commit cdd48f386d7e6671e7cc21e517ae258b298ec877
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Oct 3 17:01:55 2018 -0700

    Linux 4.9.131

commit ec964c3c00457e7ce6b633a33d1c6b61e0091557
Author: Sakari Ailus <sakari.ailus@linux.intel.com>
Date:   Tue Sep 11 05:32:37 2018 -0400

    media: v4l: event: Prevent freeing event subscriptions while accessed
    
    commit ad608fbcf166fec809e402d548761768f602702c upstream.
    
    The event subscriptions are added to the subscribed event list while
    holding a spinlock, but that lock is subsequently released while still
    accessing the subscription object. This makes it possible to unsubscribe
    the event --- and freeing the subscription object's memory --- while
    the subscription object is simultaneously accessed.
    
    Prevent this by adding a mutex to serialise the event subscription and
    unsubscription. This also gives a guarantee to the callback ops that the
    add op has returned before the del op is called.
    
    This change also results in making the elems field less special:
    subscriptions are only added to the event list once they are fully
    initialised.
    
    Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
    Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
    Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Cc: stable@vger.kernel.org # for 4.14 and up
    Fixes: c3b5b0241f62 ("V4L/DVB: V4L: Events: Add backend")
    Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 53819c17ecbee86089396e6e7ae1f3e6de958db9
Author: Marc Zyngier <marc.zyngier@arm.com>
Date:   Thu Sep 27 16:53:22 2018 +0100

    arm64: KVM: Sanitize PSTATE.M when being set from userspace
    
    commit 2a3f93459d689d990b3ecfbe782fec89b97d3279 upstream.
    
    Not all execution modes are valid for a guest, and some of them
    depend on what the HW actually supports. Let's verify that what
    userspace provides is compatible with both the VM settings and
    the HW capabilities.
    
    Cc: <stable@vger.kernel.org>
    Fixes: 0d854a60b1d7 ("arm64: KVM: enable initialization of a 32bit vcpu")
    Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
    Reviewed-by: Mark Rutland <mark.rutland@arm.com>
    Reviewed-by: Dave Martin <Dave.Martin@arm.com>
    Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 563f2d01a1e8e38e24a03289e66505ba18a9b889
Author: Mika Westerberg <mika.westerberg@linux.intel.com>
Date:   Thu Aug 30 11:50:13 2018 +0300

    i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus
    
    [ Upstream commit 7fd6d98b89f382d414e1db528e29a67bbd749457 ]
    
    Commit 7ae81952cda ("i2c: i801: Allow ACPI SystemIO OpRegion to conflict
    with PCI BAR") made it possible for AML code to access SMBus I/O ports
    by installing custom SystemIO OpRegion handler and blocking i80i driver
    access upon first AML read/write to this OpRegion.
    
    However, while ThinkPad T560 does have SystemIO OpRegion declared under
    the SMBus device, it does not access any of the SMBus registers:
    
        Device (SMBU)
        {
            ...
    
            OperationRegion (SMBP, PCI_Config, 0x50, 0x04)
            Field (SMBP, DWordAcc, NoLock, Preserve)
            {
                ,   5,
                TCOB,   11,
                Offset (0x04)
            }
    
            Name (TCBV, 0x00)
            Method (TCBS, 0, NotSerialized)
            {
                If ((TCBV == 0x00))
                {
                TCBV = (\_SB.PCI0.SMBU.TCOB << 0x05)
                }
    
                Return (TCBV) /* \_SB_.PCI0.SMBU.TCBV */
            }
    
            OperationRegion (TCBA, SystemIO, TCBS (), 0x10)
            Field (TCBA, ByteAcc, NoLock, Preserve)
            {
                Offset (0x04),
                ,   9,
                CPSC,   1
            }
        }
    
    Problem with the current approach is that it blocks all I/O port access
    and because this system has touchpad connected to the SMBus controller
    after first AML access (happens during suspend/resume cycle) the
    touchpad fails to work anymore.
    
    Fix this so that we allow ACPI AML I/O port access if it does not touch
    the region reserved for the SMBus.
    
    Fixes: 7ae81952cda ("i2c: i801: Allow ACPI SystemIO OpRegion to conflict with PCI BAR")
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=200737
    Reported-by: Yussuf Khalil <dev@pp3345.net>
    Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
    Reviewed-by: Jean Delvare <jdelvare@suse.de>
    Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4f689d02c0bfa3cac11e5f805d46c702be2fb372
Author: Marc Zyngier <marc.zyngier@arm.com>
Date:   Fri Aug 24 15:08:30 2018 +0100

    arm/arm64: smccc-1.1: Handle function result as parameters
    
    [ Upstream commit 755a8bf5579d22eb5636685c516d8dede799e27b ]
    
    If someone has the silly idea to write something along those lines:
    
            extern u64 foo(void);
    
            void bar(struct arm_smccc_res *res)
            {
                    arm_smccc_1_1_smc(0xbad, foo(), res);
            }
    
    they are in for a surprise, as this gets compiled as:
    
            0000000000000588 <bar>:
             588:   a9be7bfd        stp     x29, x30, [sp, #-32]!
             58c:   910003fd        mov     x29, sp
             590:   f9000bf3        str     x19, [sp, #16]
             594:   aa0003f3        mov     x19, x0
             598:   aa1e03e0        mov     x0, x30
             59c:   94000000        bl      0 <_mcount>
             5a0:   94000000        bl      0 <foo>
             5a4:   aa0003e1        mov     x1, x0
             5a8:   d4000003        smc     #0x0
             5ac:   b4000073        cbz     x19, 5b8 <bar+0x30>
             5b0:   a9000660        stp     x0, x1, [x19]
             5b4:   a9010e62        stp     x2, x3, [x19, #16]
             5b8:   f9400bf3        ldr     x19, [sp, #16]
             5bc:   a8c27bfd        ldp     x29, x30, [sp], #32
             5c0:   d65f03c0        ret
             5c4:   d503201f        nop
    
    The call to foo "overwrites" the x0 register for the return value,
    and we end up calling the wrong secure service.
    
    A solution is to evaluate all the parameters before assigning
    anything to specific registers, leading to the expected result:
    
            0000000000000588 <bar>:
             588:   a9be7bfd        stp     x29, x30, [sp, #-32]!
             58c:   910003fd        mov     x29, sp
             590:   f9000bf3        str     x19, [sp, #16]
             594:   aa0003f3        mov     x19, x0
             598:   aa1e03e0        mov     x0, x30
             59c:   94000000        bl      0 <_mcount>
             5a0:   94000000        bl      0 <foo>
             5a4:   aa0003e1        mov     x1, x0
             5a8:   d28175a0        mov     x0, #0xbad
             5ac:   d4000003        smc     #0x0
             5b0:   b4000073        cbz     x19, 5bc <bar+0x34>
             5b4:   a9000660        stp     x0, x1, [x19]
             5b8:   a9010e62        stp     x2, x3, [x19, #16]
             5bc:   f9400bf3        ldr     x19, [sp, #16]
             5c0:   a8c27bfd        ldp     x29, x30, [sp], #32
             5c4:   d65f03c0        ret
    
    Reported-by: Julien Grall <julien.grall@arm.com>
    Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e757c1e6e71bf84ef741d05f3e0c802ab0141e16
Author: Marc Zyngier <marc.zyngier@arm.com>
Date:   Fri Aug 24 15:08:29 2018 +0100

    arm/arm64: smccc-1.1: Make return values unsigned long
    
    [ Upstream commit 1d8f574708a3fb6f18c85486d0c5217df893c0cf ]
    
    An unfortunate consequence of having a strong typing for the input
    values to the SMC call is that it also affects the type of the
    return values, limiting r0 to 32 bits and r{1,2,3} to whatever
    was passed as an input.
    
    Let's turn everything into "unsigned long", which satisfies the
    requirements of both architectures, and allows for the full
    range of return values.
    
    Reported-by: Julien Grall <julien.grall@arm.com>
    Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2c83e77a3e35dc91350cea077d1aaefdc0a61297
Author: Rex Zhu <Rex.Zhu@amd.com>
Date:   Fri Aug 24 16:17:54 2018 +0800

    drm/amdgpu: Update power state at the end of smu hw_init.
    
    [ Upstream commit 2ab4d0e74256fc49b7b270f63c1d1e47c2455abc ]
    
    For SI/Kv, the power state is managed by function
    amdgpu_pm_compute_clocks.
    
    when dpm enabled, we should call amdgpu_pm_compute_clocks
    to update current power state instand of set boot state.
    
    this change can fix the oops when kfd driver was enabled on Kv.
    
    Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
    Tested-by: Michel Dänzer <michel.daenzer@amd.com>
    Signed-off-by: Rex Zhu <Rex.Zhu@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d79d8b599188cfb54c1b84f82aab7ec786080e7d
Author: Rex Zhu <Rex.Zhu@amd.com>
Date:   Fri Aug 24 17:26:23 2018 +0800

    drm/amdgpu: Enable/disable gfx PG feature in rlc safe mode
    
    [ Upstream commit 8ef23364b654d44244400d79988e677e504b21ba ]
    
    This is required by gfx hw and can fix the rlc hang when
    do s3 stree test on Cz/St.
    
    Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Hang Zhou <hang.zhou@amd.com>
    Signed-off-by: Rex Zhu <Rex.Zhu@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8ccd9e428f392d7f06e17e620f3d150e7bb42a0f
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Aug 14 13:07:47 2018 +0300

    hwmon: (adt7475) Make adt7475_read_word() return errors
    
    [ Upstream commit f196dec6d50abb2e65fb54a0621b2f1b4d922995 ]
    
    The adt7475_read_word() function was meant to return negative error
    codes on failure.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Tokunori Ikegami <ikegami@allied-telesis.co.jp>
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fc63de901ec7af748a53f8279428f5804a60a8ff
Author: Lothar Felten <lothar.felten@gmail.com>
Date:   Tue Aug 14 09:09:37 2018 +0200

    hwmon: (ina2xx) fix sysfs shunt resistor read access
    
    [ Upstream commit 3ad867001c91657c46dcf6656d52eb6080286fd5 ]
    
    fix the sysfs shunt resistor read access: return the shunt resistor
    value, not the calibration register contents.
    
    update email address
    
    Signed-off-by: Lothar Felten <lothar.felten@gmail.com>
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1158961a593ed94f9aca1a844ef05abc464bebb3
Author: Bo Chen <chenbo@pdx.edu>
Date:   Mon Jul 23 09:01:30 2018 -0700

    e1000: ensure to free old tx/rx rings in set_ringparam()
    
    [ Upstream commit ee400a3f1bfe7004a3e14b81c38ccc5583c26295 ]
    
    In 'e1000_set_ringparam()', the tx_ring and rx_ring are updated with new value
    and the old tx/rx rings are freed only when the device is up. There are resource
    leaks on old tx/rx rings when the device is not up. This bug is reported by COD,
    a tool for testing kernel module binaries I am building.
    
    This patch fixes the bug by always calling 'kfree()' on old tx/rx rings in
    'e1000_set_ringparam()'.
    
    Signed-off-by: Bo Chen <chenbo@pdx.edu>
    Reviewed-by: Alexander Duyck <alexander.h.duyck@intel.com>
    Tested-by: Aaron Brown <aaron.f.brown@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 17c3ad93576ecc36e708a47798429b564fdbc0d9
Author: Bo Chen <chenbo@pdx.edu>
Date:   Mon Jul 23 09:01:29 2018 -0700

    e1000: check on netif_running() before calling e1000_up()
    
    [ Upstream commit cf1acec008f8d7761aa3fd7c4bca7e17b2d2512d ]
    
    When the device is not up, the call to 'e1000_up()' from the error handling path
    of 'e1000_set_ringparam()' causes a kernel oops with a null-pointer
    dereference. The null-pointer dereference is triggered in function
    'e1000_alloc_rx_buffers()' at line 'buffer_info = &rx_ring->buffer_info[i]'.
    
    This bug was reported by COD, a tool for testing kernel module binaries I am
    building. This bug was also detected by KFI from Dr. Kai Cong.
    
    This patch fixes the bug by checking on 'netif_running()' before calling
    'e1000_up()' in 'e1000_set_ringparam()'.
    
    Signed-off-by: Bo Chen <chenbo@pdx.edu>
    Acked-by: Alexander Duyck <alexander.h.duyck@intel.com>
    Tested-by: Aaron Brown <aaron.f.brown@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 58c29919644d5d64d66e185677423f447035f080
Author: Huazhong Tan <tanhuazhong@huawei.com>
Date:   Thu Aug 23 11:10:12 2018 +0800

    net: hns: fix skb->truesize underestimation
    
    [ Upstream commit b1ccd4c0ab6ef499f47dd84ed4920502a7147bba ]
    
    skb->truesize is not meant to be tracking amount of used bytes in a skb,
    but amount of reserved/consumed bytes in memory.
    
