[PATCH 4.13 002/109] : Fix copy_in_user() declaration

[Greg Kroah-Hartman]

4.13-stable review patch.  If anyone has any objections, please let me know.

--

From: Bart Van Assche 

commit f58e76c1c551c7577b25a6fe493d82f5214331b7 upstream.

copy_in_user() copies data from user-space address @from to user-
space address @to. Hence declare both @from and @to as user-space
pointers.

Fixes: commit d597580d3737 ("generic ...copy_..._user primitives")
Signed-off-by: Bart Van Assche 
Signed-off-by: Al Viro 
Signed-off-by: Greg Kroah-Hartman 

---
 include/linux/uaccess.h |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -156,7 +156,7 @@ copy_to_user(void __user *to, const void
 }
 #ifdef CONFIG_COMPAT
 static __always_inline unsigned long __must_check
-copy_in_user(void __user *to, const void *from, unsigned long n)
+copy_in_user(void __user *to, const void __user *from, unsigned long n)
 {
might_fault();
if (access_ok(VERIFY_WRITE, to, n) && access_ok(VERIFY_READ, from, n))

[PATCH 4.13 015/109] pinctrl/amd: save pin registers over suspend/resume

[Greg Kroah-Hartman]

4.13-stable review patch.  If anyone has any objections, please let me know.

--

From: Daniel Drake 

commit 79d2c8bede2c93f9432d7da0bc2f76a195c90fc0 upstream.

The touchpad in the Asus laptop models X505BA/BP and X542BA/BP is
unresponsive after suspend/resume. The following error appears during
resume:

  i2c_hid i2c-ELAN1300:00: failed to reset device.

The problem here is that i2c_hid does not notice the interrupt being
generated at this point, because the GPIO is no longer configured
for interrupts.

Fix this by saving pinctrl-amd pin registers during suspend and
restoring them at resume time.

Based on code from pinctrl-intel.

Signed-off-by: Daniel Drake 
Signed-off-by: Linus Walleij 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/pinctrl/pinctrl-amd.c |   75 ++
 drivers/pinctrl/pinctrl-amd.h |1 
 2 files changed, 76 insertions(+)

--- a/drivers/pinctrl/pinctrl-amd.c
+++ b/drivers/pinctrl/pinctrl-amd.c
@@ -36,6 +36,7 @@
 #include 
 #include 
 
+#include "core.h"
 #include "pinctrl-utils.h"
 #include "pinctrl-amd.h"
 
@@ -725,6 +726,69 @@ static const struct pinconf_ops amd_pinc
.pin_config_group_set = amd_pinconf_group_set,
 };
 
+#ifdef CONFIG_PM_SLEEP
+static bool amd_gpio_should_save(struct amd_gpio *gpio_dev, unsigned int pin)
+{
+   const struct pin_desc *pd = pin_desc_get(gpio_dev->pctrl, pin);
+
+   if (!pd)
+   return false;
+
+   /*
+* Only restore the pin if it is actually in use by the kernel (or
+* by userspace).
+*/
+   if (pd->mux_owner || pd->gpio_owner ||
+   gpiochip_line_is_irq(_dev->gc, pin))
+   return true;
+
+   return false;
+}
+
+int amd_gpio_suspend(struct device *dev)
+{
+   struct platform_device *pdev = to_platform_device(dev);
+   struct amd_gpio *gpio_dev = platform_get_drvdata(pdev);
+   struct pinctrl_desc *desc = gpio_dev->pctrl->desc;
+   int i;
+
+   for (i = 0; i < desc->npins; i++) {
+   int pin = desc->pins[i].number;
+
+   if (!amd_gpio_should_save(gpio_dev, pin))
+   continue;
+
+   gpio_dev->saved_regs[i] = readl(gpio_dev->base + pin*4);
+   }
+
+   return 0;
+}
+
+int amd_gpio_resume(struct device *dev)
+{
+   struct platform_device *pdev = to_platform_device(dev);
+   struct amd_gpio *gpio_dev = platform_get_drvdata(pdev);
+   struct pinctrl_desc *desc = gpio_dev->pctrl->desc;
+   int i;
+
+   for (i = 0; i < desc->npins; i++) {
+   int pin = desc->pins[i].number;
+
+   if (!amd_gpio_should_save(gpio_dev, pin))
+   continue;
+
+   writel(gpio_dev->saved_regs[i], gpio_dev->base + pin*4);
+   }
+
+   return 0;
+}
+
+static const struct dev_pm_ops amd_gpio_pm_ops = {
+   SET_LATE_SYSTEM_SLEEP_PM_OPS(amd_gpio_suspend,
+amd_gpio_resume)
+};
+#endif
+
 static struct pinctrl_desc amd_pinctrl_desc = {
.pins   = kerncz_pins,
.npins = ARRAY_SIZE(kerncz_pins),
@@ -764,6 +828,14 @@ static int amd_gpio_probe(struct platfor
return -EINVAL;
}
 
