of the 11 bytes
    between 4085 and 4096.  The extent in item 63 is not long enough to
    fill the first page of the file, so a memset is required to fill the
    space between item 63 (ending at 4085) and item 64 (beginning at 4096)
    with zero.
    
    Here is a reproducer from Liu Bo, which demonstrates another method
    of creating the same inline extent and hole pattern:
    
    Using 'page_poison=on' kernel command line (or enable
    CONFIG_PAGE_POISONING) run the following:
    
            # touch foo
            # chattr +c foo
            # xfs_io -f -c "pwrite -W 0 1000" foo
            # xfs_io -f -c "falloc 4 8188" foo
            # od -x foo
            # echo 3 >/proc/sys/vm/drop_caches
            # od -x foo
    
    This produce the following on my box:
    
    Correct output:  file contains 1000 data bytes followed
    by zeros:
    
            0000000 cdcd cdcd cdcd cdcd cdcd cdcd cdcd cdcd
            *
            0001740 cdcd cdcd cdcd cdcd 0000 0000 0000 0000
            0001760 0000 0000 0000 0000 0000 0000 0000 0000
            *
            0020000
    
    Actual output:  the data after the first 1000 bytes
    will be different each run:
    
            0000000 cdcd cdcd cdcd cdcd cdcd cdcd cdcd cdcd
            *
            0001740 cdcd cdcd cdcd cdcd 6c63 7400 635f 006d
            0001760 5f74 6f43 7400 435f 0053 5f74 7363 7400
            0002000 435f 0056 5f74 6164 7400 645f 0062 5f74
            (...)
    
    Signed-off-by: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
    Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
    Reviewed-by: Chris Mason <clm@fb.com>
    Signed-off-by: Chris Mason <clm@fb.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 248aa3accad95cb1e381188bb41beceb7a4ac49e
Author: Olga Kornievskaia <kolga@netapp.com>
Date:   Wed Mar 8 14:39:15 2017 -0500

    NFSv4.1 respect server's max size in CREATE_SESSION
    
    
    [ Upstream commit 033853325fe3bdc70819a8b97915bd3bca41d3af ]
    
    Currently client doesn't respect max sizes server returns in CREATE_SESSION.
    nfs4_session_set_rwsize() gets called and server->rsize, server->wsize are 0
    so they never get set to the sizes returned by the server.
    
    Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a49aa7aadbd36395d3463bcadcdf187477c048ad
Author: Daniel Drake <drake@endlessm.com>
Date:   Tue Feb 7 13:08:23 2017 -0600

    efi/esrt: Cleanup bad memory map log messages
    
    
    [ Upstream commit 822f5845f710e57d7e2df1fd1ee00d6e19d334fe ]
    
    The Intel Compute Stick STCK1A8LFC and Weibu F3C platforms both
    log 2 error messages during boot:
    
       efi: requested map not found.
       esrt: ESRT header is not in the memory map.
    
    Searching the web, this seems to affect many other platforms too.
    Since these messages are logged as errors, they appear on-screen during
    the boot process even when using the "quiet" boot parameter used by
    distros.
    
    Demote the ESRT error to a warning so that it does not appear on-screen,
    and delete the error logging from efi_mem_desc_lookup; both callsites
    of that function log more specific messages upon failure.
    
    Out of curiosity I looked closer at the Weibu F3C. There is no entry in
    the UEFI-provided memory map which corresponds to the ESRT pointer, but
    hacking the code to map it anyway, the ESRT does appear to be valid with
    2 entries.
    
    Signed-off-by: Daniel Drake <drake@endlessm.com>
    Cc: Matt Fleming <matt@codeblueprint.co.uk>
    Acked-by: Peter Jones <pjones@redhat.com>
    Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dc81417eedf55a92503b718ecd7b5b356a2c7d97
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Wed Mar 15 22:53:37 2017 +0100

    perf symbols: Fix symbols__fixup_end heuristic for corner cases
    
    
    [ Upstream commit e7ede72a6d40cb3a30c087142d79381ca8a31dab ]
    
    The current symbols__fixup_end() heuristic for the last entry in the rb
    tree is suboptimal as it leads to not being able to recognize the symbol
    in the call graph in a couple of corner cases, for example:
    
     i) If the symbol has a start address (f.e. exposed via kallsyms)
        that is at a page boundary, then the roundup(curr->start, 4096)
        for the last entry will result in curr->start == curr->end with
        a symbol length of zero.
    
    ii) If the symbol has a start address that is shortly before a page
        boundary, then also here, curr->end - curr->start will just be
        very few bytes, where it's unrealistic that we could perform a
        match against.
    
    Instead, change the heuristic to roundup(curr->start, 4096) + 4096, so
    that we can catch such corner cases and have a better chance to find
    that specific symbol. It's still just best effort as the real end of the
    symbol is unknown to us (and could even be at a larger offset than the
    current range), but better than the current situation.
    
    Alexei reported that he recently run into case i) with a JITed eBPF
    program (these are all page aligned) as the last symbol which wasn't
    properly shown in the call graph (while other eBPF program symbols in
    the rb tree were displayed correctly). Since this is a generic issue,
    lets try to improve the heuristic a bit.
    
    Reported-and-Tested-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Fixes: 2e538c4a1847 ("perf tools: Improve kernel/modules symbol lookup")
    Link: http://lkml.kernel.org/r/bb5c80d27743be6f12afc68405f1956a330e1bc9.1489614365.git.daniel@iogearbox.net
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit acc7d1bd901cde5acc6891ebc6be6cfc614fb868
Author: Jack Morgenstein <jackm@dev.mellanox.co.il>
Date:   Mon Mar 13 19:29:08 2017 +0200

    net/mlx4_core: Avoid delays during VF driver device shutdown
    
    
    [ Upstream commit 4cbe4dac82e423ecc9a0ba46af24a860853259f4 ]
    
    Some Hypervisors detach VFs from VMs by instantly causing an FLR event
    to be generated for a VF.
    
    In the mlx4 case, this will cause that VF's comm channel to be disabled
    before the VM has an opportunity to invoke the VF device's "shutdown"
    method.
    
    For such Hypervisors, there is a race condition between the VF's
    shutdown method and its internal-error detection/reset thread.
    
    The internal-error detection/reset thread (which runs every 5 seconds) also
    detects a disabled comm channel. If the internal-error detection/reset
    flow wins the race, we still get delays (while that flow tries repeatedly
    to detect comm-channel recovery).
    
    The cited commit fixed the command timeout problem when the
    internal-error detection/reset flow loses the race.
    
    This commit avoids the unneeded delays when the internal-error
    detection/reset flow wins.
    
    Fixes: d585df1c5ccf ("net/mlx4_core: Avoid command timeouts during VF driver device shutdown")
    Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
    Reported-by: Simon Xiao <sixiao@microsoft.com>
    Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5e469e44c8fd338183ea08adb143bb6e9a645ff1
Author: David Howells <dhowells@redhat.com>
Date:   Thu Mar 16 16:27:48 2017 +0000

    afs: Fix afs_kill_pages()
    
    
    [ Upstream commit 7286a35e893176169b09715096a4aca557e2ccd2 ]
    
    Fix afs_kill_pages() in two ways:
    
     (1) If a writeback has been partially flushed, then if we try and kill the
         pages it contains, some of them may no longer be undergoing writeback
         and end_page_writeback() will assert.
    
         Fix this by checking to see whether the page in question is actually
         undergoing writeback before ending that writeback.
    
     (2) The loop that scans for pages to kill doesn't increase the first page
         index, and so the loop may not terminate, but it will try to process
         the same pages over and over again.
    
         Fix this by increasing the first page index to one after the last page
         we processed.
    
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 80f74cef482f3ea77f918eeb739e588aeaeb20f9
Author: David Howells <dhowells@redhat.com>
Date:   Thu Mar 16 16:27:48 2017 +0000

    afs: Fix page leak in afs_write_begin()
    
    
    [ Upstream commit 6d06b0d25209c80e99c1e89700f1e09694a3766b ]
    
    afs_write_begin() leaks a ref and a lock on a page if afs_fill_page()
    fails.  Fix the leak by unlocking and releasing the page in the error path.
    