    For instance, if we use a single byte in last page fragment, we have to
    account the full size of the fragment.
    
    So skb_add_rx_frag needs to calculate the length of the entire buffer into
    turesize.
    
    Fixes: 9cbe9fd5214e ("net: hns: optimize XGE capability by reducing cpu usage")
    Signed-off-by: Huazhong tan <tanhuazhong@huawei.com>
    Signed-off-by: Salil Mehta <salil.mehta@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 44b4ae8248453bd6216776edb177edf6d994f791
Author: Huazhong Tan <tanhuazhong@huawei.com>
Date:   Thu Aug 23 11:10:10 2018 +0800

    net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES
    
    [ Upstream commit 3ed614dce3ca9912d22be215ff0f11104b69fe62 ]
    
    When enable the config item "CONFIG_ARM64_64K_PAGES", the size of PAGE_SIZE
    is 65536(64K). But the  type of length and page_offset are u16, they will
    overflow. So change them to u32.
    
    Fixes: 6fe6611ff275 ("net: add Hisilicon Network Subsystem hnae framework support")
    Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
    Signed-off-by: Salil Mehta <salil.mehta@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6ad98847580cd20ead2bec0d717d13a1fc846753
Author: Anson Huang <Anson.Huang@nxp.com>
Date:   Tue Jul 31 00:56:49 2018 +0800

    thermal: of-thermal: disable passive polling when thermal zone is disabled
    
    [ Upstream commit 152395fd03d4ce1e535a75cdbf58105e50587611 ]
    
    When thermal zone is in passive mode, disabling its mode from
    sysfs is NOT taking effect at all, it is still polling the
    temperature of the disabled thermal zone and handling all thermal
    trips, it makes user confused. The disabling operation should
    disable the thermal zone behavior completely, for both active and
    passive mode, this patch clears the passive_delay when thermal
    zone is disabled and restores it when it is enabled.
    
    Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
    Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6972b6dfe7c85834233618d6e1abe2ba24ec1b48
Author: Tomer Tayar <Tomer.Tayar@cavium.com>
Date:   Mon Aug 20 00:01:43 2018 +0300

    qed: Wait for MCP halt and resume commands to take place
    
    [ Upstream commit 76271809f49056f079e202bf6513d17b0d6dd34d ]
    
    Successive iterations of halting and resuming the management chip (MCP)
    might fail, since currently the driver doesn't wait for these operations to
    actually take place.
    This patch prevents the driver from moving forward before the operations
    are reflected in the state register.
    
    Signed-off-by: Tomer Tayar <Tomer.Tayar@cavium.com>
    Signed-off-by: Ariel Elior <Ariel.Elior@cavium.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c92f3fd58489ff848ac4cb64d928d27988a2d5a7
Author: Tomer Tayar <Tomer.Tayar@cavium.com>
Date:   Mon Aug 20 00:01:42 2018 +0300

    qed: Wait for ready indication before rereading the shmem
    
    [ Upstream commit f00d25f3154b676fcea4502a25b94bd7f142ca74 ]
    
    The MFW might be reset and re-update its shared memory.
    Upon the detection of such a reset the driver rereads this memory, but it
    has to wait till the data is valid.
    This patch adds the missing wait for a data ready indication.
    
    Signed-off-by: Tomer Tayar <Tomer.Tayar@cavium.com>
    Signed-off-by: Ariel Elior <Ariel.Elior@cavium.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3a282476161c54df1a2ef1ba664c8a3514ef49f4
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Sat Jun 16 15:40:48 2018 -0400

    ext4: never move the system.data xattr out of the inode body
    
    commit 8cdb5240ec5928b20490a2bb34cb87e9a5f40226 upstream.
    
    When expanding the extra isize space, we must never move the
    system.data xattr out of the inode body.  For performance reasons, it
    doesn't make any sense, and the inline data implementation assumes
    that system.data xattr is never in the external xattr block.
    
    This addresses CVE-2018-10880
    
    https://bugzilla.kernel.org/show_bug.cgi?id=200005
    
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@kernel.org
    [groeck: Context changes]
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bc769c0148cd9820c8db785a2a1298a6489125ae
Author: Dave Martin <Dave.Martin@arm.com>
Date:   Thu Sep 27 16:53:21 2018 +0100

    arm64: KVM: Tighten guest core register access from userspace
    
    commit d26c25a9d19b5976b319af528886f89cf455692d upstream.
    
    We currently allow userspace to access the core register file
    in about any possible way, including straddling multiple
    registers and doing unaligned accesses.
    
    This is not the expected use of the ABI, and nobody is actually
    using it that way. Let's tighten it by explicitly checking
    the size and alignment for each field of the register file.
    
    Cc: <stable@vger.kernel.org>
    Fixes: 2f4a07c5f9fe ("arm64: KVM: guest one-reg interface")
    Reviewed-by: Christoffer Dall <christoffer.dall@arm.com>
    Reviewed-by: Mark Rutland <mark.rutland@arm.com>
    Signed-off-by: Dave Martin <Dave.Martin@arm.com>
    [maz: rewrote Dave's initial patch to be more easily backported]
    Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7eb3b86dc7f0183f1d7c880f6921d1f36e1eabe8
Author: Ira Weiny <ira.weiny@intel.com>
Date:   Thu Sep 20 12:58:46 2018 -0700

    IB/hfi1: Fix SL array bounds check
    
    commit 0dbfaa9f2813787679e296eb5476e40938ab48c8 upstream.
    
    The SL specified by a user needs to be a valid SL.
    
    Add a range check to the user specified SL value which protects from
    running off the end of the SL to SC table.
    
    CC: stable@vger.kernel.org
    Fixes: 7724105686e7 ("IB/hfi1: add driver files")
    Signed-off-by: Ira Weiny <ira.weiny@intel.com>
    Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 61b5997ba333e44e7c58e8caa26e463c40ada5db
Author: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Date:   Thu Sep 20 14:11:17 2018 +0200

    serial: imx: restore handshaking irq for imx1
    
    commit 7e620984b62532783912312e334f3c48cdacbd5d upstream.
    
    Back in 2015 when irda was dropped from the driver imx1 was broken. This
    change reintroduces the support for the third interrupt of the UART.
    
    Fixes: afe9cbb1a6ad ("serial: imx: drop support for IRDA")
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Reviewed-by: Leonard Crestez <leonard.crestez@nxp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3d04174b0bcfe5d0cb6ee8ba7458b0d4c1293257
Author: Vincent Pelletier <plr.vincent@gmail.com>
Date:   Sun Sep 9 04:09:27 2018 +0000

    scsi: target: iscsi: Use bin2hex instead of a re-implementation
    
    commit 8c39e2699f8acb2e29782a834e56306da24937fe upstream.
    
    Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
    Reviewed-by: Mike Christie <mchristi@redhat.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    [plr.vincent@gmail.com: hunk context change for 4.4 and 4.9, no code change]
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b2e232022a9503cbb5d48744dc5b89bd44fb918e
Author: Michael J. Ruhl <michael.j.ruhl@intel.com>
Date:   Thu Sep 20 12:59:05 2018 -0700

    IB/hfi1: Fix context recovery when PBC has an UnsupportedVL
    
    commit d623500b3c4efd8d4e945ac9003c6b87b469a9ab upstream.
    
    If a packet stream uses an UnsupportedVL (virtual lane), the send
    engine will not send the packet, and it will not indicate that an
    error has occurred.  This will cause the packet stream to block.
    
    HFI has 8 virtual lanes available for packet streams.  Each lane can
    be enabled or disabled using the UnsupportedVL mask.  If a lane is
    disabled, adding a packet to the send context must be disallowed.
    
    The current mask for determining unsupported VLs defaults to 0 (allow
    all).  This is incorrect.  Only the VLs that are defined should be
    allowed.
    
    Determine which VLs are disabled (mtu == 0), and set the appropriate
    unsupported bit in the mask.  The correct mask will allow the send
    engine to error on the invalid VL, and error recovery will work
    correctly.
    
    Cc: <stable@vger.kernel.org> # 4.9.x+
    Fixes: 7724105686e7 ("IB/hfi1: add driver files")
    Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
    Reviewed-by: Lukasz Odzioba <lukasz.odzioba@intel.com>
    Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
    Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 98ed866e260d1554389f1ac128c72ac9920332e9
Author: Michael J. Ruhl <michael.j.ruhl@intel.com>
Date:   Thu Sep 20 12:58:56 2018 -0700

    IB/hfi1: Invalid user input can result in crash
    
    commit 94694d18cf27a6faad91487a38ce516c2b16e7d9 upstream.
    
    If the number of packets in a user sdma request does not match
    the actual iovectors being sent, sdma_cleanup can be called on
    an uninitialized request structure, resulting in a crash similar
    to this:
    
    BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
    IP: [<ffffffffc0ae8bb7>] __sdma_txclean+0x57/0x1e0 [hfi1]
    PGD 8000001044f61067 PUD 1052706067 PMD 0
    Oops: 0000 [#1] SMP
    CPU: 30 PID: 69912 Comm: upsm Kdump: loaded Tainted: G           OE
    ------------   3.10.0-862.el7.x86_64 #1
    Hardware name: Intel Corporation S2600KPR/S2600KPR, BIOS
    SE5C610.86B.01.01.0019.101220160604 10/12/2016
    task: ffff8b331c890000 ti: ffff8b2ed1f98000 task.ti: ffff8b2ed1f98000
    RIP: 0010:[<ffffffffc0ae8bb7>]  [<ffffffffc0ae8bb7>] __sdma_txclean+0x57/0x1e0
    [hfi1]
    RSP: 0018:ffff8b2ed1f9bab0  EFLAGS: 00010286
    RAX: 0000000000008b2b RBX: ffff8b2adf6e0000 RCX: 0000000000000000
    RDX: 00000000000000a0 RSI: ffff8b2e9eedc540 RDI: ffff8b2adf6e0000
    RBP: ffff8b2ed1f9bad8 R08: 0000000000000000 R09: ffffffffc0b04a06
    R10: ffff8b331c890190 R11: ffffe6ed00bf1840 R12: ffff8b3315480000
    R13: ffff8b33154800f0 R14: 00000000fffffff2 R15: ffff8b2e9eedc540
    FS:  00007f035ac47740(0000) GS:ffff8b331e100000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000008 CR3: 0000000c03fe6000 CR4: 00000000001607e0
    Call Trace:
     [<ffffffffc0b0570d>] user_sdma_send_pkts+0xdcd/0x1990 [hfi1]
     [<ffffffff9fe75fb0>] ? gup_pud_range+0x140/0x290
     [<ffffffffc0ad3105>] ? hfi1_mmu_rb_insert+0x155/0x1b0 [hfi1]
     [<ffffffffc0b0777b>] hfi1_user_sdma_process_request+0xc5b/0x11b0 [hfi1]
     [<ffffffffc0ac193a>] hfi1_aio_write+0xba/0x110 [hfi1]
     [<ffffffffa001a2bb>] do_sync_readv_writev+0x7b/0xd0
     [<ffffffffa001bede>] do_readv_writev+0xce/0x260
     [<ffffffffa022b089>] ? tty_ldisc_deref+0x19/0x20
     [<ffffffffa02268c0>] ? n_tty_ioctl+0xe0/0xe0
     [<ffffffffa001c105>] vfs_writev+0x35/0x60
     [<ffffffffa001c2bf>] SyS_writev+0x7f/0x110
     [<ffffffffa051f7d5>] system_call_fastpath+0x1c/0x21
    Code: 06 49 c7 47 18 00 00 00 00 0f 87 89 01 00 00 5b 41 5c 41 5d 41 5e 41 5f
    5d c3 66 2e 0f 1f 84 00 00 00 00 00 48 8b 4e 10 48 89 fb <48> 8b 51 08 49 89 d4
    83 e2 0c 41 81 e4 00 e0 00 00 48 c1 ea 02
    RIP  [<ffffffffc0ae8bb7>] __sdma_txclean+0x57/0x1e0 [hfi1]
     RSP <ffff8b2ed1f9bab0>
    CR2: 0000000000000008
    
    There are two exit points from user_sdma_send_pkts().  One (free_tx)
    merely frees the slab entry and one (free_txreq) cleans the sdma_txreq
    prior to freeing the slab entry.   The free_txreq variation can only be
    called after one of the sdma_init*() variations has been called.
    