+#ifdef CONFIG_PM_SLEEP
+   gpio_dev->saved_regs = devm_kcalloc(>dev, amd_pinctrl_desc.npins,
+   sizeof(*gpio_dev->saved_regs),
+   GFP_KERNEL);
+   if (!gpio_dev->saved_regs)
+   return -ENOMEM;
+#endif
+
gpio_dev->pdev = pdev;
gpio_dev->gc.direction_input= amd_gpio_direction_input;
gpio_dev->gc.direction_output   = amd_gpio_direction_output;
@@ -853,6 +925,9 @@ static struct platform_driver amd_gpio_d
.driver = {
.name   = "amd_gpio",
.acpi_match_table = ACPI_PTR(amd_gpio_acpi_match),
+#ifdef CONFIG_PM_SLEEP
+   .pm = _gpio_pm_ops,
+#endif
},
.probe  = amd_gpio_probe,
.remove = amd_gpio_remove,
--- a/drivers/pinctrl/pinctrl-amd.h
+++ b/drivers/pinctrl/pinctrl-amd.h
@@ -97,6 +97,7 @@ struct amd_gpio {
unsigned inthwbank_num;
struct resource *res;
struct platform_device  *pdev;
+   u32 *saved_regs;
 };
 
 /*  KERNCZ configuration*/

[PATCH 4.13 023/109] MIPS: math-emu: <MADDF|MSUBF>.<D|S>: Fix NaN propagation

[Greg Kroah-Hartman]

4.13-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit e840be6e7057757befc3581e1699e30fe7f0dd51 upstream.

Fix the cases of . when any of three inputs is any
NaN. Correct behavior of . fd, fs, ft is following:

  - if any of inputs is sNaN, return a sNaN using following rules: if
only one input is sNaN, return that one; if more than one input is
sNaN, order of precedence for return value is fd, fs, ft
  - if no input is sNaN, but at least one of inputs is qNaN, return a
qNaN using following rules: if only one input is qNaN, return that
one; if more than one input is qNaN, order of precedence for
return value is fd, fs, ft

The previous code contained correct handling of some above cases, but
not all. Also, such handling was scattered into various cases of
"switch (CLPAIR(xc, yc))" statement, and elsewhere. With this patch,
this logic is placed in one place, and "switch (CLPAIR(xc, yc))" is
significantly simplified.

A relevant example:

MADDF.S fd,fs,ft:
  If fs contains qNaN1, ft contains qNaN2, and fd contains qNaN3, fd
  is going to contain qNaN3 (without this patch, it used to contain
  qNaN1).

Fixes: e24c3bec3e8e ("MIPS: math-emu: Add support for the MIPS R6 MADDF FPU 
instruction")
Fixes: 83d43305a1df ("MIPS: math-emu: Add support for the MIPS R6 MSUBF FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16886/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_maddf.c |   66 --
 arch/mips/math-emu/sp_maddf.c |   66 +-
 2 files changed, 41 insertions(+), 91 deletions(-)

--- a/arch/mips/math-emu/dp_maddf.c
+++ b/arch/mips/math-emu/dp_maddf.c
@@ -48,52 +48,34 @@ static union ieee754dp _dp_maddf(union i
 
ieee754_clearcx();
 