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c58d7796ab9329241d54c143658132980ad536a5
Author: Marc Dionne <marc.dionne@auristor.com>
Date:   Thu Mar 16 16:27:47 2017 +0000

    afs: Populate and use client modification time
    
    
    [ Upstream commit ab94f5d0dd6fd82e7eeca5e7c8096eaea0a0261f ]
    
    The inode timestamps should be set from the client time
    in the status received from the server, rather than the
    server time which is meant for internal server use.
    
    Set AFS_SET_MTIME and populate the mtime for operations
    that take an input status, such as file/dir creation
    and StoreData.  If an input time is not provided the
    server will set the vnode times based on the current server
    time.
    
    In a situation where the server has some skew with the
    client, this could lead to the client seeing a timestamp
    in the future for a file that it just created or wrote.
    
    Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fa034538cb041dd79eba2affd76c232eb7aefa2c
Author: David Howells <dhowells@redhat.com>
Date:   Thu Mar 16 16:27:47 2017 +0000

    afs: Fix the maths in afs_fs_store_data()
    
    
    [ Upstream commit 146a1192783697810b63a1e41c4d59fc93387340 ]
    
    afs_fs_store_data() works out of the size of the write it's going to make,
    but it uses 32-bit unsigned subtraction in one place that gets
    automatically cast to loff_t.
    
    However, if to < offset, then the number goes negative, but as the result
    isn't signed, this doesn't get sign-extended to 64-bits when placed in a
    loff_t.
    
    Fix by casting the operands to loff_t.
    
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1efae6ca3418855d3106aef4d763bf2f29b4c04d
Author: Tina Ruchandani <ruchandani.tina@gmail.com>
Date:   Thu Mar 16 16:27:46 2017 +0000

    afs: Prevent callback expiry timer overflow
    
    
    [ Upstream commit 56e714312e7dbd6bb83b2f78d3ec19a404c7649f ]
    
    get_seconds() returns real wall-clock seconds. On 32-bit systems
    this value will overflow in year 2038 and beyond. This patch changes
    afs_vnode record to use ktime_get_real_seconds() instead, for the
    fields cb_expires and cb_expires_at.
    
    Signed-off-by: Tina Ruchandani <ruchandani.tina@gmail.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 43e68e3725df183ec3b3eeb0207d6265a96477d2
Author: Tina Ruchandani <ruchandani.tina@gmail.com>
Date:   Thu Mar 16 16:27:46 2017 +0000

    afs: Migrate vlocation fields to 64-bit
    
    
    [ Upstream commit 8a79790bf0b7da216627ffb85f52cfb4adbf1e4e ]
    
    get_seconds() returns real wall-clock seconds. On 32-bit systems
    this value will overflow in year 2038 and beyond. This patch changes
    afs's vlocation record to use ktime_get_real_seconds() instead, for the
    fields time_of_death and update_at.
    
    Signed-off-by: Tina Ruchandani <ruchandani.tina@gmail.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9d8d20570f39fd38a78333ea2404250041288f43
Author: David Howells <dhowells@redhat.com>
Date:   Thu Mar 16 16:27:45 2017 +0000

    afs: Flush outstanding writes when an fd is closed
    
    
    [ Upstream commit 58fed94dfb17e89556b5705f20f90e5b2971b6a1 ]
    
    Flush outstanding writes in afs when an fd is closed.  This is what NFS and
    CIFS do.
    
    Reported-by: Marc Dionne <marc.c.dionne@gmail.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 549d7b98f55e61aa30b2db241509f43265c7175e
Author: Marc Dionne <marc.dionne@auristor.com>
Date:   Thu Mar 16 16:27:44 2017 +0000

    afs: Adjust mode bits processing
    
    
    [ Upstream commit 627f46943ff90bcc32ddeb675d881c043c6fa2ae ]
    
    Mode bits for an afs file should not be enforced in the usual
    way.
    
    For files, the absence of user bits can restrict file access
    with respect to what is granted by the server.
    
    These bits apply regardless of the owner or the current uid; the
    rest of the mode bits (group, other) are ignored.
    
    Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bb7a7cd6194f9d1f789ce4f83a086024bc93941f
Author: Marc Dionne <marc.dionne@auristor.com>
Date:   Thu Mar 16 16:27:43 2017 +0000

    afs: Populate group ID from vnode status
    
    
    [ Upstream commit 6186f0788b31f44affceeedc7b48eb10faea120d ]
    
    The group was hard coded to GLOBAL_ROOT_GID; use the group
    ID that was received from the server.
    
    Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1c277e9ebba6ee648b70e4dc4794e67c3d2d80cd
Author: David Howells <dhowells@redhat.com>
Date:   Thu Mar 16 16:27:43 2017 +0000

    afs: Fix missing put_page()
    
    
    [ Upstream commit 29c8bbbd6e21daa0997d1c3ee886b897ee7ad652 ]
    
    In afs_writepages_region(), inside the loop where we find dirty pages to
    deal with, one of the if-statements is missing a put_page().
    
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fec8348008b5b7ab934b1553e34dfff37a03ade2
Author: Alex Deucher <alexander.deucher@amd.com>
Date:   Wed Mar 15 21:11:46 2017 -0400

    drm/radeon: reinstate oland workaround for sclk
    
    
    [ Upstream commit 66822d815ae61ecb2d9dba9031517e8a8476969d ]
    
    Higher sclks seem to be unstable on some boards.
    
    bug: https://bugs.freedesktop.org/show_bug.cgi?id=100222
    
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6a51e93b2fe340708110899605fa36877db4c29c
Author: yong mao <yong.mao@mediatek.com>
Date:   Sat Mar 4 15:10:03 2017 +0800

    mmc: mediatek: Fixed bug where clock frequency could be set wrong
    
    
    [ Upstream commit 40ceda09c8c84694c2ca6b00bcc6dc71e8e62d96 ]
    
    This patch can fix two issues:
    
    Issue 1:
    In previous code, div may be overflow when setting clock frequency
    as f_min. We can use DIV_ROUND_UP to fix this boundary related
    issue.
    
    Issue 2:
    In previous code, we can not set the correct clock frequency when
    div equals 0xff.
    
    Signed-off-by: Yong Mao <yong.mao@mediatek.com>
    Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
    Reviewed-by: Daniel Kurtz <djkurtz@chromium.org>
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 51b3eac39a6ce8e90b1faad510f8fdaed2805b62
Author: Steven Rostedt (VMware) <rostedt@goodmis.org>
Date:   Thu Mar 2 15:10:59 2017 +0100

    sched/deadline: Use deadline instead of period when calculating overflow
    
    
    [ Upstream commit 2317d5f1c34913bac5971d93d69fb6c31bb74670 ]
    
    I was testing Daniel's changes with his test case, and tweaked it a
    little. Instead of having the runtime equal to the deadline, I
    increased the deadline ten fold.
    
    Daniel's test case had:
    
            attr.sched_runtime  = 2 * 1000 * 1000;          /* 2 ms */
            attr.sched_deadline = 2 * 1000 * 1000;          /* 2 ms */
            attr.sched_period   = 2 * 1000 * 1000 * 1000;   /* 2 s */
    
    To make it more interesting, I changed it to:
    
            attr.sched_runtime  =  2 * 1000 * 1000;         /* 2 ms */
            attr.sched_deadline = 20 * 1000 * 1000;         /* 20 ms */
            attr.sched_period   =  2 * 1000 * 1000 * 1000;  /* 2 s */
    
    The results were rather surprising. The behavior that Daniel's patch
    was fixing came back. The task started using much more than .1% of the
    CPU. More like 20%.
    
    Looking into this I found that it was due to the dl_entity_overflow()
    constantly returning true. That's because it uses the relative period
    against relative runtime vs the absolute deadline against absolute
    runtime.
    
      runtime / (deadline - t) > dl_runtime / dl_period
    
    There's even a comment mentioning this, and saying that when relative
    deadline equals relative period, that the equation is the same as using
    deadline instead of period. That comment is backwards! What we really
    want is:
    
      runtime / (deadline - t) > dl_runtime / dl_deadline
    
    We care about if the runtime can make its deadline, not its period. And
    then we can say "when the deadline equals the period, the equation is
    the same as using dl_period instead of dl_deadline".
    
    After correcting this, now when the task gets enqueued, it can throttle
    correctly, and Daniel's fix to the throttling of sleeping deadline
    tasks works even when the runtime and deadline are not the same.
    