    In the panic case, the slab entry had been allocated but not inited.
    
    Fix the issue by exiting through free_tx thus avoiding sdma_clean().
    
    Cc: <stable@vger.kernel.org> # 4.9.x+
    Fixes: 7724105686e7 ("IB/hfi1: add driver files")
    Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
    Reviewed-by: Lukasz Odzioba <lukasz.odzioba@intel.com>
    Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
    Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>

commit 94b7698c3d23e90c24b89bd7e6b5ab578fc8620c
Author: Bart Van Assche <bvanassche@acm.org>
Date:   Mon Sep 17 18:10:05 2018 -0700

    IB/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop
    
    commit ee92efe41cf358f4b99e73509f2bfd4733609f26 upstream.
    
    Use different loop variables for the inner and outer loop. This avoids
    that an infinite loop occurs if there are more RDMA channels than
    target->req_ring_size.
    
    Fixes: d92c0da71a35 ("IB/srp: Add multichannel support")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Bart Van Assche <bvanassche@acm.org>
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit aa749266a9407e446b231a636eba4e65d155d69b
Author: Aaron Ma <aaron.ma@canonical.com>
Date:   Tue Sep 18 09:32:22 2018 -0700

    Input: elantech - enable middle button of touchpad on ThinkPad P72
    
    commit 91a97507323e1ad4bfc10f4a5922e67cdaf8b3cd upstream.
    
    Adding 2 new touchpad IDs to support middle button support.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 56d298ab32fc3d74e3f3b691a75eb0c6b8955344
Author: Alan Stern <stern@rowland.harvard.edu>
Date:   Mon Sep 10 13:58:51 2018 -0400

    USB: remove LPM management from usb_driver_claim_interface()
    
    commit c183813fcee44a249339b7c46e1ad271ca1870aa upstream.
    
    usb_driver_claim_interface() disables and re-enables Link Power
    Management, but it shouldn't do either one, for the reasons listed
    below.  This patch removes the two LPM-related function calls from the
    routine.
    
    The reason for disabling LPM in the analogous function
    usb_probe_interface() is so that drivers won't have to deal with
    unwanted LPM transitions in their probe routine.  But
    usb_driver_claim_interface() doesn't call the driver's probe routine
    (or any other callbacks), so that reason doesn't apply here.
    
    Furthermore, no driver other than usbfs will ever call
    usb_driver_claim_interface() unless it is already bound to another
    interface in the same device, which means disabling LPM here would be
    redundant.  usbfs doesn't interact with LPM at all.
    
    Lastly, the error return from usb_unlocked_disable_lpm() isn't handled
    properly; the code doesn't clean up its earlier actions before
    returning.
    
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    Fixes: 8306095fd2c1 ("USB: Disable USB 3.0 LPM in critical sections.")
    CC: <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5c82d4a60c2f0315a8a550a54a79c80a64101a80
Author: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Date:   Tue Sep 11 10:00:44 2018 +0200

    Revert "usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()"
    
    commit e871db8d78df1c411032cbb3acfdf8930509360e upstream.
    
    This reverts commit 6e22e3af7bb3a7b9dc53cb4687659f6e63fca427.
    
    The bug the patch describes to, has been already fixed in commit
    2df6948428542 ("USB: cdc-wdm: don't enable interrupts in USB-giveback")
    so need to this, revert it.
    
    Fixes: 6e22e3af7bb3 ("usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()")
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 35d7a3bb6d5dd8214f61e7de7289acffd3f8ee22
Author: Oliver Neukum <oneukum@suse.com>
Date:   Wed Sep 5 12:07:03 2018 +0200

    USB: usbdevfs: restore warning for nonsensical flags
    
    commit 81e0403b26d94360abd1f6a57311337973bc82cd upstream.
    
    If we filter flags before they reach the core we need to generate our
    own warnings.
    
    Signed-off-by: Oliver Neukum <oneukum@suse.com>
    Fixes: 0cb54a3e47cb ("USB: debugging code shouldn't alter control flow")
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a2ecf4329fe1c334b7341c20beb90ba02bf9e76c
Author: Oliver Neukum <oneukum@suse.com>
Date:   Wed Sep 5 12:07:02 2018 +0200

    USB: usbdevfs: sanitize flags more
    
    commit 7a68d9fb851012829c29e770621905529bd9490b upstream.
    
    Requesting a ZERO_PACKET or not is sensible only for output.
    In the input direction the device decides.
    Likewise accepting short packets makes sense only for input.
    
    This allows operation with panic_on_warn without opening up
    a local DOS.
    
    Signed-off-by: Oliver Neukum <oneukum@suse.com>
    Reported-by: syzbot+843efa30c8821bd69f53@syzkaller.appspotmail.com
    Fixes: 0cb54a3e47cb ("USB: debugging code shouldn't alter control flow")
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 143c0f1ce18d33915dff42c4f2fe3b45b02578e1
Author: ming_qian <ming_qian@realsil.com.cn>
Date:   Tue May 8 22:13:08 2018 -0400

    media: uvcvideo: Support realtek's UVC 1.5 device
    
    commit f620d1d7afc7db57ab59f35000752840c91f67e7 upstream.
    
    media: uvcvideo: Support UVC 1.5 video probe & commit controls
    
    The length of UVC 1.5 video control is 48, and it is 34 for UVC 1.1.
    Change it to 48 for UVC 1.5 device, and the UVC 1.5 device can be
    recognized.
    
    More changes to the driver are needed for full UVC 1.5 compatibility.
    However, at least the UVC 1.5 Realtek RTS5847/RTS5852 cameras have been
    reported to work well.
    
    [laurent.pinchart@ideasonboard.com: Factor out code to helper function, update size checks]
    
    Cc: stable@vger.kernel.org
    Signed-off-by: ming_qian <ming_qian@realsil.com.cn>
    Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Tested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
    Tested-by: Ana Guerrero Lopez <ana.guerrero@collabora.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b052d04aa3fe44be2417d77f52c5a600aacec45c
Author: Alexey Dobriyan <adobriyan@gmail.com>
Date:   Thu Apr 5 16:21:10 2018 -0700

    slub: make ->cpu_partial unsigned int
    
    commit e5d9998f3e09359b372a037a6ac55ba235d95d57 upstream.
    
            /*
             * cpu_partial determined the maximum number of objects
             * kept in the per cpu partial lists of a processor.
             */
    
    Can't be negative.
    
    Link: http://lkml.kernel.org/r/20180305200730.15812-15-adobriyan@gmail.com
    Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
    Acked-by: Christoph Lameter <cl@linux.com>
    Cc: Pekka Enberg <penberg@kernel.org>
    Cc: David Rientjes <rientjes@google.com>
    Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: zhong jiang <zhongjiang@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 08bbab4af04b6087f3b7fba3aa4a79bf7a23244c
Author: Alan Stern <stern@rowland.harvard.edu>
Date:   Mon Sep 10 14:00:53 2018 -0400

    USB: handle NULL config in usb_find_alt_setting()
    
    commit c9a4cb204e9eb7fa7dfbe3f7d3a674fa530aa193 upstream.
    
    usb_find_alt_setting() takes a pointer to a struct usb_host_config as
    an argument; it searches for an interface with specified interface and
    alternate setting numbers in that config.  However, it crashes if the
    usb_host_config pointer argument is NULL.
    
    Since this is a general-purpose routine, available for use in many
    places, we want to to be more robust.  This patch makes it return NULL
    whenever the config argument is NULL.
    
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    Reported-by: syzbot+19c3aaef85a89d451eac@syzkaller.appspotmail.com
    CC: <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 49bdc6be0ffc0abd32dbca0d061df04b5ed7e075
Author: Alan Stern <stern@rowland.harvard.edu>
Date:   Mon Sep 10 13:59:59 2018 -0400

    USB: fix error handling in usb_driver_claim_interface()
    
    commit bd729f9d67aa9a303d8925bb8c4f06af25f407d1 upstream.
    
    The syzbot fuzzing project found a use-after-free bug in the USB
    core.  The bug was caused by usbfs not unbinding from an interface
    when the USB device file was closed, which led another process to
    attempt the unbind later on, after the private data structure had been
    deallocated.
    
    The reason usbfs did not unbind the interface at the appropriate time
    was because it thought the interface had never been claimed in the
    first place.  This was caused by the fact that
    usb_driver_claim_interface() does not clean up properly when
    device_bind_driver() returns an error.  Although the error code gets
    passed back to the caller, the iface->dev.driver pointer remains set
    and iface->condition remains equal to USB_INTERFACE_BOUND.
    
    This patch adds proper error handling to usb_driver_claim_interface().
    
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    Reported-by: syzbot+f84aa7209ccec829536f@syzkaller.appspotmail.com
    CC: <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 720ecd0588430fdb73d4ab12fefd912fa9afe034
Author: Yu Zhao <yuzhao@google.com>
Date:   Wed Sep 19 15:30:51 2018 -0600

    regulator: fix crash caused by null driver data
    
    commit fb6de923ca3358a91525552b4907d4cb38730bdd upstream.
    
    dev_set_drvdata() needs to be called before device_register()
    exposes device to userspace. Otherwise kernel crashes after it
    gets null pointer from dev_get_drvdata() when userspace tries
    to access sysfs entries.
    
    [Removed backtrace for length -- broonie]
    
    Signed-off-by: Yu Zhao <yuzhao@google.com>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 49e062ef7bc1854ee2f5c4ea51d4d0ab48ed405b
Author: Geert Uytterhoeven <geert+renesas@glider.be>
Date:   Wed Sep 5 10:49:39 2018 +0200

    spi: rspi: Fix interrupted DMA transfers
    
    commit 8dbbaa47b96f6ea5f09f922b4effff3c505cd8cf upstream.
    
    When interrupted, wait_event_interruptible_timeout() returns
    -ERESTARTSYS, and the SPI transfer in progress will fail, as expected:
    
        m25p80 spi0.0: SPI transfer failed: -512
        spi_master spi0: failed to transfer one message from queue
    
    However, as the underlying DMA transfers may not have completed, all
    subsequent SPI transfers may start to fail:
    
        spi_master spi0: receive timeout
        qspi_transfer_out_in() returned -110
        m25p80 spi0.0: SPI transfer failed: -110
        spi_master spi0: failed to transfer one message from queue
    
    Fix this by calling dmaengine_terminate_all() not only for timeouts, but
    also for errors.
    
    This can be reproduced on r8a7991/koelsch, using "hd /dev/mtd0" followed
    by CTRL-C.
    
    Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit afd56cd8831117a1e58df603941fc9f1d2cee110
Author: Geert Uytterhoeven <geert+renesas@glider.be>
Date:   Wed Sep 5 10:49:38 2018 +0200

    spi: rspi: Fix invalid SPI use during system suspend
    
    commit c1ca59c22c56930b377a665fdd1b43351887830b upstream.
    
    If the SPI queue is running during system suspend, the system may lock
    up.
    
    Fix this by stopping/restarting the queue during system suspend/resume,
    by calling spi_master_suspend()/spi_master_resume() from the PM
    callbacks.  In-kernel users will receive an -ESHUTDOWN error while
    system suspend/resume is in progress.
    
    Based on a patch for sh-msiof by Gaku Inami.
    
    Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b6581ea1fd2eeb3ce538c42434adb7c9082d6339
Author: Hiromitsu Yamasaki <hiromitsu.yamasaki.ym@renesas.com>
Date:   Wed Sep 5 10:49:37 2018 +0200

    spi: sh-msiof: Fix handling of write value for SISTR register
    
    commit 31a5fae4c5a009898da6d177901d5328051641ff upstream.
    
    This patch changes writing to the SISTR register according to the H/W
    user's manual.
    
    The TDREQ bit and RDREQ bits of SISTR are read-only, and must be written
    their initial values of zero.
    
    Signed-off-by: Hiromitsu Yamasaki <hiromitsu.yamasaki.ym@renesas.com>
    [geert: reword]
    Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 228cc0731f40fade83aa60bd30eefb47ee7631bd
Author: Gaku Inami <gaku.inami.xw@bp.renesas.com>
Date:   Wed Sep 5 10:49:36 2018 +0200

    spi: sh-msiof: Fix invalid SPI use during system suspend
    
    commit ffa69d6a16f686efe45269342474e421f2aa58b2 upstream.
    
    If the SPI queue is running during system suspend, the system may lock
    up.
    
    Fix this by stopping/restarting the queue during system suspend/resume
    by calling spi_master_suspend()/spi_master_resume() from the PM
    callbacks.  In-kernel users will receive an -ESHUTDOWN error while
    system suspend/resume is in progress.
    