-   switch (zc) {
-   case IEEE754_CLASS_SNAN:
-   ieee754_setcx(IEEE754_INVALID_OPERATION);
+   /*
+* Handle the cases when at least one of x, y or z is a NaN.
+* Order of precedence is sNaN, qNaN and z, x, y.
+*/
+   if (zc == IEEE754_CLASS_SNAN)
return ieee754dp_nanxcpt(z);
-   case IEEE754_CLASS_DNORM:
-   DPDNORMZ;
-   /* QNAN and ZERO cases are handled separately below */
-   }
-
-   switch (CLPAIR(xc, yc)) {
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_SNAN):
-   case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_SNAN):
-   case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_SNAN):
-   case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_SNAN):
-   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_SNAN):
-   return ieee754dp_nanxcpt(y);
-
-   case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_SNAN):
-   case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_QNAN):
-   case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_ZERO):
-   case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_NORM):
-   case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_DNORM):
-   case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_INF):
+   if (xc == IEEE754_CLASS_SNAN)
return ieee754dp_nanxcpt(x);
-
-   case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_QNAN):
-   case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_QNAN):
-   case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_QNAN):
-   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_QNAN):
+   if (yc == IEEE754_CLASS_SNAN)
+   return ieee754dp_nanxcpt(y);
+   if (zc == IEEE754_CLASS_QNAN)
+   return z;
+   if (xc == IEEE754_CLASS_QNAN)
+   return x;
+   if (yc == IEEE754_CLASS_QNAN)
return y;
 
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_ZERO):
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_NORM):
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_DNORM):
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_INF):
-   return x;
+   if (zc == IEEE754_CLASS_DNORM)
+   DPDNORMZ;
+   /* ZERO z cases are handled separately below */
 
+   switch (CLPAIR(xc, yc)) {
 
/*
 * Infinity handling
 */
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_ZERO):
 

[PATCH 4.13 002/109] : Fix copy_in_user() declaration

[Greg Kroah-Hartman]

4.13-stable review patch.  If anyone has any objections, please let me know.

--

From: Bart Van Assche 

commit f58e76c1c551c7577b25a6fe493d82f5214331b7 upstream.

copy_in_user() copies data from user-space address @from to user-
space address @to. Hence declare both @from and @to as user-space
pointers.

Fixes: commit d597580d3737 ("generic ...copy_..._user primitives")
Signed-off-by: Bart Van Assche 
Signed-off-by: Al Viro 
Signed-off-by: Greg Kroah-Hartman 

---
 include/linux/uaccess.h |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -156,7 +156,7 @@ copy_to_user(void __user *to, const void
 }
 #ifdef CONFIG_COMPAT
 static __always_inline unsigned long __must_check
-copy_in_user(void __user *to, const void *from, unsigned long n)
+copy_in_user(void __user *to, const void __user *from, unsigned long n)
 {
might_fault();
if (access_ok(VERIFY_WRITE, to, n) && access_ok(VERIFY_READ, from, n))

[PATCH 4.13 015/109] pinctrl/amd: save pin registers over suspend/resume

[Greg Kroah-Hartman]

4.13-stable review patch.  If anyone has any objections, please let me know.

--

From: Daniel Drake 

commit 79d2c8bede2c93f9432d7da0bc2f76a195c90fc0 upstream.

The touchpad in the Asus laptop models X505BA/BP and X542BA/BP is
unresponsive after suspend/resume. The following error appears during
resume:

  i2c_hid i2c-ELAN1300:00: failed to reset device.

The problem here is that i2c_hid does not notice the interrupt being
generated at this point, because the GPIO is no longer configured
for interrupts.

Fix this by saving pinctrl-amd pin registers during suspend and
restoring them at resume time.

Based on code from pinctrl-intel.