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Reviewed-by: Daniel Bristot de Oliveira <bristot@redhat.com>
    Cc: Juri Lelli <juri.lelli@arm.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Luca Abeni <luca.abeni@santannapisa.it>
    Cc: Mike Galbraith <efault@gmx.de>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Romulo Silva de Oliveira <romulo.deoliveira@ufsc.br>
    Cc: Steven Rostedt <rostedt@goodmis.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Tommaso Cucinotta <tommaso.cucinotta@sssup.it>
    Link: http://lkml.kernel.org/r/02135a27f1ae3fe5fd032568a5a2f370e190e8d7.1488392936.git.bristot@redhat.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ca91884bcf7de730344ab13cbcaf4279e7fe38a7
Author: Daniel Bristot de Oliveira <bristot@redhat.com>
Date:   Thu Mar 2 15:10:58 2017 +0100

    sched/deadline: Throttle a constrained deadline task activated after the deadline
    
    
    [ Upstream commit df8eac8cafce7d086be3bd5cf5a838fa37594dfb ]
    
    During the activation, CBS checks if it can reuse the current task's
    runtime and period. If the deadline of the task is in the past, CBS
    cannot use the runtime, and so it replenishes the task. This rule
    works fine for implicit deadline tasks (deadline == period), and the
    CBS was designed for implicit deadline tasks. However, a task with
    constrained deadline (deadine < period) might be awakened after the
    deadline, but before the next period. In this case, replenishing the
    task would allow it to run for runtime / deadline. As in this case
    deadline < period, CBS enables a task to run for more than the
    runtime / period. In a very loaded system, this can cause a domino
    effect, making other tasks miss their deadlines.
    
    To avoid this problem, in the activation of a constrained deadline
    task after the deadline but before the next period, throttle the
    task and set the replenishing timer to the begin of the next period,
    unless it is boosted.
    
    Reproducer:
    
     --------------- %< ---------------
      int main (int argc, char **argv)
      {
            int ret;
            int flags = 0;
            unsigned long l = 0;
            struct timespec ts;
            struct sched_attr attr;
    
            memset(&attr, 0, sizeof(attr));
            attr.size = sizeof(attr);
    
            attr.sched_policy   = SCHED_DEADLINE;
            attr.sched_runtime  = 2 * 1000 * 1000;          /* 2 ms */
            attr.sched_deadline = 2 * 1000 * 1000;          /* 2 ms */
            attr.sched_period   = 2 * 1000 * 1000 * 1000;   /* 2 s */
    
            ts.tv_sec = 0;
            ts.tv_nsec = 2000 * 1000;                       /* 2 ms */
    
            ret = sched_setattr(0, &attr, flags);
    
            if (ret < 0) {
                    perror("sched_setattr");
                    exit(-1);
            }
    
            for(;;) {
                    /* XXX: you may need to adjust the loop */
                    for (l = 0; l < 150000; l++);
                    /*
                     * The ideia is to go to sleep right before the deadline
                     * and then wake up before the next period to receive
                     * a new replenishment.
                     */
                    nanosleep(&ts, NULL);
            }
    
            exit(0);
      }
      --------------- >% ---------------
    
    On my box, this reproducer uses almost 50% of the CPU time, which is
    obviously wrong for a task with 2/2000 reservation.
    
    Signed-off-by: Daniel Bristot de Oliveira <bristot@redhat.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Juri Lelli <juri.lelli@arm.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Luca Abeni <luca.abeni@santannapisa.it>
    Cc: Mike Galbraith <efault@gmx.de>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Romulo Silva de Oliveira <romulo.deoliveira@ufsc.br>
    Cc: Steven Rostedt <rostedt@goodmis.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Tommaso Cucinotta <tommaso.cucinotta@sssup.it>
    Link: http://lkml.kernel.org/r/edf58354e01db46bf42df8d2dd32418833f68c89.1488392936.git.bristot@redhat.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cd0e18d2f24b58f0793f3c7af2d75def1daec8a2
Author: Daniel Bristot de Oliveira <bristot@redhat.com>
Date:   Thu Mar 2 15:10:57 2017 +0100

    sched/deadline: Make sure the replenishment timer fires in the next period
    
    
    [ Upstream commit 5ac69d37784b237707a7b15d199cdb6c6fdb6780 ]
    
    Currently, the replenishment timer is set to fire at the deadline
    of a task. Although that works for implicit deadline tasks because the
    deadline is equals to the begin of the next period, that is not correct
    for constrained deadline tasks (deadline < period).
    
    For instance:
    
    f.c:
     --------------- %< ---------------
    int main (void)
    {
            for(;;);
    }
     --------------- >% ---------------
    
      # gcc -o f f.c
    
      # trace-cmd record -e sched:sched_switch                              \
                                       -e syscalls:sys_exit_sched_setattr   \
       chrt -d --sched-runtime  490000000                                   \
               --sched-deadline 500000000                                   \
               --sched-period  1000000000 0 ./f
    
      # trace-cmd report | grep "{pid of ./f}"
    
    After setting parameters, the task is replenished and continue running
    until being throttled:
    
             f-11295 [003] 13322.113776: sys_exit_sched_setattr: 0x0
    
    The task is throttled after running 492318 ms, as expected:
    
             f-11295 [003] 13322.606094: sched_switch:   f:11295 [-1] R ==> watchdog/3:32 [0]
    
    But then, the task is replenished 500719 ms after the first
    replenishment:
    
        <idle>-0     [003] 13322.614495: sched_switch:   swapper/3:0 [120] R ==> f:11295 [-1]
    
    Running for 490277 ms:
    
             f-11295 [003] 13323.104772: sched_switch:   f:11295 [-1] R ==>  swapper/3:0 [120]
    
    Hence, in the first period, the task runs 2 * runtime, and that is a bug.
    
    During the first replenishment, the next deadline is set one period away.
    So the runtime / period starts to be respected. However, as the second
    replenishment took place in the wrong instant, the next replenishment
    will also be held in a wrong instant of time. Rather than occurring in
    the nth period away from the first activation, it is taking place
    in the (nth period - relative deadline).
    
    Signed-off-by: Daniel Bristot de Oliveira <bristot@redhat.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Reviewed-by: Luca Abeni <luca.abeni@santannapisa.it>
    Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Reviewed-by: Juri Lelli <juri.lelli@arm.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Mike Galbraith <efault@gmx.de>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Romulo Silva de Oliveira <romulo.deoliveira@ufsc.br>
    Cc: Steven Rostedt <rostedt@goodmis.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Tommaso Cucinotta <tommaso.cucinotta@sssup.it>
    Link: http://lkml.kernel.org/r/ac50d89887c25285b47465638354b63362f8adff.1488392936.git.bristot@redhat.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4c6567f5af9ab46754befb953761135b37b249f5
Author: Alex Deucher <alexander.deucher@amd.com>
Date:   Tue Mar 14 14:42:03 2017 -0400

    drm/radeon/si: add dpm quirk for Oland
    
    
    [ Upstream commit 0f424de1fd9bc4ab24bd1fe5430ab5618e803e31 ]
    
    OLAND 0x1002:0x6604 0x1028:0x066F 0x00 seems to have problems
    with higher sclks.
    
    Acked-by: Christian König <christian.koenig@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c383ebf1acd6e30fb6b93078d5c0b20c1769a907
Author: Taku Izumi <izumi.taku@jp.fujitsu.com>
Date:   Wed Mar 15 13:47:50 2017 +0900

    fjes: Fix wrong netdevice feature flags
    
    
    [ Upstream commit fe8daf5fa715f7214952f06a387e4b7de818c5be ]
    
    This patch fixes netdev->features for Extended Socket network device.
    
    Currently Extended Socket network device's netdev->feature claims
    NETIF_F_HW_CSUM, however this is completely wrong. There's no feature
    of checksum offloading.
    That causes invalid TCP/UDP checksum and packet rejection when IP
    forwarding from Extended Socket network device to other network device.
    
    NETIF_F_HW_CSUM should be omitted.
    