    Signed-off-by: Gaku Inami <gaku.inami.xw@bp.renesas.com>
    Signed-off-by: Hiromitsu Yamasaki <hiromitsu.yamasaki.ym@renesas.com>
    [geert: Cleanup, reword]
    Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 072a82bd851afae81f850f8f2e87bd788cb440f4
Author: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Date:   Wed Aug 29 08:47:57 2018 +0200

    spi: tegra20-slink: explicitly enable/disable clock
    
    commit 7001cab1dabc0b72b2b672ef58a90ab64f5e2343 upstream.
    
    Depending on the SPI instance one may get an interrupt storm upon
    requesting resp. interrupt unless the clock is explicitly enabled
    beforehand. This has been observed trying to bring up instance 4 on
    T20.
    
    Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 96d39a06a90eefbb4af649cd5e0628a4747a615b
Author: Christophe Leroy <christophe.leroy@c-s.fr>
Date:   Fri Sep 14 10:32:50 2018 +0000

    serial: cpm_uart: return immediately from console poll
    
    commit be28c1e3ca29887e207f0cbcd294cefe5074bab6 upstream.
    
    kgdb expects poll function to return immediately and
    returning NO_POLL_CHAR when no character is available.
    
    Fixes: f5316b4aea024 ("kgdb,8250,pl011: Return immediately from console poll")
    Cc: Jason Wessel <jason.wessel@windriver.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c5347cd505fd0affa636e1ea0b39591b364c2d04
Author: Stefan Agner <stefan@agner.ch>
Date:   Tue Aug 28 12:44:24 2018 +0200

    tty: serial: lpuart: avoid leaking struct tty_struct
    
    commit 3216c622a24b0ebb9c159a8d1daf7f17a106b3f5 upstream.
    
    The function tty_port_tty_get() gets a reference to the tty. Since
    the code is not using tty_port_tty_set(), the reference is kept
    even after closing the tty.
    
    Avoid using tty_port_tty_get() by directly access the tty instance.
    Since lpuart_start_rx_dma() is called from the .startup() and
    .set_termios() callback, it is safe to assume the tty instance is
    valid.
    
    Cc: stable@vger.kernel.org # v4.9+
    Fixes: 5887ad43ee02 ("tty: serial: fsl_lpuart: Use cyclic DMA for Rx")
    Signed-off-by: Stefan Agner <stefan@agner.ch>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3da4db1dfc217c6f330be87baf5759ef4a4b8d93
Author: Andy Whitcroft <apw@canonical.com>
Date:   Thu Sep 20 09:09:48 2018 -0600

    floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
    
    commit 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e upstream.
    
    The final field of a floppy_struct is the field "name", which is a pointer
    to a string in kernel memory.  The kernel pointer should not be copied to
    user memory.  The FDGETPRM ioctl copies a floppy_struct to user memory,
    including this "name" field.  This pointer cannot be used by the user
    and it will leak a kernel address to user-space, which will reveal the
    location of kernel code and data and undermine KASLR protection.
    
    Model this code after the compat ioctl which copies the returned data
    to a previously cleared temporary structure on the stack (excluding the
    name pointer) and copy out to userspace from there.  As we already have
    an inparam union with an appropriate member and that memory is already
    cleared even for read only calls make use of that as a temporary store.
    
    Based on an initial patch by Brian Belleville.
    
    CVE-2018-7755
    Signed-off-by: Andy Whitcroft <apw@canonical.com>
    Broke up long line.
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a5f1735d55e79f3a074da8223c059a1513092ef6
Author: Kevin Hilman <khilman@baylibre.com>
Date:   Mon May 21 13:08:32 2018 -0700

    ARM: dts: dra7: fix DCAN node addresses
    
    [ Upstream commit 949bdcc8a97c6078f21c8d4966436b117f2e4cd3 ]
    
    Fix the DT node addresses to match the reg property addresses,
    which were verified to match the TRM:
    http://www.ti.com/lit/pdf/sprui30
    
    Cc: Roger Quadros <rogerq@ti.com>
    Signed-off-by: Kevin Hilman <khilman@baylibre.com>
    Acked-by: Roger Quadros <rogerq@ti.com>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b9ce6bd2971df7a57fb07e9b83145e75e2c203c6
Author: Johan Hovold <johan@kernel.org>
Date:   Tue Jun 12 14:43:34 2018 +0200

    EDAC: Fix memleak in module init error path
    
    [ Upstream commit 4708aa85d50cc6e962dfa8acf5ad4e0d290a21db ]
    
    Make sure to use put_device() to free the initialised struct device so
    that resources managed by driver core also gets released in the event of
    a registration failure.
    
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Cc: Denis Kirjanov <kirjanov@gmail.com>
    Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
    Cc: linux-edac <linux-edac@vger.kernel.org>
    Fixes: 2d56b109e3a5 ("EDAC: Handle error path in edac_mc_sysfs_init() properly")
    Link: http://lkml.kernel.org/r/20180612124335.6420-1-johan@kernel.org
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cacafc212394253d7e941ae0c0b8b5a64feb64e0
Author: J. Bruce Fields <bfields@redhat.com>
Date:   Wed Jun 13 15:21:35 2018 -0400

    nfsd: fix corrupted reply to badly ordered compound
    
    [ Upstream commit 5b7b15aee641904ae269be9846610a3950cbd64c ]
    
    We're encoding a single op in the reply but leaving the number of ops
    zero, so the reply makes no sense.
    
    Somewhat academic as this isn't a case any real client will hit, though
    in theory perhaps that could change in a future protocol extension.
    
    Reviewed-by: Jeff Layton <jlayton@kernel.org>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 78448534ff1cbc56b170a2812cd18bd5e0796235
Author: Nadav Amit <namit@vmware.com>
Date:   Mon Jun 4 06:58:14 2018 -0700

    gpio: Fix wrong rounding in gpio-menz127
    
    [ Upstream commit 7279d9917560bbd0d82813d6bf00490a82c06783 ]
    
    men_z127_debounce() tries to round up and down, but uses functions which
    are only suitable when the divider is a power of two, which is not the
    case. Use the appropriate ones.
    
    Found by static check. Compile tested.
    
    Fixes: f436bc2726c64 ("gpio: add driver for MEN 16Z127 GPIO controller")
    Signed-off-by: Nadav Amit <namit@vmware.com>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f5b9595f033ccea1fdc90e7256c9d918896f9e66
Author: Jessica Yu <jeyu@kernel.org>
Date:   Tue Jun 5 10:22:52 2018 +0200

    module: exclude SHN_UNDEF symbols from kallsyms api
    
    [ Upstream commit 9f2d1e68cf4d641def734adaccfc3823d3575e6c ]
    
    Livepatch modules are special in that we preserve their entire symbol
    tables in order to be able to apply relocations after module load. The
    unwanted side effect of this is that undefined (SHN_UNDEF) symbols of
    livepatch modules are accessible via the kallsyms api and this can
    confuse symbol resolution in livepatch (klp_find_object_symbol()) and
    cause subtle bugs in livepatch.
    
    Have the module kallsyms api skip over SHN_UNDEF symbols. These symbols
    are usually not available for normal modules anyway as we cut down their
    symbol tables to just the core (non-undefined) symbols, so this should
    really just affect livepatch modules. Note that this patch doesn't
    affect the display of undefined symbols in /proc/kallsyms.
    
    Reported-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Tested-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Signed-off-by: Jessica Yu <jeyu@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dfbf508f3151f5ca2d7b35af2e52eaf31ef64de3
Author: Liam Girdwood <liam.r.girdwood@linux.intel.com>
Date:   Thu Jun 14 20:26:42 2018 +0100

    ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs
    
    [ Upstream commit e01b4f624278d5efe5fb5da585ca371947b16680 ]
    
    Sometime a component or topology may configure a DAI widget with no
    private data leading to a dev_dbg() dereferencne of this data.
    
    Fix this to check for non NULL private data and let users know if widget
    is missing DAI.
    
    Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 64e5837e85c7984d192fd54b11c98ab091b5fa46
Author: Johan Hovold <johan@kernel.org>
Date:   Tue Jun 12 14:43:35 2018 +0200

    EDAC, i7core: Fix memleaks and use-after-free on probe and remove
    
    [ Upstream commit 6c974d4dfafe5e9ee754f2a6fba0eb1864f1649e ]
    
    Make sure to free and deregister the addrmatch and chancounts devices
    allocated during probe in all error paths. Also fix use-after-free in a
    probe error path and in the remove success path where the devices were
    being put before before deregistration.
    
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
    Cc: linux-edac <linux-edac@vger.kernel.org>
    Fixes: 356f0a30860d ("i7core_edac: change the mem allocation scheme to make Documentation/kobject.txt happy")
    Link: http://lkml.kernel.org/r/20180612124335.6420-2-johan@kernel.org
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4fa0de88105f946619ffffb924fb254f925b0798
Author: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
Date:   Mon Jun 4 03:45:10 2018 -0700

    scsi: megaraid_sas: Update controller info during resume
    
    [ Upstream commit c3b10a55abc943a526aaecd7e860b15671beb906 ]
    
    There is a possibility that firmware on the controller was upgraded before
    system was suspended. During resume, driver needs to read updated
    controller properties.
    
    Signed-off-by: Shivasharan S <shivasharan.srikanteshwara@broadcom.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0c603de17d0283c55d26963d1c945898c2a682a5
Author: Zhouyang Jia <jiazhouyang09@gmail.com>
Date:   Tue Jun 12 11:13:00 2018 +0800

    scsi: bnx2i: add error handling for ioremap_nocache
    
    [ Upstream commit aa154ea885eb0c2407457ce9c1538d78c95456fa ]
    
    When ioremap_nocache fails, the lack of error-handling code may cause
    unexpected results.
    
    This patch adds error-handling code after calling ioremap_nocache.
    
    Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
    Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
    Acked-by: Manish Rangankar <Manish.Rangankar@cavium.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5a206f1593206279e708a00e9859d15660658bb7
Author: Kan Liang <kan.liang@linux.intel.com>
Date:   Tue Jun 5 08:38:45 2018 -0700

    perf/x86/intel/lbr: Fix incomplete LBR call stack
    
    [ Upstream commit 0592e57b24e7e05ec1f4c50b9666c013abff7017 ]
    
    LBR has a limited stack size. If a task has a deeper call stack than
    LBR's stack size, only the overflowed part is reported. A complete call
    stack may not be reconstructed by perf tool.
    
    Current code doesn't access all LBR registers. It only read the ones
    below the TOS. The LBR registers above the TOS will be discarded
    unconditionally.
    
    When a CALL is captured, the TOS is incremented by 1 , modulo max LBR
    stack size. The LBR HW only records the call stack information to the
    register which the TOS points to. It will not touch other LBR
    registers. So the registers above the TOS probably still store the valid
    call stack information for an overflowed call stack, which need to be
    reported.
    
    To retrieve complete call stack information, we need to start from TOS,
    read all LBR registers until an invalid entry is detected.
    0s can be used to detect the invalid entry, because:
    
     - When a RET is captured, the HW zeros the LBR register which TOS points
       to, then decreases the TOS.
     - The LBR registers are reset to 0 when adding a new LBR event or
       scheduling an existing LBR event.
     - A taken branch at IP 0 is not expected
    
    The context switch code is also modified to save/restore all valid LBR
    registers. Furthermore, the LBR registers, which don't have valid call
    stack information, need to be reset in restore, because they may be
    polluted while swapped out.
    
    Here is a small test program, tchain_deep.
    Its call stack is deeper than 32.
    
     noinline void f33(void)
     {
            int i;
    
            for (i = 0; i < 10000000;) {
                    if (i%2)
                            i++;
                    else
                            i++;
            }
     }
    
     noinline void f32(void)
     {
            f33();
     }
    
     noinline void f31(void)
     {
            f32();
     }
    
     ... ...
    
     noinline void f1(void)
     {
            f2();
     }
    
     int main()
     {
            f1();
     }
    
    Here is the test result on SKX. The max stack size of SKX is 32.
    