Signed-off-by: Daniel Drake 
Signed-off-by: Linus Walleij 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/pinctrl/pinctrl-amd.c |   75 ++
 drivers/pinctrl/pinctrl-amd.h |1 
 2 files changed, 76 insertions(+)

--- a/drivers/pinctrl/pinctrl-amd.c
+++ b/drivers/pinctrl/pinctrl-amd.c
@@ -36,6 +36,7 @@
 #include 
 #include 
 
+#include "core.h"
 #include "pinctrl-utils.h"
 #include "pinctrl-amd.h"
 
@@ -725,6 +726,69 @@ static const struct pinconf_ops amd_pinc
.pin_config_group_set = amd_pinconf_group_set,
 };
 
+#ifdef CONFIG_PM_SLEEP
+static bool amd_gpio_should_save(struct amd_gpio *gpio_dev, unsigned int pin)
+{
+   const struct pin_desc *pd = pin_desc_get(gpio_dev->pctrl, pin);
+
+   if (!pd)
+   return false;
+
+   /*
+* Only restore the pin if it is actually in use by the kernel (or
+* by userspace).
+*/
+   if (pd->mux_owner || pd->gpio_owner ||
+   gpiochip_line_is_irq(_dev->gc, pin))
+   return true;
+
+   return false;
+}
+
+int amd_gpio_suspend(struct device *dev)
+{
+   struct platform_device *pdev = to_platform_device(dev);
+   struct amd_gpio *gpio_dev = platform_get_drvdata(pdev);
+   struct pinctrl_desc *desc = gpio_dev->pctrl->desc;
+   int i;
+
+   for (i = 0; i < desc->npins; i++) {
+   int pin = desc->pins[i].number;
+
+   if (!amd_gpio_should_save(gpio_dev, pin))
+   continue;
+
+   gpio_dev->saved_regs[i] = readl(gpio_dev->base + pin*4);
+   }
+
+   return 0;
+}
+
+int amd_gpio_resume(struct device *dev)
+{
+   struct platform_device *pdev = to_platform_device(dev);
+   struct amd_gpio *gpio_dev = platform_get_drvdata(pdev);
+   struct pinctrl_desc *desc = gpio_dev->pctrl->desc;
+   int i;
+
+   for (i = 0; i < desc->npins; i++) {
+   int pin = desc->pins[i].number;
+
+   if (!amd_gpio_should_save(gpio_dev, pin))
+   continue;
+
+   writel(gpio_dev->saved_regs[i], gpio_dev->base + pin*4);
+   }
+
+   return 0;
+}
+
+static const struct dev_pm_ops amd_gpio_pm_ops = {
+   SET_LATE_SYSTEM_SLEEP_PM_OPS(amd_gpio_suspend,
+amd_gpio_resume)
+};
+#endif
+
 static struct pinctrl_desc amd_pinctrl_desc = {
.pins   = kerncz_pins,
.npins = ARRAY_SIZE(kerncz_pins),
@@ -764,6 +828,14 @@ static int amd_gpio_probe(struct platfor
return -EINVAL;
}
 
+#ifdef CONFIG_PM_SLEEP
+   gpio_dev->saved_regs = devm_kcalloc(>dev, amd_pinctrl_desc.npins,
+   sizeof(*gpio_dev->saved_regs),
+   GFP_KERNEL);
+   if (!gpio_dev->saved_regs)
+   return -ENOMEM;
+#endif
+
gpio_dev->pdev = pdev;
gpio_dev->gc.direction_input= amd_gpio_direction_input;
gpio_dev->gc.direction_output   = amd_gpio_direction_output;
@@ -853,6 +925,9 @@ static struct platform_driver amd_gpio_d
.driver = {
.name   = "amd_gpio",
.acpi_match_table = ACPI_PTR(amd_gpio_acpi_match),
+#ifdef CONFIG_PM_SLEEP
+   .pm = _gpio_pm_ops,
+#endif
},
.probe  = amd_gpio_probe,
.remove = amd_gpio_remove,
--- a/drivers/pinctrl/pinctrl-amd.h
+++ b/drivers/pinctrl/pinctrl-amd.h
@@ -97,6 +97,7 @@ struct amd_gpio {
unsigned inthwbank_num;
struct resource *res;
struct platform_device  *pdev;
+   u32 *saved_regs;
 };
 
 /*  KERNCZ configuration*/

[PATCH 4.13 023/109] MIPS: math-emu: .: Fix NaN propagation

[Greg Kroah-Hartman]

4.13-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit e840be6e7057757befc3581e1699e30fe7f0dd51 upstream.