    Signed-off-by: Taku Izumi <izumi.taku@jp.fujitsu.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a33a9d0c705fefb20a937708314aad65e09da110
Author: Don Brace <don.brace@microsemi.com>
Date:   Fri Mar 10 14:35:17 2017 -0600

    scsi: hpsa: limit outstanding rescans
    
    
    [ Upstream commit 87b9e6aa87d9411f1059aa245c0c79976bc557ac ]
    
    Avoid rescan storms. No need to queue another if one is pending.
    
    Reviewed-by: Scott Benesh <scott.benesh@microsemi.com>
    Reviewed-by: Scott Teel <scott.teel@microsemi.com>
    Reviewed-by: Tomas Henzl <thenzl@redhat.com>
    Signed-off-by: Don Brace <don.brace@microsemi.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0a609298214bed0db80da031e9193b2c39a96c3b
Author: Don Brace <don.brace@microsemi.com>
Date:   Fri Mar 10 14:35:11 2017 -0600

    scsi: hpsa: update check for logical volume status
    
    
    [ Upstream commit 85b29008d8af6d94a0723aaa8d93cfb6e041158b ]
    
     - Add in a new case for volume offline. Resolves internal testing bug
       for multilun array management.
     - Return correct status for failed TURs.
    
    Reviewed-by: Scott Benesh <scott.benesh@microsemi.com>
    Reviewed-by: Scott Teel <scott.teel@microsemi.com>
    Signed-off-by: Don Brace <don.brace@microsemi.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b0def6f1e26b4b3a53865f9e34d95f6cd460a22a
Author: Stafford Horne <shorne@gmail.com>
Date:   Mon Mar 13 07:44:45 2017 +0900

    openrisc: fix issue handling 8 byte get_user calls
    
    
    [ Upstream commit 154e67cd8e8f964809d0e75e44bb121b169c75b3 ]
    
    Was getting the following error with allmodconfig:
    
      ERROR: "__get_user_bad" [lib/test_user_copy.ko] undefined!
    
    This was simply a missing break statement, causing an unwanted fall
    through.
    
    Signed-off-by: Stafford Horne <shorne@gmail.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1236cc3664dc6b5ad9fe5175ef2c033bb25c5102
Author: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Date:   Thu Jun 30 16:10:51 2016 +0300

    intel_th: pci: Add Gemini Lake support
    
    
    [ Upstream commit 340837f985c2cb87ca0868d4aa9ce42b0fab3a21 ]
    
    This adds Intel(R) Trace Hub PCI ID for Gemini Lake SOC.
    
    Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d270d24ee59682db2d84fabc5ee12ff7c75ed43e
Author: Jiri Pirko <jiri@mellanox.com>
Date:   Tue Mar 14 14:00:01 2017 +0100

    mlxsw: reg: Fix SPVMLR max record count
    
    
    [ Upstream commit e9093b1183bbac462d2caef3eac165778c0b1bf1 ]
    
    The num_rec field is 8 bit, so the maximal count number is 255.
    This fixes vlans learning not being enabled for wider ranges than 255.
    
    Fixes: a4feea74cd7a ("mlxsw: reg: Add Switch Port VLAN MAC Learning register definition")
    Signed-off-by: Jiri Pirko <jiri@mellanox.com>
    Reviewed-by: Ido Schimmel <idosch@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e934e13550a0803fae96167515d34a96797edcbd
Author: Jiri Pirko <jiri@mellanox.com>
Date:   Tue Mar 14 14:00:00 2017 +0100

    mlxsw: reg: Fix SPVM max record count
    
    
    [ Upstream commit f004ec065b4879d6bc9ba0211af2169b3ce3097f ]
    
    The num_rec field is 8 bit, so the maximal count number is 255. This
    fixes vlans not being enabled for wider ranges than 255.
    
    Fixes: b2e345f9a454 ("mlxsw: reg: Add Switch Port VID and Switch Port VLAN Membership registers definitions")
    Signed-off-by: Jiri Pirko <jiri@mellanox.com>
    Reviewed-by: Ido Schimmel <idosch@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 677a7aac2ec61af2f8cf6d4ebb59c7a7671bf320
Author: Vlad Yasevich <vyasevich@gmail.com>
Date:   Tue Mar 14 08:58:08 2017 -0400

    net: Resend IGMP memberships upon peer notification.
    
    
    [ Upstream commit 37c343b4f4e70e9dc328ab04903c0ec8d154c1a4 ]
    
    When we notify peers of potential changes,  it's also good to update
    IGMP memberships.  For example, during VM migration, updating IGMP
    memberships will redirect existing multicast streams to the VM at the
    new location.
    
    Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
    Acked-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 26af6a8b51f110a4c3b69156a1d9886bbccffabf
Author: Matthias Kaehlcke <mka@chromium.org>
Date:   Mon Mar 13 14:30:29 2017 -0700

    dmaengine: Fix array index out of bounds warning in __get_unmap_pool()
    
    
    [ Upstream commit 23f963e91fd81f44f6b316b1c24db563354c6be8 ]
    
    This fixes the following warning when building with clang and
    CONFIG_DMA_ENGINE_RAID=n :
    
    drivers/dma/dmaengine.c:1102:11: error: array index 2 is past the end of the array (which contains 1 element) [-Werror,-Warray-bounds]
                    return &unmap_pool[2];
                            ^          ~
    drivers/dma/dmaengine.c:1083:1: note: array 'unmap_pool' declared here
    static struct dmaengine_unmap_pool unmap_pool[] = {
    ^
    drivers/dma/dmaengine.c:1104:11: error: array index 3 is past the end of the array (which contains 1 element) [-Werror,-Warray-bounds]
                    return &unmap_pool[3];
                            ^          ~
    drivers/dma/dmaengine.c:1083:1: note: array 'unmap_pool' declared here
    static struct dmaengine_unmap_pool unmap_pool[] = {
    
    Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
    Reviewed-by: Dan Williams <dan.j.williams@intel.com>
    Signed-off-by: Vinod Koul <vinod.koul@intel.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9cd4b8684621ae667af599db2d3f3062f37c47dd
Author: Johan Hovold <johan@kernel.org>
Date:   Mon Mar 13 13:42:03 2017 +0100

    net: wimax/i2400m: fix NULL-deref at probe
    
    
    [ Upstream commit 6e526fdff7be4f13b24f929a04c0e9ae6761291e ]
    
    Make sure to check the number of endpoints to avoid dereferencing a
    NULL-pointer or accessing memory beyond the endpoint array should a
    malicious device lack the expected endpoints.
    
    The endpoints are specifically dereferenced in the i2400m_bootrom_init
    path during probe (e.g. in i2400mu_tx_bulk_out).
    
    Fixes: f398e4240fce ("i2400m/USB: probe/disconnect, dev init/shutdown
    and reset backends")
    Cc: Inaky Perez-Gonzalez <inaky@linux.intel.com>
    
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b424289863d09900643c8e2dd6fa53a465895258
Author: Tahsin Erdogan <tahsin@google.com>
Date:   Fri Mar 10 12:09:49 2017 -0800

    writeback: fix memory leak in wb_queue_work()
    
    
    [ Upstream commit 4a3a485b1ed0e109718cc8c9d094fa0f552de9b2 ]
    
    When WB_registered flag is not set, wb_queue_work() skips queuing the
    work, but does not perform the necessary clean up. In particular, if
    work->auto_free is true, it should free the memory.
    
    The leak condition can be reprouced by following these steps:
    
       mount /dev/sdb /mnt/sdb
       /* In qemu console: device_del sdb */
       umount /dev/sdb
    
    Above will result in a wb_queue_work() call on an unregistered wb and
    thus leak memory.
    
    Reported-by: John Sperbeck <jsperbeck@google.com>
    Signed-off-by: Tahsin Erdogan <tahsin@google.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Jens Axboe <axboe@fb.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fbdf477fcff6b16869665cbf7a38c1b6dbfe0d8a
Author: Florian Westphal <fw@strlen.de>
Date:   Thu Mar 9 23:22:30 2017 +0100

    netfilter: bridge: honor frag_max_size when refragmenting
    
    
    [ Upstream commit 4ca60d08cbe65f501baad64af50fceba79c19fbb ]
    
    consider a bridge with mtu 9000, but end host sending smaller
    packets to another host with mtu < 9000.
    
    In this case, after reassembly, bridge+defrag would refragment,
    and then attempt to send the reassembled packet as long as it
    was below 9k.
    