    Without the patch:
    
     $ perf record -e cycles --call-graph lbr -- ./tchain_deep
     $ perf report --stdio
     #
     # Children      Self  Command      Shared Object     Symbol
     # ........  ........  ...........  ................  .................
     #
       100.00%    99.99%  tchain_deep    tchain_deep       [.] f33
                |
                 --99.99%--f30
                           f31
                           f32
                           f33
    
    With the patch:
    
     $ perf record -e cycles --call-graph lbr -- ./tchain_deep
     $ perf report --stdio
     # Children      Self  Command      Shared Object     Symbol
     # ........  ........  ...........  ................  ..................
     #
        99.99%     0.00%  tchain_deep    tchain_deep       [.] f1
                |
                ---f1
                   f2
                   f3
                   f4
                   f5
                   f6
                   f7
                   f8
                   f9
                   f10
                   f11
                   f12
                   f13
                   f14
                   f15
                   f16
                   f17
                   f18
                   f19
                   f20
                   f21
                   f22
                   f23
                   f24
                   f25
                   f26
                   f27
                   f28
                   f29
                   f30
                   f31
                   f32
                   f33
    
    Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Stephane Eranian <eranian@google.com>
    Cc: Vince Weaver <vincent.weaver@maine.edu>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: acme@kernel.org
    Cc: eranian@google.com
    Link: https://lore.kernel.org/lkml/1528213126-4312-1-git-send-email-kan.liang@linux.intel.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 24ae7dcad377c800c434ef0673727567bc6a5f1a
Author: Zhouyang Jia <jiazhouyang09@gmail.com>
Date:   Thu Jun 14 21:37:17 2018 +0800

    HID: hid-ntrig: add error handling for sysfs_create_group
    
    [ Upstream commit 44d4d51de9a3534a2b63d69efda02a10e66541e4 ]
    
    When sysfs_create_group fails, the lack of error-handling code may
    cause unexpected results.
    
    This patch adds error-handling code after calling sysfs_create_group.
    
    Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2d95fb1df3bb7021ef563a77c2177a9056f729d1
Author: Ethan Tuttle <ethan@ethantuttle.com>
Date:   Tue Jun 19 21:31:08 2018 -0700

    ARM: mvebu: declare asm symbols as character arrays in pmsu.c
    
    [ Upstream commit d0d378ff451a66e486488eec842e507d28145813 ]
    
    With CONFIG_FORTIFY_SOURCE, memcpy uses the declared size of operands to
    detect buffer overflows.  If src or dest is declared as a char, attempts to
    copy more than byte will result in a fortify_panic().
    
    Address this problem in mvebu_setup_boot_addr_wa() by declaring
    mvebu_boot_wa_start and mvebu_boot_wa_end as character arrays.  Also remove
    a couple addressof operators to avoid "arithmetic on pointer to an
    incomplete type" compiler error.
    
    See commit 54a7d50b9205 ("x86: mark kprobe templates as character arrays,
    not single characters") for a similar fix.
    
    Fixes "detected buffer overflow in memcpy" error during init on some mvebu
    systems (armada-370-xp, armada-375):
    
    (fortify_panic) from (mvebu_setup_boot_addr_wa+0xb0/0xb4)
    (mvebu_setup_boot_addr_wa) from (mvebu_v7_cpu_pm_init+0x154/0x204)
    (mvebu_v7_cpu_pm_init) from (do_one_initcall+0x7c/0x1a8)
    (do_one_initcall) from (kernel_init_freeable+0x1bc/0x254)
    (kernel_init_freeable) from (kernel_init+0x8/0x114)
    (kernel_init) from (ret_from_fork+0x14/0x2c)
    
    Signed-off-by: Ethan Tuttle <ethan@ethantuttle.com>
    Tested-by: Ethan Tuttle <ethan@ethantuttle.com>
    Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit afeeecc764436f31d4447575bb9007732333818c
Author: Tony Lindgren <tony@atomide.com>
Date:   Tue Jun 19 02:43:35 2018 -0700

    wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()
    
    [ Upstream commit 4ec7cece87b3ed21ffcd407c62fb2f151a366bc1 ]
    
    Otherwise we can get:
    
    WARNING: CPU: 0 PID: 55 at drivers/net/wireless/ti/wlcore/io.h:84
    
    I've only seen this few times with the runtime PM patches enabled
    so this one is probably not needed before that. This seems to
    work currently based on the current PM implementation timer. Let's
    apply this separately though in case others are hitting this issue.
    
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f204945c20f9fdd34a982f2cb58f45c91c0adf50
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jun 5 14:31:39 2018 +0300

    rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
    
    [ Upstream commit ae636fb1554833ee5133ca47bf4b2791b6739c52 ]
    
    This is a static checker fix, not something I have tested.  The issue
    is that on the second iteration through the loop, we jump forward by
    le32_to_cpu(auth_req->length) bytes.  The problem is that if the length
    is more than "buflen" then we end up with a negative "buflen".  A
    negative buflen is type promoted to a high positive value and the loop
    continues but it's accessing beyond the end of the buffer.
    
    I believe the "auth_req->length" comes from the firmware and if the
    firmware is malicious or buggy, you're already toasted so the impact of
    this bug is probably not very severe.
    
    Fixes: 030645aceb3d ("rndis_wlan: handle 802.11 indications from device")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7b4a09d167ebed0a6e10695cdfd7e0410057008a
Author: Jernej Skrabec <jernej.skrabec@siol.net>
Date:   Mon Jun 25 14:02:46 2018 +0200

    drm/sun4i: Fix releasing node when enumerating enpoints
    
    [ Upstream commit 367c359aa8637b15ee8df6335c5a29b7623966ec ]
    
    sun4i_drv_add_endpoints() has a memory leak since it uses of_node_put()
    when remote is equal to NULL and does nothing when remote has a valid
    pointer.
    
    Invert the logic to fix memory leak.
    
    Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
    Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20180625120304.7543-7-jernej.skrabec@siol.net
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a5a849c9e8a6c357f84a5e249cb468f20da6d28f
Author: Brandon Maier <brandon.maier@rockwellcollins.com>
Date:   Tue Jun 26 12:50:48 2018 -0500

    net: phy: xgmiitorgmii: Check phy_driver ready before accessing
    
    [ Upstream commit ab4e6ee578e88a659938db8fbf33720bc048d29c ]
    
    Since a phy_device is added to the global mdio_bus list during
    phy_device_register(), but a phy_device's phy_driver doesn't get
    attached until phy_probe(). It's possible of_phy_find_device() in
    xgmiitorgmii will return a valid phy with a NULL phy_driver. Leading to
    a NULL pointer access during the memcpy().
    
    Fixes this Oops:
    
    Unable to handle kernel NULL pointer dereference at virtual address 00000000
    pgd = c0004000
    [00000000] *pgd=00000000
    Internal error: Oops: 5 [#1] PREEMPT SMP ARM
    Modules linked in:
    CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.40 #1
    Hardware name: Xilinx Zynq Platform
    task: ce4c8d00 task.stack: ce4ca000
    PC is at memcpy+0x48/0x330
    LR is at xgmiitorgmii_probe+0x90/0xe8
    pc : [<c074bc68>]    lr : [<c0529548>]    psr: 20000013
    sp : ce4cbb54  ip : 00000000  fp : ce4cbb8c
    r10: 00000000  r9 : 00000000  r8 : c0c49178
    r7 : 00000000  r6 : cdc14718  r5 : ce762800  r4 : cdc14710
    r3 : 00000000  r2 : 00000054  r1 : 00000000  r0 : cdc14718
    Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
    Control: 18c5387d  Table: 0000404a  DAC: 00000051
    Process swapper/0 (pid: 1, stack limit = 0xce4ca210)
    ...
    [<c074bc68>] (memcpy) from [<c0529548>] (xgmiitorgmii_probe+0x90/0xe8)
    [<c0529548>] (xgmiitorgmii_probe) from [<c0526a94>] (mdio_probe+0x28/0x34)
    [<c0526a94>] (mdio_probe) from [<c04db98c>] (driver_probe_device+0x254/0x414)
    [<c04db98c>] (driver_probe_device) from [<c04dbd58>] (__device_attach_driver+0xac/0x10c)
    [<c04dbd58>] (__device_attach_driver) from [<c04d96f4>] (bus_for_each_drv+0x84/0xc8)
    [<c04d96f4>] (bus_for_each_drv) from [<c04db5bc>] (__device_attach+0xd0/0x134)
    [<c04db5bc>] (__device_attach) from [<c04dbdd4>] (device_initial_probe+0x1c/0x20)
    [<c04dbdd4>] (device_initial_probe) from [<c04da8fc>] (bus_probe_device+0x98/0xa0)
    [<c04da8fc>] (bus_probe_device) from [<c04d8660>] (device_add+0x43c/0x5d0)
    [<c04d8660>] (device_add) from [<c0526cb8>] (mdio_device_register+0x34/0x80)
    [<c0526cb8>] (mdio_device_register) from [<c0580b48>] (of_mdiobus_register+0x170/0x30c)
    [<c0580b48>] (of_mdiobus_register) from [<c05349c4>] (macb_probe+0x710/0xc00)
    [<c05349c4>] (macb_probe) from [<c04dd700>] (platform_drv_probe+0x44/0x80)
    [<c04dd700>] (platform_drv_probe) from [<c04db98c>] (driver_probe_device+0x254/0x414)
    [<c04db98c>] (driver_probe_device) from [<c04dbc58>] (__driver_attach+0x10c/0x118)
    [<c04dbc58>] (__driver_attach) from [<c04d9600>] (bus_for_each_dev+0x8c/0xd0)
    [<c04d9600>] (bus_for_each_dev) from [<c04db1fc>] (driver_attach+0x2c/0x30)
    [<c04db1fc>] (driver_attach) from [<c04daa98>] (bus_add_driver+0x50/0x260)
    [<c04daa98>] (bus_add_driver) from [<c04dc440>] (driver_register+0x88/0x108)
    [<c04dc440>] (driver_register) from [<c04dd6b4>] (__platform_driver_register+0x50/0x58)
    [<c04dd6b4>] (__platform_driver_register) from [<c0b31248>] (macb_driver_init+0x24/0x28)
    [<c0b31248>] (macb_driver_init) from [<c010203c>] (do_one_initcall+0x60/0x1a4)
    [<c010203c>] (do_one_initcall) from [<c0b00f78>] (kernel_init_freeable+0x15c/0x1f8)
    [<c0b00f78>] (kernel_init_freeable) from [<c0763d10>] (kernel_init+0x18/0x124)
    [<c0763d10>] (kernel_init) from [<c0112d74>] (ret_from_fork+0x14/0x20)
    Code: ba000002 f5d1f03c f5d1f05c f5d1f07c (e8b151f8)
    ---[ end trace 3e4ec21905820a1f ]---
    
    Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9d57fa81b2e4286443268bb047bb03ab839ac5c8
Author: Ben Greear <greearb@candelatech.com>
Date:   Mon Jun 18 17:00:56 2018 +0300

    ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock
    
    [ Upstream commit 168f75f11fe68455e0d058a818ebccfc329d8685 ]
    
    While debugging driver crashes related to a buggy firmware
    crashing under load, I noticed that ath10k_htt_rx_ring_free
    could be called without being under lock.  I'm not sure if this
    is the root cause of the crash or not, but it seems prudent to
    protect it.
    
    Originally tested on 4.16+ kernel with ath10k-ct 10.4 firmware
    running on 9984 NIC.
    
    Signed-off-by: Ben Greear <greearb@candelatech.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 72233116f96df97d822357a5b5f4ad38da444a7e
Author: Brandon Maier <brandon.maier@rockwellcollins.com>
Date:   Tue Jun 26 12:50:50 2018 -0500

    net: phy: xgmiitorgmii: Check read_status results
    
    [ Upstream commit 8d0752d11312be830c33e84dfd1016e6a47c2938 ]
    
    We're ignoring the result of the attached phy device's read_status().
    Return it so we can detect errors.
    
    Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 22b6598d3474bc32059cd27cf62c2526dd53ca54
Author: Kai-Heng Feng <kai.heng.feng@canonical.com>
Date:   Thu Jun 28 15:28:24 2018 +0800

    ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge
    
    [ Upstream commit 1adca4b0cd65c14cb8b8c9c257720385869c3d5f ]
    
    This patch can make audio controller in AMD Raven Ridge gets runtime
    suspended to D3, to save ~1W power when it's not in use.
    
    Cc: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
    Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 68fc12437bb33e6c8c65a36050a5bcb8469da6ab
Author: Zhouyang Jia <jiazhouyang09@gmail.com>
Date:   Mon Jun 11 00:39:20 2018 -0400

    media: tm6000: add error handling for dvb_register_adapter
    
    [ Upstream commit e95d7c6eb94c634852eaa5ff4caf3db05b5d2e86 ]
    
    When dvb_register_adapter fails, the lack of error-handling code may
    cause unexpected results.
    
    This patch adds error-handling code after calling dvb_register_adapter.
    
    Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
    [hans.verkuil@cisco.com: use pr_err and fix typo: adater -> adapter]
    Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0e215a3638f629542559e2e8fa5cef6796b4cee2
Author: Zhouyang Jia <jiazhouyang09@gmail.com>
Date:   Tue Jun 12 12:36:25 2018 +0800

    drivers/tty: add error handling for pcmcia_loop_config
    
    [ Upstream commit 85c634e919bd6ef17427f26a52920aeba12e16ee ]
    
    When pcmcia_loop_config fails, the lack of error-handling code may
    cause unexpected results.
    
    This patch adds error-handling code after calling pcmcia_loop_config.
    
    Signed-off-by: Zhouyang Jia <jiazhouyang09@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d4d0edca58841aa5ba63e78835de8dfd54a317d2
Author: Alistair Strachan <astrachan@google.com>
Date:   Tue Jun 19 17:57:35 2018 -0700

    staging: android: ashmem: Fix mmap size validation
    
    [ Upstream commit 8632c614565d0c5fdde527889601c018e97b6384 ]
    
    The ashmem driver did not check that the size/offset of the vma passed
    to its .mmap() function was not larger than the ashmem object being
    mapped. This could cause mmap() to succeed, even though accessing parts
    of the mapping would later fail with a segmentation fault.
    
    Ensure an error is returned by the ashmem_mmap() function if the vma
    size is larger than the ashmem object size. This enables safer handling
    of the problem in userspace.
    
    Cc: Todd Kjos <tkjos@android.com>
    Cc: devel@driverdev.osuosl.org
    Cc: linux-kernel@vger.kernel.org
    Cc: kernel-team@android.com
    Cc: Joel Fernandes <joel@joelfernandes.org>
    Signed-off-by: Alistair Strachan <astrachan@google.com>
    Acked-by: Joel Fernandes (Google) <joel@joelfernandes.org>
    Reviewed-by: Martijn Coenen <maco@android.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3c2855f5c361f91307d144d99b6f4e8075765d18
Author: Javier Martinez Canillas <javierm@redhat.com>
Date:   Sat Jun 9 08:22:45 2018 -0400

    media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data
    
    [ Upstream commit 2ec7debd44b49927a6e2861521994cc075a389ed ]
    
    The struct clk_init_data init variable is declared in the isp_xclk_init()
    function so is an automatic variable allocated in the stack. But it's not
    explicitly zero-initialized, so some init fields are left uninitialized.
    
    This causes the data structure to have undefined values that may confuse
    the common clock framework when the clock is registered.
    
    For example, the uninitialized .flags field could have the CLK_IS_CRITICAL
    bit set, causing the framework to wrongly prepare the clk on registration.
    This leads to the isp_xclk_prepare() callback being called, which in turn
    calls to the omap3isp_get() function that increments the isp dev refcount.
    
    Since this omap3isp_get() call is unexpected, this leads to an unbalanced
    omap3isp_get() call that prevents the requested IRQ to be later enabled,
    due the refcount not being 0 when the correct omap3isp_get() call happens.
    
    Fixes: 9b28ee3c9122 ("[media] omap3isp: Use the common clock framework")
    
    Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
    Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
    Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 66459f5c1c535157c68775e361c68a65a8f58538
Author: Akinobu Mita <akinobu.mita@gmail.com>
Date:   Sun Jun 10 11:42:26 2018 -0400

    media: soc_camera: ov772x: correct setting of banding filter
    
    [ Upstream commit 22216ec41e919682c15345e95928f266e8ba6f9e ]
    
    The banding filter ON/OFF is controlled via bit 5 of COM8 register.  It
    is attempted to be enabled in ov772x_set_params() by the following line.
    
            ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, 1);
    
    But this unexpectedly results disabling the banding filter, because the
    mask and set bits are exclusive.
    
    On the other hand, ov772x_s_ctrl() correctly sets the bit by:
    
            ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, BNDF_ON_OFF);
    
    The same fix was already applied to non-soc_camera version of ov772x
    driver in the commit commit a024ee14cd36 ("media: ov772x: correct setting
    of banding filter")
    
    Cc: Jacopo Mondi <jacopo+renesas@jmondi.org>
    Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Cc: Hans Verkuil <hans.verkuil@cisco.com>
    Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
    Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 84d068c8646568565ecd5d66d1c6752acd4157c4
Author: Akinobu Mita <akinobu.mita@gmail.com>
Date:   Sun Jun 10 11:42:01 2018 -0400

    media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power
    
    [ Upstream commit 30ed2b83343bd1e07884ca7355dac70d25ffc158 ]
    
    When the subdevice doesn't provide s_power core ops callback, the
    v4l2_subdev_call for s_power returns -ENOIOCTLCMD.  If the subdevice
    doesn't have the special handling for its power saving mode, the s_power
    isn't required.  So -ENOIOCTLCMD from the v4l2_subdev_call should be
    ignored.
    
    Cc: Hans Verkuil <hans.verkuil@cisco.com>
    Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
    Acked-by: Sylwester Nawrocki <sylvester.nawrocki@gmail.com>
    Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a1003fd88762c9dd80052c4f357ce0dedc4a49f0
Author: Nicholas Mc Guire <hofrat@osadl.org>
Date:   Fri Jun 29 19:07:42 2018 +0200

    ALSA: snd-aoa: add of_node_put() in error path
    
    [ Upstream commit 222bce5eb88d1af656419db04bcd84b2419fb900 ]
    
     Both calls to of_find_node_by_name() and of_get_next_child() return a
    node pointer with refcount incremented thus it must be explicidly
    decremented here after the last usage. As we are assured to have a
    refcounted  np  either from the initial
    of_find_node_by_name(NULL, name); or from the of_get_next_child(gpio, np)
    in the while loop if we reached the error code path below, an
    x of_node_put(np) is needed.
    
    Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
    Fixes: commit f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa")
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2d81291f71144261bfa782afa60dafb6232b4237
Author: Vasily Gorbik <gor@linux.ibm.com>
Date:   Sun Jun 17 00:30:43 2018 +0200

    s390/extmem: fix gcc 8 stringop-overflow warning
    
    [ Upstream commit 6b2ddf33baec23dace85bd647e3fc4ac070963e8 ]
    
    arch/s390/mm/extmem.c: In function '__segment_load':
    arch/s390/mm/extmem.c:436:2: warning: 'strncat' specified bound 7 equals
    source length [-Wstringop-overflow=]
      strncat(seg->res_name, " (DCSS)", 7);
    
    What gcc complains about here is the misuse of strncat function, which
    in this case does not limit a number of bytes taken from "src", so it is
    in the end the same as strcat(seg->res_name, " (DCSS)");
    
    Keeping in mind that a res_name is 15 bytes, strncat in this case
    would overflow the buffer and write 0 into alignment byte between the
    fields in the struct. To avoid that increasing res_name size to 16,
    and reusing strlcat.
    
    Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 747128e772dc2c413763050c52c55edcacf7f60c
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Mon Jul 2 09:34:29 2018 +0200

    alarmtimer: Prevent overflow for relative nanosleep
    
    [ Upstream commit 5f936e19cc0ef97dbe3a56e9498922ad5ba1edef ]
    
    Air Icy reported:
    
      UBSAN: Undefined behaviour in kernel/time/alarmtimer.c:811:7
      signed integer overflow:
      1529859276030040771 + 9223372036854775807 cannot be represented in type 'long long int'
      Call Trace:
       alarm_timer_nsleep+0x44c/0x510 kernel/time/alarmtimer.c:811
       __do_sys_clock_nanosleep kernel/time/posix-timers.c:1235 [inline]
       __se_sys_clock_nanosleep kernel/time/posix-timers.c:1213 [inline]
       __x64_sys_clock_nanosleep+0x326/0x4e0 kernel/time/posix-timers.c:1213
       do_syscall_64+0xb8/0x3a0 arch/x86/entry/common.c:290
    
    alarm_timer_nsleep() uses ktime_add() to add the current time and the
    relative expiry value. ktime_add() has no sanity checks so the addition
    can overflow when the relative timeout is large enough.
    
    Use ktime_add_safe() which has the necessary sanity checks in place and
    limits the result to the valid range.
    
    Fixes: 9a7adcf5c6de ("timers: Posix interface for alarm-timers")
    Reported-by: Team OWL337 <icytxw@gmail.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: John Stultz <john.stultz@linaro.org>
    Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1807020926360.1595@nanos.tec.linutronix.de
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 47dd06672f2c87cd542c3bebf7376b75a26a71e7
Author: Alexey Kardashevskiy <aik@ozlabs.ru>
Date:   Fri Jun 1 18:06:16 2018 +1000

    powerpc/powernv/ioda2: Reduce upper limit for DMA window size
    
    [ Upstream commit d3d4ffaae439981e1e441ebb125aa3588627c5d8 ]
    
    We use PHB in mode1 which uses bit 59 to select a correct DMA window.
    However there is mode2 which uses bits 59:55 and allows up to 32 DMA
    windows per a PE.
    
    Even though documentation does not clearly specify that, it seems that
    the actual hardware does not support bits 59:55 even in mode1, in other
    words we can create a window as big as 1<<58 but DMA simply won't work.
    
    This reduces the upper limit from 59 to 55 bits to let the userspace know
    about the hardware limits.
    
    Fixes: 7aafac11e3 "powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested"
    Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ad04608260af5216d33ad74ada77bde42239b95d
Author: Julia Lawall <Julia.Lawall@lip6.fr>
Date:   Sun Jul 1 19:32:04 2018 +0200

    usb: wusbcore: security: cast sizeof to int for comparison
    
    [ Upstream commit d3ac5598c5010a8999978ebbcca3b1c6188ca36b ]
    
    Comparing an int to a size, which is unsigned, causes the int to become
    unsigned, giving the wrong result.  usb_get_descriptor can return a
    negative error code.
    
    A simplified version of the semantic match that finds this problem is as
    follows: (http://coccinelle.lip6.fr/)
    
    // <smpl>
    @@
    int x;
    expression e,e1;
    identifier f;
    @@
    
    *x = f(...);
    ... when != x = e1
        when != if (x < 0 || ...) { ... return ...; }
    *x < sizeof(e)
    // </smpl>
    
    Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b789ac6c8eb2f1eaec3bd05dd6420634e7ee6009
Author: Breno Leitao <leitao@debian.org>
Date:   Tue Jun 26 17:35:16 2018 -0300

    scsi: ibmvscsi: Improve strings handling
    
    [ Upstream commit 1262dc09dc9ae7bf4ad00b6a2c5ed6a6936bcd10 ]
    
    Currently an open firmware property is copied into partition_name variable
    without keeping a room for \0.
    
    Later one, this variable (partition_name), which is 97 bytes long, is
    strncpyed into ibmvcsci_host_data->madapter_info->partition_name, which is
    96 bytes long, possibly truncating it 'again' and removing the \0.
    
    This patch simply decreases the partition name to 96 and just copy using
    strlcpy() which guarantees that the string is \0 terminated. I think there
    is no issue if this there is a truncation in this very first copy, i.e,
    when the open firmware property is read and copied into the driver for the
    very first time;
    
    This issue also causes the following warning on GCC 8:
    
            drivers/scsi/ibmvscsi/ibmvscsi.c:281:2: warning:  strncpy  output may be truncated copying 96 bytes from a string of length 96 [-Wstringop-truncation]
            ...
            inlined from  ibmvscsi_probe  at drivers/scsi/ibmvscsi/ibmvscsi.c:2221:7:
            drivers/scsi/ibmvscsi/ibmvscsi.c:265:3: warning:  strncpy  specified bound 97 equals destination size [-Wstringop-truncation]
    
    CC: Bart Van Assche <bart.vanassche@wdc.com>
    CC: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
    Signed-off-by: Breno Leitao <leitao@debian.org>
    Acked-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4a67b82250b481f0591ba83b2584cf18385fa059
Author: Bart Van Assche <bart.vanassche@wdc.com>
Date:   Fri Jun 22 14:54:49 2018 -0700

    scsi: klist: Make it safe to use klists in atomic context
    
    [ Upstream commit 624fa7790f80575a4ec28fbdb2034097dc18d051 ]
    
    In the scsi_transport_srp implementation it cannot be avoided to
    iterate over a klist from atomic context when using the legacy block
    layer instead of blk-mq. Hence this patch that makes it safe to use
    klists in atomic context. This patch avoids that lockdep reports the
    following:
    
    WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
     Possible interrupt unsafe locking scenario:
    
           CPU0                    CPU1
           ----                    ----
      lock(&(&k->k_lock)->rlock);
                                   local_irq_disable();
                                   lock(&(&q->__queue_lock)->rlock);
                                   lock(&(&k->k_lock)->rlock);
      <Interrupt>
        lock(&(&q->__queue_lock)->rlock);
    
    stack backtrace:
    Workqueue: kblockd blk_timeout_work
    Call Trace:
     dump_stack+0xa4/0xf5
     check_usage+0x6e6/0x700
     __lock_acquire+0x185d/0x1b50
     lock_acquire+0xd2/0x260
     _raw_spin_lock+0x32/0x50
     klist_next+0x47/0x190
     device_for_each_child+0x8e/0x100
     srp_timed_out+0xaf/0x1d0 [scsi_transport_srp]
     scsi_times_out+0xd4/0x410 [scsi_mod]
     blk_rq_timed_out+0x36/0x70
     blk_timeout_work+0x1b5/0x220
     process_one_work+0x4fe/0xad0
     worker_thread+0x63/0x5a0
     kthread+0x1c1/0x1e0
     ret_from_fork+0x24/0x30
    
    See also commit c9ddf73476ff ("scsi: scsi_transport_srp: Fix shost to
    rport translation").
    
    Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
    Cc: Martin K. Petersen <martin.petersen@oracle.com>
    Cc: James Bottomley <jejb@linux.vnet.ibm.com>
    Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 54cbe6e25b2b68ace2fff2fd4576057d759fe012
Author: Bart Van Assche <bart.vanassche@wdc.com>
Date:   Fri Jun 22 14:53:01 2018 -0700

    scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size
    
    [ Upstream commit 35bea5c84fd13c643cce63f0b5cd4b148f8c901d ]
    
    Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
    Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
    Reviewed-by: Mike Christie <mchristi@redhat.com>
    Cc: Mike Christie <mchristi@redhat.com>
    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Hannes Reinecke <hare@suse.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8a76e852e44aa63b0e72d0c9b86d835a895e8023
Author: Jan Beulich <JBeulich@suse.com>
Date:   Mon Jul 2 04:47:57 2018 -0600

    x86/entry/64: Add two more instruction suffixes
    
    [ Upstream commit 6709812f094d96543b443645c68daaa32d3d3e77 ]
    
    Sadly, other than claimed in:
    
      a368d7fd2a ("x86/entry/64: Add instruction suffix")
    
    ... there are two more instances which want to be adjusted.
    
    As said there, omitting suffixes from instructions in AT&T mode is bad
    practice when operand size cannot be determined by the assembler from
    register operands, and is likely going to be warned about by upstream
    gas in the future (mine does already).
    
    Add the other missing suffixes here as well.
    
    Signed-off-by: Jan Beulich <jbeulich@suse.com>
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Brian Gerst <brgerst@gmail.com>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Link: http://lkml.kernel.org/r/5B3A02DD02000078001CFB78@prv1-mh.provo.novell.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8214da8ac2600fe894ac059bf0eadfe27ca435ea
Author: Dave Gerlach <d-gerlach@ti.com>
Date:   Thu Jun 21 14:43:08 2018 +0530

    ARM: hwmod: RTC: Don't assume lock/unlock will be called with irq enabled
    
    [ Upstream commit 6d609b35c815ba20132b7b64bcca04516bb17c56 ]
    
    When the RTC lock and unlock functions were introduced it was likely
    assumed that they would always be called from irq enabled context, hence
    the use of local_irq_disable/enable. This is no longer true as the
    RTC+DDR path makes a late call during the suspend path after irqs
    have been disabled to enable the RTC hwmod which calls both unlock and
    lock, leading to IRQs being reenabled through the local_irq_enable call
    in omap_hwmod_rtc_lock call.
    
    To avoid this change the local_irq_disable/enable to
    local_irq_save/restore to ensure that from whatever context this is
    called the proper IRQ configuration is maintained.
    
    Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
    Signed-off-by: Keerthy <j-keerthy@ti.com>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 67d0b2f130a74bf7495705c0efc7a3d329beecdf
Author: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Date:   Fri Jun 29 22:31:10 2018 +0300

    x86/tsc: Add missing header to tsc_msr.c
    
    [ Upstream commit dbd0fbc76c77daac08ddd245afdcbade0d506e19 ]
    
    Add a missing header otherwise compiler warns about missed prototype:
    
    CC      arch/x86/kernel/tsc_msr.o
    arch/x86/kernel/tsc_msr.c:73:15: warning: no previous prototype for ‘cpu_khz_from_msr’ [-Wmissing-prototypes]
       unsigned long cpu_khz_from_msr(void)
                     ^~~~~~~~~~~~~~~~
    
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: "H. Peter Anvin" <hpa@zytor.com>
    Cc: Pavel Tatashin <pasha.tatashin@oracle.com>
    Link: https://lkml.kernel.org/r/20180629193113.84425-4-andriy.shevchenko@linux.intel.com
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9b22e7f5b2e41288e6faa3cef0b8ac1061819813
Author: Alexey Khoroshilov <khoroshilov@ispras.ru>
Date:   Fri Jun 29 17:49:22 2018 -0400

    media: fsl-viu: fix error handling in viu_of_probe()
    
    [ Upstream commit 662a99e145661c2b35155cf375044deae9b79896 ]
    
    viu_of_probe() ignores fails in i2c_get_adapter(),
    tries to unlock uninitialized mutex on error path.
    
    The patch streamlining the error handling in viu_of_probe().
    
    Found by Linux Driver Verification project (linuxtesting.org).
    
    Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
    Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5735af39366ea69ce0e3fe02f24e92bb8760d80d
Author: Hari Bathini <hbathini@linux.ibm.com>
Date:   Thu Jun 28 10:49:56 2018 +0530

    powerpc/kdump: Handle crashkernel memory reservation failure
    
    [ Upstream commit 8950329c4a64c6d3ca0bc34711a1afbd9ce05657 ]
    
    Memory reservation for crashkernel could fail if there are holes around
    kdump kernel offset (128M). Fail gracefully in such cases and print an
    error message.
    
    Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
    Tested-by: David Gibson <dgibson@redhat.com>
    Reviewed-by: Dave Young <dyoung@redhat.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 88fd46e44a6cfa72bc5bdd3e96671f6d2d3806c3
Author: Sylwester Nawrocki <s.nawrocki@samsung.com>
Date:   Tue May 15 05:21:45 2018 -0400

    media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt()
    
    [ Upstream commit 7c1b9a5aeed91bef98988ac0fcf38c8c1f4f9a3a ]
    
    This patch fixes potential NULL pointer dereference as indicated
    by the following static checker warning:
    
    drivers/media/platform/exynos4-is/fimc-isp-video.c:408 isp_video_try_fmt_mplane()
    error: NULL dereference inside function '__isp_video_try_fmt(isp, &f->fmt.pix_mp, (0))()'.
    
    Fixes: 34947b8aebe3: ("[media] exynos4-is: Add the FIMC-IS ISP capture DMA driver")
    
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 163f0fd4a067207cba2e9ad7a470a319f7d846d4
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Jul 4 12:32:12 2018 +0300

    IB/core: type promotion bug in rdma_rw_init_one_mr()
    
    [ Upstream commit c2d7c8ff89b22ddefb1ac2986c0d48444a667689 ]
    
    "nents" is an unsigned int, so if ib_map_mr_sg() returns a negative
    error code then it's type promoted to a high unsigned int which is
    treated as success.
    
    Fixes: a060b5629ab0 ("IB/core: generic RDMA READ/WRITE API")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0e085b03e65f568a6cad0faab64989c50c912185
Author: Guoqing Jiang <gqjiang@suse.com>
Date:   Mon Jul 2 16:26:24 2018 +0800

    md-cluster: clear another node's suspend_area after the copy is finished
    
    [ Upstream commit 010228e4a932ca1e8365e3b58c8e1e44c16ff793 ]
    
    When one node leaves cluster or stops the resyncing
    (resync or recovery) array, then other nodes need to
    call recover_bitmaps to continue the unfinished task.
    
    But we need to clear suspend_area later after other
    nodes copy the resync information to their bitmap
    (by call bitmap_copy_from_slot). Otherwise, all nodes
    could write to the suspend_area even the suspend_area
    is not handled by any node, because area_resyncing
    returns 0 at the beginning of raid1_write_request.
    Which means one node could write suspend_area while
    another node is resyncing the same area, then data
    could be inconsistent.
    
    So let's clear suspend_area later to avoid above issue
    with the protection of bm lock. Also it is straightforward
    to clear suspend_area after nodes have copied the resync
    info to bitmap.
    
    Signed-off-by: Guoqing Jiang <gqjiang@suse.com>
    Reviewed-by: NeilBrown <neilb@suse.com>
    Signed-off-by: Shaohua Li <shli@fb.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3ba28752cca79b825abfc9c6f5a30ecb33c6a4ac
Author: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Date:   Mon Jun 25 09:51:48 2018 +0200

    power: remove possible deadlock when unregistering power_supply
    
    [ Upstream commit 3ffa6583e24e1ad1abab836d24bfc9d2308074e5 ]
    
    If a device gets removed right after having registered a power_supply node,
    we might enter in a deadlock between the remove call (that has a lock on
    the parent device) and the deferred register work.
    
    Allow the deferred register work to exit without taking the lock when
    we are in the remove state.
    
    Stack trace on a Ubuntu 16.04:
    
    [16072.109121] INFO: task kworker/u16:2:1180 blocked for more than 120 seconds.
    [16072.109127]       Not tainted 4.13.0-41-generic #46~16.04.1-Ubuntu
    [16072.109129] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
    [16072.109132] kworker/u16:2   D    0  1180      2 0x80000000
    [16072.109142] Workqueue: events_power_efficient power_supply_deferred_register_work
    [16072.109144] Call Trace:
    [16072.109152]  __schedule+0x3d6/0x8b0
    [16072.109155]  schedule+0x36/0x80
    [16072.109158]  schedule_preempt_disabled+0xe/0x10
    [16072.109161]  __mutex_lock.isra.2+0x2ab/0x4e0
    [16072.109166]  __mutex_lock_slowpath+0x13/0x20
    [16072.109168]  ? __mutex_lock_slowpath+0x13/0x20
    [16072.109171]  mutex_lock+0x2f/0x40
    [16072.109174]  power_supply_deferred_register_work+0x2b/0x50
    [16072.109179]  process_one_work+0x15b/0x410
    [16072.109182]  worker_thread+0x4b/0x460
    [16072.109186]  kthread+0x10c/0x140
    [16072.109189]  ? process_one_work+0x410/0x410
    [16072.109191]  ? kthread_create_on_node+0x70/0x70
    [16072.109194]  ret_from_fork+0x35/0x40
    [16072.109199] INFO: task test:2257 blocked for more than 120 seconds.
    [16072.109202]       Not tainted 4.13.0-41-generic #46~16.04.1-Ubuntu
    [16072.109204] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
    [16072.109206] test            D    0  2257   2256 0x00000004
    [16072.109208] Call Trace:
    [16072.109211]  __schedule+0x3d6/0x8b0
    [16072.109215]  schedule+0x36/0x80
    [16072.109218]  schedule_timeout+0x1f3/0x360
    [16072.109221]  ? check_preempt_curr+0x5a/0xa0
    [16072.109224]  ? ttwu_do_wakeup+0x1e/0x150
    [16072.109227]  wait_for_completion+0xb4/0x140
    [16072.109230]  ? wait_for_completion+0xb4/0x140
    [16072.109233]  ? wake_up_q+0x70/0x70
    [16072.109236]  flush_work+0x129/0x1e0
    [16072.109240]  ? worker_detach_from_pool+0xb0/0xb0
    [16072.109243]  __cancel_work_timer+0x10f/0x190
    [16072.109247]  ? device_del+0x264/0x310
    [16072.109250]  ? __wake_up+0x44/0x50
    [16072.109253]  cancel_delayed_work_sync+0x13/0x20
    [16072.109257]  power_supply_unregister+0x37/0xb0
    [16072.109260]  devm_power_supply_release+0x11/0x20
    [16072.109263]  release_nodes+0x110/0x200
    [16072.109266]  devres_release_group+0x7c/0xb0
    [16072.109274]  wacom_remove+0xc2/0x110 [wacom]
    [16072.109279]  hid_device_remove+0x6e/0xd0 [hid]
    [16072.109284]  device_release_driver_internal+0x158/0x210
    [16072.109288]  device_release_driver+0x12/0x20
    [16072.109291]  bus_remove_device+0xec/0x160
    [16072.109293]  device_del+0x1de/0x310
    [16072.109298]  hid_destroy_device+0x27/0x60 [hid]
    [16072.109303]  usbhid_disconnect+0x51/0x70 [usbhid]
    [16072.109308]  usb_unbind_interface+0x77/0x270
    [16072.109311]  device_release_driver_internal+0x158/0x210
    [16072.109315]  device_release_driver+0x12/0x20
    [16072.109318]  usb_driver_release_interface+0x77/0x80
    [16072.109321]  proc_ioctl+0x20f/0x250
    [16072.109325]  usbdev_do_ioctl+0x57f/0x1140
    [16072.109327]  ? __wake_up+0x44/0x50
    [16072.109331]  usbdev_ioctl+0xe/0x20
    [16072.109336]  do_vfs_ioctl+0xa4/0x600
    [16072.109339]  ? vfs_write+0x15a/0x1b0
    [16072.109343]  SyS_ioctl+0x79/0x90
    [16072.109347]  entry_SYSCALL_64_fastpath+0x24/0xab
    [16072.109349] RIP: 0033:0x7f20da807f47
    [16072.109351] RSP: 002b:00007ffc422ae398 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
    [16072.109353] RAX: ffffffffffffffda RBX: 00000000010b8560 RCX: 00007f20da807f47
    [16072.109355] RDX: 00007ffc422ae3a0 RSI: 00000000c0105512 RDI: 0000000000000009
    [16072.109356] RBP: 0000000000000000 R08: 00007ffc422ae3e0 R09: 0000000000000010
    [16072.109357] R10: 00000000000000a6 R11: 0000000000000246 R12: 0000000000000000
    [16072.109359] R13: 00000000010b8560 R14: 00007ffc422ae2e0 R15: 0000000000000000
    