    Instead we have to cap by the largest fragment size seen.
    
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7edb2d2d86808c05ea75f4269c41bcc775988b08
Author: Tomi Valkeinen <tomi.valkeinen@ti.com>
Date:   Tue Feb 28 10:11:45 2017 +0200

    drm/omap: fix dmabuf mmap for dma_alloc'ed buffers
    
    
    [ Upstream commit 9fa1d7537242bd580ffa99c4725a0407096aad26 ]
    
    omap_gem_dmabuf_mmap() returns an error (with a WARN) when called for a
    buffer which is allocated with dma_alloc_*(). This prevents dmabuf mmap
    from working on SoCs without DMM, e.g. AM4 and OMAP3.
    
    I could not find any reason for omap_gem_dmabuf_mmap() rejecting such
    buffers, and just removing the if() fixes the limitation.
    
    Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dbfba339c729fa1fc355166b1b77b0a81a4e07ee
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Date:   Tue Feb 28 17:14:41 2017 -0800

    Input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list
    
    
    [ Upstream commit a4c2a13129f7c5bcf81704c06851601593303fd5 ]
    
    TUXEDO BU1406 does not implement active multiplexing mode properly,
    and takes around 550 ms in i8042_set_mux_mode(). Given that the
    device does not have external AUX port, there is no downside in
    disabling the MUX mode.
    
    Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
    Suggested-by: Vojtech Pavlik <vojtech@suse.cz>
    Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit df56784760405b586a94beb94ad513ad45094ae1
Author: NeilBrown <neilb@suse.com>
Date:   Fri Mar 10 11:36:39 2017 +1100

    NFSD: fix nfsd_reset_versions for NFSv4.
    
    
    [ Upstream commit 800a938f0bf9130c8256116649c0cc5806bfb2fd ]
    
    If you write "-2 -3 -4" to the "versions" file, it will
    notice that no versions are enabled, and nfsd_reset_versions()
    is called.
    This enables all major versions, not no minor versions.
    So we lose the invariant that NFSv4 is only advertised when
    at least one minor is enabled.
    
    Fix the code to explicitly enable minor versions for v4,
    change it to use nfsd_vers() to test and set, and simplify
    the code.
    
    Signed-off-by: NeilBrown <neilb@suse.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5b0334584ad613c3ab0009c51828af3c1f3b653e
Author: NeilBrown <neilb@suse.com>
Date:   Fri Mar 10 11:36:39 2017 +1100

    NFSD: fix nfsd_minorversion(.., NFSD_AVAIL)
    
    
    [ Upstream commit 928c6fb3a9bfd6c5b287aa3465226add551c13c0 ]
    
    Current code will return 1 if the version is supported,
    and -1 if it isn't.
    This is confusing and inconsistent with the one place where this
    is used.
    So change to return 1 if it is supported, and zero if not.
    i.e. an error is never returned.
    
    Signed-off-by: NeilBrown <neilb@suse.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 067cb6b2f7162fa11c4f7c423e31bb3c39f29665
Author: Doug Berger <opendmb@gmail.com>
Date:   Thu Mar 9 16:58:48 2017 -0800

    net: bcmgenet: Power up the internal PHY before probing the MII
    
    
    [ Upstream commit 6be371b053dc86f11465cc1abce2e99bda0a0574 ]
    
    When using the internal PHY it must be powered up when the MII is probed
    or the PHY will not be detected.  Since the PHY is powered up at reset
    this has not been a problem.  However, when the kernel is restarted with
    kexec the PHY will likely be powered down when the kernel starts so it
    will not be detected and the Ethernet link will not be established.
    
    This commit explicitly powers up the internal PHY when the GENET driver
    is probed to correct this behavior.
    
    Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
    Signed-off-by: Doug Berger <opendmb@gmail.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a33e082dcaf42ce5813e7368a4c1a6666501fcf8
Author: Doug Berger <opendmb@gmail.com>
Date:   Thu Mar 9 16:58:46 2017 -0800

    net: bcmgenet: power down internal phy if open or resume fails
    
    
    [ Upstream commit 7627409cc4970e8c8b9de6945ad86a575290a94e ]
    
    Since the internal PHY is powered up during the open and resume
    functions it should be powered back down if the functions fail.
    
    Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
    Signed-off-by: Doug Berger <opendmb@gmail.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8aaed873f3b980a85087f2b5347a0acafb4bd63d
Author: Doug Berger <opendmb@gmail.com>
Date:   Thu Mar 9 16:58:45 2017 -0800

    net: bcmgenet: reserved phy revisions must be checked first
    
    
    [ Upstream commit eca4bad73409aedc6ff22f823c18b67a4f08c851 ]
    
    The reserved gphy_rev value of 0x01ff must be tested before the old
    or new scheme for GPHY major versioning are tested, otherwise it will
    be treated as 0xff00 according to the old scheme.
    
    Fixes: b04a2f5b9ff5 ("net: bcmgenet: add support for new GENET PHY revision scheme")
    Signed-off-by: Doug Berger <opendmb@gmail.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c25da696fca149bb76e7ee37844f872565493c92
Author: Doug Berger <opendmb@gmail.com>
Date:   Thu Mar 9 16:58:44 2017 -0800

    net: bcmgenet: correct MIB access of UniMAC RUNT counters
    
    
    [ Upstream commit 1ad3d225e5a40ca6c586989b4baaca710544c15a ]
    
    The gap between the Tx status counters and the Rx RUNT counters is now
    being added to allow correct reporting of the registers.
    
    Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
    Signed-off-by: Doug Berger <opendmb@gmail.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 296b584763f7d87d475da9eba5090b874b7b50ac
Author: Doug Berger <opendmb@gmail.com>
Date:   Thu Mar 9 16:58:43 2017 -0800

    net: bcmgenet: correct the RBUF_OVFL_CNT and RBUF_ERR_CNT MIB values
    
    
    [ Upstream commit ffff71328a3c321f7c14cc1edd33577717037744 ]
    
    The location of the RBUF overflow and error counters has moved between
    different version of the GENET MAC.  This commit corrects the driver to
    read from the correct locations depending on the version of the GENET
    MAC.
    
    Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
    Signed-off-by: Doug Berger <opendmb@gmail.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit accbd99507b1b22a0402cfd7b385a87a541f404d
Author: Alexander Potapenko <glider@google.com>
Date:   Wed Mar 8 18:08:16 2017 +0100

    net: initialize msg.msg_flags in recvfrom
    
    
    [ Upstream commit 9f138fa609c47403374a862a08a41394be53d461 ]
    
    KMSAN reports a use of uninitialized memory in put_cmsg() because
    msg.msg_flags in recvfrom haven't been initialized properly.
    The flag values don't affect the result on this path, but it's still a
    good idea to initialize them explicitly.
    
    Signed-off-by: Alexander Potapenko <glider@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b5213e1e9f25ccde958aa6364815ee87fef91100
Author: Andrea Arcangeli <aarcange@redhat.com>
Date:   Thu Mar 9 16:17:14 2017 -0800

    userfaultfd: selftest: vm: allow to build in vm/ directory
    
    
    [ Upstream commit 46aa6a302b53f543f8e8b8e1714dc5e449ad36a6 ]
    
    linux/tools/testing/selftests/vm $ make
    
      gcc -Wall -I ../../../../usr/include     compaction_test.c -lrt -o /compaction_test
      /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.4/../../../../x86_64-pc-linux-gnu/bin/ld: cannot open output file /compaction_test: Permission denied
      collect2: error: ld returned 1 exit status
      make: *** [../lib.mk:54: /compaction_test] Error 1
    
    Since commit a8ba798bc8ec ("selftests: enable O and KBUILD_OUTPUT")
    selftests/vm build fails if run from the "selftests/vm" directory, but
    it works in the selftests/ directory.  It's quicker to be able to do a
    local vm-only build after a tree wipe and this patch allows for it
    again.
    
    Link: http://lkml.kernel.org/r/20170302173738.18994-4-aarcange@redhat.com
    Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
    Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
    Cc: Mike Kravetz <mike.kravetz@oracle.com>
    Cc: Pavel Emelyanov <xemul@parallels.com>
    Cc: Hillf Danton <hillf.zj@alibaba-inc.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ee9be99630398c907261042ed092612bcbfaa69d
Author: Andrea Arcangeli <aarcange@redhat.com>
Date:   Thu Mar 9 16:16:28 2017 -0800

    userfaultfd: shmem: __do_fault requires VM_FAULT_NOPAGE
    
    
    [ Upstream commit 6bbc4a4144b1a69743022ac68dfaf6e7d993abb9 ]
    
    __do_fault assumes vmf->page has been initialized and is valid if
    VM_FAULT_NOPAGE is not returned by vma->vm_ops->fault(vma, vmf).
    
    handle_userfault() in turn should return VM_FAULT_NOPAGE if it doesn't
    return VM_FAULT_SIGBUS or VM_FAULT_RETRY (the other two possibilities).
    
    This VM_FAULT_NOPAGE case is only invoked when signal are pending and it
    didn't matter for anonymous memory before.  It only started to matter
    since shmem was introduced.  hugetlbfs also takes a different path and
    doesn't exercise __do_fault.
    
    Link: http://lkml.kernel.org/r/20170228154201.GH5816@redhat.com
    Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Cc: "Kirill A. Shutemov" <kirill@shutemov.name>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0d0456ec2b089457233f4a33c9939dfeff11fbbd
Author: Guoqing Jiang <gqjiang@suse.com>
Date:   Fri Feb 24 11:15:12 2017 +0800

    md-cluster: free md_cluster_info if node leave cluster
    
    
    [ Upstream commit 9c8043f337f14d1743006dfc59c03e80a42e3884 ]
    
    To avoid memory leak, we need to free the cinfo which
    is allocated when node join cluster.
    
    Reviewed-by: NeilBrown <neilb@suse.com>
    Signed-off-by: Guoqing Jiang <gqjiang@suse.com>
    Signed-off-by: Shaohua Li <shli@fb.com>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a1d72bc18e776f8c5fc5918fc4f4a2795f31a416
Author: Javier Martinez Canillas <javier@osg.samsung.com>
Date:   Wed Feb 22 15:23:22 2017 -0300

    usb: phy: isp1301: Add OF device ID table
    
    
    [ Upstream commit fd567653bdb908009b650f079bfd4b63169e2ac4 ]
    
    The driver doesn't have a struct of_device_id table but supported devices
    are registered via Device Trees. This is working on the assumption that a
    I2C device registered via OF will always match a legacy I2C device ID and
    that the MODALIAS reported will always be of the form i2c:<device>.
    
    But this could change in the future so the correct approach is to have an
    OF device ID table if the devices are registered via OF.
    
    Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 75252bfe9e493a314d62e820aea07a6c48dea833
Author: Ilan peer <ilan.peer@intel.com>
Date:   Mon Dec 26 18:17:36 2016 +0200

    mac80211: Fix addition of mesh configuration element
    
    commit 57629915d568c522ac1422df7bba4bee5b5c7a7c upstream.
    
    The code was setting the capabilities byte to zero,
    after it was already properly set previously. Fix it.
    
    The bug was found while debugging hwsim mesh tests failures
    that happened since the commit mentioned below.
    
    Fixes: 76f43b4c0a93 ("mac80211: Remove invalid flag operations in mesh TSF synchronization")
    Signed-off-by: Ilan Peer <ilan.peer@intel.com>
    Reviewed-by: Masashi Honma <masashi.honma@gmail.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Cc: Richard Schütz <rschuetz@uni-koblenz.de>
    Cc: Mathias Kretschmer <mathias.kretschmer@fit.fraunhofer.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 13e86efb2eee6bd1f2d0aae5b0273e8e65683c9d
Author: Eric Biggers <ebiggers@google.com>
Date:   Fri Dec 8 15:13:27 2017 +0000

    KEYS: add missing permission check for request_key() destination
    
    commit 4dca6ea1d9432052afb06baf2e3ae78188a4410b upstream.
    
    When the request_key() syscall is not passed a destination keyring, it
    links the requested key (if constructed) into the "default" request-key
    keyring.  This should require Write permission to the keyring.  However,
    there is actually no permission check.
    
    This can be abused to add keys to any keyring to which only Search
    permission is granted.  This is because Search permission allows joining
    the keyring.  keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_SESSION_KEYRING)
    then will set the default request-key keyring to the session keyring.
    Then, request_key() can be used to add keys to the keyring.
    
    Both negatively and positively instantiated keys can be added using this
    method.  Adding negative keys is trivial.  Adding a positive key is a
    bit trickier.  It requires that either /sbin/request-key positively
    instantiates the key, or that another thread adds the key to the process
    keyring at just the right time, such that request_key() misses it
    initially but then finds it in construct_alloc_key().
    
    Fix this bug by checking for Write permission to the keyring in
    construct_get_dest_keyring() when the default keyring is being used.
    
    We don't do the permission check for non-default keyrings because that
    was already done by the earlier call to lookup_user_key().  Also,
    request_key_and_link() is currently passed a 'struct key *' rather than
    a key_ref_t, so the "possessed" bit is unavailable.
    
    We also don't do the permission check for the "requestor keyring", to
    continue to support the use case described by commit 8bbf4976b59f
    ("KEYS: Alter use of key instantiation link-to-keyring argument") where
    /sbin/request-key recursively calls request_key() to add keys to the
    original requestor's destination keyring.  (I don't know of any users
    who actually do that, though...)
    
    Fixes: 3e30148c3d52 ("[PATCH] Keys: Make request-key create an authorisation key")
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ef7ce82bc28065fd916fc1c0f7e00c2151fcd8a0
Author: Chandan Rajendra <chandan@linux.vnet.ibm.com>
Date:   Mon Dec 11 15:00:57 2017 -0500

    ext4: fix crash when a directory's i_size is too small
    
    commit 9d5afec6b8bd46d6ed821aa1579634437f58ef1f upstream.
    
    On a ppc64 machine, when mounting a fuzzed ext2 image (generated by
    fsfuzzer) the following call trace is seen,
    
    VFS: brelse: Trying to free free buffer
    WARNING: CPU: 1 PID: 6913 at /root/repos/linux/fs/buffer.c:1165 .__brelse.part.6+0x24/0x40
    .__brelse.part.6+0x20/0x40 (unreliable)
    .ext4_find_entry+0x384/0x4f0
    .ext4_lookup+0x84/0x250
    .lookup_slow+0xdc/0x230
    .walk_component+0x268/0x400
    .path_lookupat+0xec/0x2d0
    .filename_lookup+0x9c/0x1d0
    .vfs_statx+0x98/0x140
    .SyS_newfstatat+0x48/0x80
    system_call+0x58/0x6c
    
    This happens because the directory that ext4_find_entry() looks up has
    inode->i_size that is less than the block size of the filesystem. This
    causes 'nblocks' to have a value of zero. ext4_bread_batch() ends up not
    reading any of the directory file's blocks. This renders the entries in
    bh_use[] array to continue to have garbage data. buffer_uptodate() on
    bh_use[0] can then return a zero value upon which brelse() function is
    invoked.
    
    This commit fixes the bug by returning -ENOENT when the directory file
    has no associated blocks.
    
    Reported-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com>
    Signed-off-by: Chandan Rajendra <chandan@linux.vnet.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2c367edaba650af3d58fd68b6600fc4cbed77c1a
Author: Eryu Guan <eguan@redhat.com>
Date:   Sun Dec 3 22:52:51 2017 -0500

    ext4: fix fdatasync(2) after fallocate(2) operation
    
    commit c894aa97577e47d3066b27b32499ecf899bfa8b0 upstream.
    
    Currently, fallocate(2) with KEEP_SIZE followed by a fdatasync(2)
    then crash, we'll see wrong allocated block number (stat -c %b), the
    blocks allocated beyond EOF are all lost. fstests generic/468
    exposes this bug.
    
    Commit 67a7d5f561f4 ("ext4: fix fdatasync(2) after extent
    manipulation operations") fixed all the other extent manipulation
    operation paths such as hole punch, zero range, collapse range etc.,
    but forgot the fallocate case.
    
    So similarly, fix it by recording the correct journal tid in ext4
    inode in fallocate(2) path, so that ext4_sync_file() will wait for
    the right tid to be committed on fdatasync(2).
    
    This addresses the test failure in xfstests test generic/468.
    