    Reported-and-tested-by: Richard Hughes <rhughes@redhat.com>
    Tested-by: Aaron Skomra <Aaron.Skomra@wacom.com>
    Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
    Fixes: 7f1a57fdd6cb ("power_supply: Fix possible NULL pointer dereference on early uevent")
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2f412c555411748608969fd126a3c120be7893b2
Author: Vasily Gorbik <gor@linux.ibm.com>
Date:   Sun Jun 24 12:17:43 2018 +0200

    s390/mm: correct allocate_pgste proc_handler callback
    
    [ Upstream commit 5bedf8aa03c28cb8dc98bdd32a41b66d8f7d3eaa ]
    
    Since proc_dointvec does not perform value range control,
    proc_dointvec_minmax should be used to limit value range, which is
    clearly intended here, as the internal representation of the value:
    
    unsigned int alloc_pgste:1;
    
    In fact it currently works, since we have
    
          mm->context.alloc_pgste = page_table_allocate_pgste || ...
    
    ... since commit 23fefe119ceb5 ("s390/kvm: avoid global config of vm.alloc_pgste=1")
    
    Before that it was
    
           mm->context.alloc_pgste = page_table_allocate_pgste;
    
    which was broken. That was introduced with commit 0b46e0a3ec0d7 ("s390/kvm:
    remove delayed reallocation of page tables for KVM").
    
    Fixes: 0b46e0a3ec0d7 ("s390/kvm: remove delayed reallocation of page tables for KVM")
    Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
    Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3e8e438d8a474a107cd8234602e68f2fb0ef5400
Author: Michael Scott <michael@opensourcefoundries.com>
Date:   Tue Jun 19 16:44:06 2018 -0700

    6lowpan: iphc: reset mac_header after decompress to fix panic
    
    [ Upstream commit 03bc05e1a4972f73b4eb8907aa373369e825c252 ]
    
    After decompression of 6lowpan socket data, an IPv6 header is inserted
    before the existing socket payload.  After this, we reset the
    network_header value of the skb to account for the difference in payload
    size from prior to decompression + the addition of the IPv6 header.
    
    However, we fail to reset the mac_header value.
    
    Leaving the mac_header value untouched here, can cause a calculation
    error in net/packet/af_packet.c packet_rcv() function when an
    AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan
    interface.
    
    On line 2088, the data pointer is moved backward by the value returned
    from skb_mac_header().  If skb->data is adjusted so that it is before
    the skb->head pointer (which can happen when an old value of mac_header
    is left in place) the kernel generates a panic in net/core/skbuff.c
    line 1717.
    
    This panic can be generated by BLE 6lowpan interfaces (such as bt0) and
    802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan
    sources for compression and decompression.
    
    Signed-off-by: Michael Scott <michael@opensourcefoundries.com>
    Acked-by: Alexander Aring <aring@mojatatu.com>
    Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ad560c0a5fcb8f76fe3d377cf3aacc466a14c6f4
Author: Johan Hovold <johan@kernel.org>
Date:   Wed Jul 4 17:02:18 2018 +0200

    USB: serial: kobil_sct: fix modem-status error handling
    
    [ Upstream commit a420b5d939ee58f1d950f0ea782834056520aeaa ]
    
    Make sure to return -EIO in case of a short modem-status read request.
    
    While at it, split the debug message to not include the (zeroed)
    transfer-buffer content in case of errors.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f63d0c75f2aa9daa87fb9dde705762cf200d6d8a
Author: Jian-Hong Pan <jian-hong@endlessm.com>
Date:   Fri May 25 17:54:52 2018 +0800

    Bluetooth: Add a new Realtek 8723DE ID 0bda:b009
    
    [ Upstream commit 45ae68b8cfc25bdbffc11248001c47ab1b76ff6e ]
    
    Without this patch we cannot turn on the Bluethooth adapter on HP
    14-bs007la.
    
    T:  Bus=01 Lev=02 Prnt=03 Port=00 Cnt=01 Dev#=  4 Spd=12   MxCh= 0
    D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=0bda ProdID=b009 Rev= 2.00
    S:  Manufacturer=Realtek
    S:  Product=802.11n WLAN Adapter
    S:  SerialNumber=00e04c000001
    C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
    I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
    I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
    E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
    I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
    E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
    I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
    E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
    I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
    E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
    I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
    E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
    I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
    E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
    
    Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5eb06bfce2ec2cad1ef026dbf02eb1bae6aa497b
Author: Zhen Lei <thunder.leizhen@huawei.com>
Date:   Wed Jun 6 10:18:46 2018 +0800

    iommu/amd: make sure TLB to be flushed before IOVA freed
    
    [ Upstream commit 3c120143f584360a13614787e23ae2cdcb5e5ccd ]
    
    Although the mapping has already been removed in the page table, it maybe
    still exist in TLB. Suppose the freed IOVAs is reused by others before the
    flush operation completed, the new user can not correctly access to its
    meomory.
    
    Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
    Fixes: b1516a14657a ('iommu/amd: Implement flush queue')
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0830a976e5d597a890835cee4b92214be3e4b18b
Author: Sudeep Holla <sudeep.holla@arm.com>
Date:   Mon Jun 18 16:54:32 2018 +0100

    power: vexpress: fix corruption in notifier registration
    
    [ Upstream commit 09bebb1adb21ecd04adf7ccb3b06f73e3a851e93 ]
    
    Vexpress platforms provide two different restart handlers: SYS_REBOOT
    that restart the entire system, while DB_RESET only restarts the
    daughter board containing the CPU. DB_RESET is overridden by SYS_REBOOT
    if it exists.
    
    notifier_chain_register used in register_restart_handler by design
    relies on notifiers to be registered once only, however vexpress restart
    notifier can get registered twice. When this happen it corrupts list
    of notifiers, as result some notifiers can be not called on proper
    event, traverse on list can be cycled forever, and second unregister
    can access already freed memory.
    
    So far, since this was the only restart handler in the system, no issue
    was observed even if the same notifier was registered twice. However
    commit 6c5c0d48b686 ("watchdog: sp805: add restart handler") added
    support for SP805 restart handlers and since the system under test
    contains two vexpress restart and two SP805 watchdog instances, it was
    observed that during the boot traversing the restart handler list looped
    forever as there's a cycle in that list resulting in boot hang.
    
    This patch fixes the issues by ensuring that the notifier is installed
    only once.
    
    Cc: Sebastian Reichel <sre@kernel.org>
    Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
    Fixes: 46c99ac66222 ("power/reset: vexpress: Register with kernel restart handler")
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ee6dc27c53592479aa6a55cd1d4429aa16a8d917
Author: Anton Vasilyev <vasilyev@ispras.ru>
Date:   Fri Jul 6 15:32:53 2018 +0300

    uwb: hwa-rc: fix memory leak at probe
    
    [ Upstream commit 11b71782c1d10d9bccc31825cf84291cd7588a1e ]
    
    hwarc_probe() allocates memory for hwarc, but does not free it
    if uwb_rc_add() or hwarc_get_version() fail.
    
    Found by Linux Driver Verification project (linuxtesting.org).
    
    Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 16d5a6d9c68991764c2481aa8d5c87775a873a44
Author: Colin Ian King <colin.king@canonical.com>
Date:   Mon Jul 2 14:27:35 2018 +0100

    staging: rts5208: fix missing error check on call to rtsx_write_register
    
    [ Upstream commit c5fae4f4fd28189b1062fb8ef7b21fec37cb8b17 ]
    
    Currently the check on error return from the call to rtsx_write_register
    is checking the error status from the previous call. Fix this by adding
    in the missing assignment of retval.
    
    Detected by CoverityScan, CID#709877
    
    Fixes: fa590c222fba ("staging: rts5208: add support for rts5208 and rts5288")
    Signed-off-by: Colin Ian King <colin.king@canonical.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8540af6de372659b76cc349d29060941bf53019c
Author: Dan Williams <dan.j.williams@intel.com>
Date:   Fri Jul 6 09:08:01 2018 -0700

    x86/numa_emulation: Fix emulated-to-physical node mapping
    
    [ Upstream commit 3b6c62f363a19ce82bf378187ab97c9dc01e3927 ]
    
    Without this change the distance table calculation for emulated nodes
    may use the wrong numa node and report an incorrect distance.
    
    Signed-off-by: Dan Williams <dan.j.williams@intel.com>
    Cc: David Rientjes <rientjes@google.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Wei Yang <richard.weiyang@gmail.com>
    Cc: linux-mm@kvack.org
    Link: http://lkml.kernel.org/r/153089328103.27680.14778434392225818887.stgit@dwillia2-desk3.amr.corp.intel.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 37f43c12f59dd23390183b12d74e7503cd08b6ec
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Jul 4 12:33:34 2018 +0300

    vmci: type promotion bug in qp_host_get_user_memory()
    
    [ Upstream commit 7fb2fd4e25fc1fb10dcb30b5519de257cfeae84c ]
    
    The problem is that if get_user_pages_fast() fails and returns a
    negative error code, it gets type promoted to a high positive value and
    treated as a success.
    
    Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8d2b8ae4ad7b2bd385465d816c3e5966cdbff53a
Author: Matt Ranostay <matt.ranostay@konsulko.com>
Date:   Fri Jun 8 23:58:15 2018 -0700

    tsl2550: fix lux1_input error in low light
    
    [ Upstream commit ce054546cc2c26891cefa2f284d90d93b52205de ]
    
    ADC channel 0 photodiode detects both infrared + visible light,
    but ADC channel 1 just detects infrared. However, the latter is a bit
    more sensitive in that range so complete darkness or low light causes
    a error condition in which the chan0 - chan1 is negative that
    results in a -EAGAIN.
    
    This patch changes the resulting lux1_input sysfs attribute message from
    "Resource temporarily unavailable" to a user-grokable lux value of 0.
    
    Cc: Arnd Bergmann <arnd@arndb.de>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 581048527071d09cbaa62943a44296b63a1799d1
Author: Stafford Horne <shorne@gmail.com>
Date:   Mon Jun 25 21:45:37 2018 +0900

    crypto: skcipher - Fix -Wstringop-truncation warnings
    
    [ Upstream commit cefd769fd0192c84d638f66da202459ed8ad63ba ]
    
    As of GCC 9.0.0 the build is reporting warnings like:
    
        crypto/ablkcipher.c: In function ‘crypto_ablkcipher_report’:
        crypto/ablkcipher.c:374:2: warning: ‘strncpy’ specified bound 64 equals destination size [-Wstringop-truncation]
          strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<default>",
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           sizeof(rblkcipher.geniv));
           ~~~~~~~~~~~~~~~~~~~~~~~~~
    
    This means the strnycpy might create a non null terminated string.  Fix this by
    explicitly performing '\0' termination.
    
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Arnd Bergmann <arnd@arndb.de>
    Cc: Max Filippov <jcmvbkbc@gmail.com>
    Cc: Eric Biggers <ebiggers3@gmail.com>
    Cc: Nick Desaulniers <nick.desaulniers@gmail.com>
    Signed-off-by: Stafford Horne <shorne@gmail.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>