    Signed-off-by: Eryu Guan <eguan@redhat.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 52425e042843c935f35480192610fca850283578
Author: Adam Wallis <awallis@codeaurora.org>
Date:   Mon Nov 27 10:45:01 2017 -0500

    dmaengine: dmatest: move callback wait queue to thread context
    
    commit 6f6a23a213be51728502b88741ba6a10cda2441d upstream.
    
    Commit adfa543e7314 ("dmatest: don't use set_freezable_with_signal()")
    introduced a bug (that is in fact documented by the patch commit text)
    that leaves behind a dangling pointer. Since the done_wait structure is
    allocated on the stack, future invocations to the DMATEST can produce
    undesirable results (e.g., corrupted spinlocks).
    
    Commit a9df21e34b42 ("dmaengine: dmatest: warn user when dma test times
    out") attempted to WARN the user that the stack was likely corrupted but
    did not fix the actual issue.
    
    This patch fixes the issue by pushing the wait queue and callback
    structs into the the thread structure. If a failure occurs due to time,
    dmaengine_terminate_all will force the callback to safely call
    wake_up_all() without possibility of using a freed pointer.
    
    Bug: https://bugzilla.kernel.org/show_bug.cgi?id=197605
    Fixes: adfa543e7314 ("dmatest: don't use set_freezable_with_signal()")
    Reviewed-by: Sinan Kaya <okaya@codeaurora.org>
    Suggested-by: Shunyong Yang <shunyong.yang@hxt-semitech.com>
    Signed-off-by: Adam Wallis <awallis@codeaurora.org>
    Signed-off-by: Vinod Koul <vinod.koul@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit af36d95af55f4bac94128875491671771d3d4916
Author: Steven Rostedt <rostedt@goodmis.org>
Date:   Sat Dec 2 13:04:54 2017 -0500

    sched/rt: Do not pull from current CPU if only one CPU to pull
    
    commit f73c52a5bcd1710994e53fbccc378c42b97a06b6 upstream.
    
    Daniel Wagner reported a crash on the BeagleBone Black SoC.
    
    This is a single CPU architecture, and does not have a functional
    arch_send_call_function_single_ipi() implementation which can crash
    the kernel if that is called.
    
    As it only has one CPU, it shouldn't be called, but if the kernel is
    compiled for SMP, the push/pull RT scheduling logic now calls it for
    irq_work if the one CPU is overloaded, it can use that function to call
    itself and crash the kernel.
    
    Ideally, we should disable the SCHED_FEAT(RT_PUSH_IPI) if the system
    only has a single CPU. But SCHED_FEAT is a constant if sched debugging
    is turned off. Another fix can also be used, and this should also help
    with normal SMP machines. That is, do not initiate the pull code if
    there's only one RT overloaded CPU, and that CPU happens to be the
    current CPU that is scheduling in a lower priority task.
    
    Even on a system with many CPUs, if there's many RT tasks waiting to
    run on a single CPU, and that CPU schedules in another RT task of lower
    priority, it will initiate the PULL logic in case there's a higher
    priority RT task on another CPU that is waiting to run. But if there is
    no other CPU with waiting RT tasks, it will initiate the RT pull logic
    on itself (as it still has RT tasks waiting to run). This is a wasted
    effort.
    
    Not only does this help with SMP code where the current CPU is the only
    one with RT overloaded tasks, it should also solve the issue that
    Daniel encountered, because it will prevent the PULL logic from
    executing, as there's only one CPU on the system, and the check added
    here will cause it to exit the RT pull code.
    
    Reported-by: Daniel Wagner <wagi@monom.org>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Acked-by: Peter Zijlstra <peterz@infradead.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: linux-rt-users <linux-rt-users@vger.kernel.org>
    Fixes: 4bdced5c9 ("sched/rt: Simplify the IPI based RT balancing logic")
    Link: http://lkml.kernel.org/r/20171202130454.4cbbfe8d@vmware.local.home
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f98ee9c0007bfe8f4465fabc762372add67d18fb
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Fri Dec 8 18:10:05 2017 +0200

    xhci: Don't add a virt_dev to the devs array before it's fully allocated
    
    commit 5d9b70f7d52eb14bb37861c663bae44de9521c35 upstream.
    
    Avoid null pointer dereference if some function is walking through the
    devs array accessing members of a new virt_dev that is mid allocation.
    
    Add the virt_dev to xhci->devs[i] _after_ the virt_device and all its
    members are properly allocated.
    
    issue found by KASAN: null-ptr-deref in xhci_find_slot_id_by_port
    
    "Quick analysis suggests that xhci_alloc_virt_device() is not mutex
    protected. If so, there is a time frame where xhci->devs[slot_id] is set
    but not fully initialized. Specifically, xhci->devs[i]->udev can be NULL."
    
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ffc7565746bb2fc063fc0f484c55ef6d8951a6ee
Author: Sukumar Ghorai <sukumar.ghorai@intel.com>
Date:   Wed Aug 16 14:46:55 2017 -0700

    Bluetooth: btusb: driver to enable the usb-wakeup feature
    
    commit a0085f2510e8976614ad8f766b209448b385492f upstream.
    
    BT-Controller connected as platform non-root-hub device and
    usb-driver initialize such device with wakeup disabled,
    Ref. usb_new_device().
    
    At present wakeup-capability get enabled by hid-input device from usb
    function driver(e.g. BT HID device) at runtime. Again some functional
    driver does not set usb-wakeup capability(e.g LE HID device implement
    as HID-over-GATT), and can't wakeup the host on USB.
    
    Most of the device operation (such as mass storage) initiated from host
    (except HID) and USB wakeup aligned with host resume procedure. For BT
    device, usb-wakeup capability need to enable form btusc driver as a
    generic solution for multiple profile use case and required for USB remote
    wakeup (in-bus wakeup) while host is suspended. Also usb-wakeup feature
    need to enable/disable with HCI interface up and down.
    
    Signed-off-by: Sukumar Ghorai <sukumar.ghorai@intel.com>
    Signed-off-by: Amit K Bag <amit.k.bag@intel.com>
    Acked-by: Oliver Neukum <oneukum@suse.com>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Cc: Matthias Kaehlcke <mka@chromium.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8c7c3d5b785f539da3f45920c7c1ab5de5727ba7
Author: Yan, Zheng <zyan@redhat.com>
Date:   Thu Nov 30 11:59:22 2017 +0800

    ceph: drop negative child dentries before try pruning inode's alias
    
    commit 040d786032bf59002d374b86d75b04d97624005c upstream.
    
    Negative child dentry holds reference on inode's alias, it makes
    d_prune_aliases() do nothing.
    
    Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
    Reviewed-by: Jeff Layton <jlayton@redhat.com>
    Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2862cfca39894ac265fbb5cde9a3ff90c02201f3
Author: Shuah Khan <shuahkh@osg.samsung.com>
Date:   Thu Dec 7 14:16:50 2017 -0700

    usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer
    
    commit be6123df1ea8f01ee2f896a16c2b7be3e4557a5a upstream.
    
    stub_send_ret_submit() handles urb with a potential null transfer_buffer,
    when it replays a packet with potential malicious data that could contain
    a null buffer. Add a check for the condition when actual_length > 0 and
    transfer_buffer is null.
    
    Reported-by: Secunia Research <vuln@secunia.com>
    Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dfdf5fa3e6647c0fc02be8d857b6b8b7098946ff
Author: Alan Stern <stern@rowland.harvard.edu>
Date:   Tue Dec 12 14:25:13 2017 -0500

    USB: core: prevent malicious bNumInterfaces overflow
    
    commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 upstream.
    
    A malicious USB device with crafted descriptors can cause the kernel
    to access unallocated memory by setting the bNumInterfaces value too
    high in a configuration descriptor.  Although the value is adjusted
    during parsing, this adjustment is skipped in one of the error return
    paths.
    
    This patch prevents the problem by setting bNumInterfaces to 0
    initially.  The existing code already sets it to the proper value
    after parsing is complete.
    
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 05de6fa5c0e2fbbed4d41eaf2b474a863c544532
Author: David Kozub <zub@linux.fjfi.cvut.cz>
Date:   Tue Dec 5 22:40:04 2017 +0100

    USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID
    
    commit 62354454625741f0569c2cbe45b2d192f8fd258e upstream.
    
    There is another JMS567-based USB3 UAS enclosure (152d:0578) that fails
    with the following error:
    
    [sda] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
    [sda] tag#0 Sense Key : Illegal Request [current]
    [sda] tag#0 Add. Sense: Invalid field in cdb
    
    The issue occurs both with UAS (occasionally) and mass storage
    (immediately after mounting a FS on a disk in the enclosure).
    
    Enabling US_FL_BROKEN_FUA quirk solves this issue.
    
    This patch adds an UNUSUAL_DEV with US_FL_BROKEN_FUA for the enclosure
    for both UAS and mass storage.
    
    Signed-off-by: David Kozub <zub@linux.fjfi.cvut.cz>
    Acked-by: Alan Stern <stern@rowland.harvard.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a34419b3f6a277b4da240f7b7a5e8be4d5c2356b
Author: Changbin Du <changbin.du@intel.com>
Date:   Thu Nov 30 11:39:43 2017 +0800

    tracing: Allocate mask_str buffer dynamically
    
    commit 90e406f96f630c07d631a021fd4af10aac913e77 upstream.
    
    The default NR_CPUS can be very large, but actual possible nr_cpu_ids
    usually is very small. For my x86 distribution, the NR_CPUS is 8192 and
    nr_cpu_ids is 4. About 2 pages are wasted.
    
    Most machines don't have so many CPUs, so define a array with NR_CPUS
    just wastes memory. So let's allocate the buffer dynamically when need.
    
    With this change, the mutext tracing_cpumask_update_lock also can be
    removed now, which was used to protect mask_str.
    
    Link: http://lkml.kernel.org/r/1512013183-19107-1-git-send-email-changbin.du@intel.com
    
    Fixes: 36dfe9252bd4c ("ftrace: make use of tracing_cpumask")
    Signed-off-by: Changbin Du <changbin.du@intel.com>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c60db4f68593e381571fdf9e2111363e1793cdf4
Author: NeilBrown <neilb@suse.com>
Date:   Thu Dec 14 15:32:38 2017 -0800

    autofs: fix careless error in recent commit
    
    commit 302ec300ef8a545a7fc7f667e5fd743b091c2eeb upstream.
    
    Commit ecc0c469f277 ("autofs: don't fail mount for transient error") was
    meant to replace an 'if' with a 'switch', but instead added the 'switch'
    leaving the case in place.
    
    Link: http://lkml.kernel.org/r/87zi6wstmw.fsf@notabene.neil.brown.name
    Fixes: ecc0c469f277 ("autofs: don't fail mount for transient error")
    Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Signed-off-by: NeilBrown <neilb@suse.com>
    Cc: Ian Kent <raven@themaw.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8a311b0462b59d12cb14e82e626d3612d988135b
Author: Eric Biggers <ebiggers@google.com>
Date:   Tue Nov 28 20:56:59 2017 -0800

    crypto: salsa20 - fix blkcipher_walk API usage
    
    commit ecaaab5649781c5a0effdaf298a925063020500e upstream.
    
    When asked to encrypt or decrypt 0 bytes, both the generic and x86
    implementations of Salsa20 crash in blkcipher_walk_done(), either when
    doing 'kfree(walk->buffer)' or 'free_page((unsigned long)walk->page)',
    because walk->buffer and walk->page have not been initialized.
    
    The bug is that Salsa20 is calling blkcipher_walk_done() even when
    nothing is in 'walk.nbytes'.  But blkcipher_walk_done() is only meant to
    be called when a nonzero number of bytes have been provided.
    
    The broken code is part of an optimization that tries to make only one
    call to salsa20_encrypt_bytes() to process inputs that are not evenly
    divisible by 64 bytes.  To fix the bug, just remove this "optimization"
    and use the blkcipher_walk API the same way all the other users do.
    
    Reproducer:
    
        #include <linux/if_alg.h>
        #include <sys/socket.h>
        #include <unistd.h>
    
        int main()
        {
                int algfd, reqfd;
                struct sockaddr_alg addr = {
                        .salg_type = "skcipher",
                        .salg_name = "salsa20",
                };
                char key[16] = { 0 };
    
                algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
                bind(algfd, (void *)&addr, sizeof(addr));
                reqfd = accept(algfd, 0, 0);
                setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
                read(reqfd, key, sizeof(key));
        }
    
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Fixes: eb6f13eb9f81 ("[CRYPTO] salsa20_generic: Fix multi-page processing")
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 43cd7f38612df31fbd929588c065cfbc42102aab
Author: Eric Biggers <ebiggers@google.com>
Date:   Tue Nov 28 18:01:38 2017 -0800

    crypto: hmac - require that the underlying hash algorithm is unkeyed
    
    commit af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1 upstream.
    
    Because the HMAC template didn't check that its underlying hash
    algorithm is unkeyed, trying to use "hmac(hmac(sha3-512-generic))"
    through AF_ALG or through KEYCTL_DH_COMPUTE resulted in the inner HMAC
    being used without having been keyed, resulting in sha3_update() being
    called without sha3_init(), causing a stack buffer overflow.
    
    This is a very old bug, but it seems to have only started causing real
    problems when SHA-3 support was added (requires CONFIG_CRYPTO_SHA3)
    because the innermost hash's state is ->import()ed from a zeroed buffer,
    and it just so happens that other hash algorithms are fine with that,
    but SHA-3 is not.  However, there could be arch or hardware-dependent
    hash algorithms also affected; I couldn't test everything.
    
    Fix the bug by introducing a function crypto_shash_alg_has_setkey()
    which tests whether a shash algorithm is keyed.  Then update the HMAC
    template to require that its underlying hash algorithm is unkeyed.
    
    Here is a reproducer:
    
        #include <linux/if_alg.h>
        #include <sys/socket.h>
    
        int main()
        {
            int algfd;
            struct sockaddr_alg addr = {
                .salg_type = "hash",
                .salg_name = "hmac(hmac(sha3-512-generic))",
            };
            char key[4096] = { 0 };
    
            algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
            bind(algfd, (const struct sockaddr *)&addr, sizeof(addr));
            setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
        }
    
    Here was the KASAN report from syzbot:
    
        BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:341  [inline]
        BUG: KASAN: stack-out-of-bounds in sha3_update+0xdf/0x2e0  crypto/sha3_generic.c:161
        Write of size 4096 at addr ffff8801cca07c40 by task syzkaller076574/3044
    
        CPU: 1 PID: 3044 Comm: syzkaller076574 Not tainted 4.14.0-mm1+ #25
        Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  Google 01/01/2011
        Call Trace:
          __dump_stack lib/dump_stack.c:17 [inline]
          dump_stack+0x194/0x257 lib/dump_stack.c:53
          print_address_description+0x73/0x250 mm/kasan/report.c:252
          kasan_report_error mm/kasan/report.c:351 [inline]
          kasan_report+0x25b/0x340 mm/kasan/report.c:409
          check_memory_region_inline mm/kasan/kasan.c:260 [inline]
          check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
          memcpy+0x37/0x50 mm/kasan/kasan.c:303
          memcpy include/linux/string.h:341 [inline]
          sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
          crypto_shash_update+0xcb/0x220 crypto/shash.c:109
          shash_finup_unaligned+0x2a/0x60 crypto/shash.c:151
          crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
          hmac_finup+0x182/0x330 crypto/hmac.c:152
          crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
          shash_digest_unaligned+0x9e/0xd0 crypto/shash.c:172
          crypto_shash_digest+0xc4/0x120 crypto/shash.c:186
          hmac_setkey+0x36a/0x690 crypto/hmac.c:66
          crypto_shash_setkey+0xad/0x190 crypto/shash.c:64
          shash_async_setkey+0x47/0x60 crypto/shash.c:207
          crypto_ahash_setkey+0xaf/0x180 crypto/ahash.c:200
          hash_setkey+0x40/0x90 crypto/algif_hash.c:446
          alg_setkey crypto/af_alg.c:221 [inline]
          alg_setsockopt+0x2a1/0x350 crypto/af_alg.c:254
          SYSC_setsockopt net/socket.c:1851 [inline]
          SyS_setsockopt+0x189/0x360 net/socket.c:1830
          entry_SYSCALL_64_fastpath+0x1f/0x96
    
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>