Fix the cases of . when any of three inputs is any
NaN. Correct behavior of . fd, fs, ft is following:

  - if any of inputs is sNaN, return a sNaN using following rules: if
only one input is sNaN, return that one; if more than one input is
sNaN, order of precedence for return value is fd, fs, ft
  - if no input is sNaN, but at least one of inputs is qNaN, return a
qNaN using following rules: if only one input is qNaN, return that
one; if more than one input is qNaN, order of precedence for
return value is fd, fs, ft

The previous code contained correct handling of some above cases, but
not all. Also, such handling was scattered into various cases of
"switch (CLPAIR(xc, yc))" statement, and elsewhere. With this patch,
this logic is placed in one place, and "switch (CLPAIR(xc, yc))" is
significantly simplified.

A relevant example:

MADDF.S fd,fs,ft:
  If fs contains qNaN1, ft contains qNaN2, and fd contains qNaN3, fd
  is going to contain qNaN3 (without this patch, it used to contain
  qNaN1).

Fixes: e24c3bec3e8e ("MIPS: math-emu: Add support for the MIPS R6 MADDF FPU 
instruction")
Fixes: 83d43305a1df ("MIPS: math-emu: Add support for the MIPS R6 MSUBF FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16886/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_maddf.c |   66 --
 arch/mips/math-emu/sp_maddf.c |   66 +-
 2 files changed, 41 insertions(+), 91 deletions(-)

--- a/arch/mips/math-emu/dp_maddf.c
+++ b/arch/mips/math-emu/dp_maddf.c
@@ -48,52 +48,34 @@ static union ieee754dp _dp_maddf(union i
 
ieee754_clearcx();
 
-   switch (zc) {
-   case IEEE754_CLASS_SNAN:
-   ieee754_setcx(IEEE754_INVALID_OPERATION);
+   /*
+* Handle the cases when at least one of x, y or z is a NaN.
+* Order of precedence is sNaN, qNaN and z, x, y.
+*/
+   if (zc == IEEE754_CLASS_SNAN)
return ieee754dp_nanxcpt(z);
-   case IEEE754_CLASS_DNORM:
-   DPDNORMZ;
-   /* QNAN and ZERO cases are handled separately below */
-   }
-
-   switch (CLPAIR(xc, yc)) {
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_SNAN):
-   case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_SNAN):
-   case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_SNAN):
-   case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_SNAN):
-   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_SNAN):
-   return ieee754dp_nanxcpt(y);
-
-   case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_SNAN):
-   case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_QNAN):
-   case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_ZERO):
-   case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_NORM):
-   case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_DNORM):
-   case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_INF):
+   if (xc == IEEE754_CLASS_SNAN)
return ieee754dp_nanxcpt(x);
-
-   case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_QNAN):
-   case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_QNAN):
-   case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_QNAN):
-   case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_QNAN):
+   if (yc == IEEE754_CLASS_SNAN)
+   return ieee754dp_nanxcpt(y);
+   if (zc == IEEE754_CLASS_QNAN)
+   return z;
+   if (xc == IEEE754_CLASS_QNAN)
+   return x;
+   if (yc == IEEE754_CLASS_QNAN)
return y;
 
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_ZERO):
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_NORM):
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_DNORM):
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_INF):
-   return x;
+   if (zc == IEEE754_CLASS_DNORM)
+   DPDNORMZ;
+   /* ZERO z cases are handled separately below */
 
+   switch (CLPAIR(xc, yc)) {
 
/*
 * Infinity handling
 */
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_INF):
-   if (zc == IEEE754_CLASS_QNAN)
-   return z;
ieee754_setcx(IEEE754_INVALID_OPERATION);
return ieee754dp_indef();
 
@@ -102,8 +84,6 @@ static union ieee754dp _dp_maddf(union i
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):

[PATCH 4.13 003/109] IB/hfi1: Revert egress pkey check enforcement

[Greg Kroah-Hartman]

4.13-stable review patch.  If anyone has any objections, please let me know.

--

From: Alex Estrin 

commit ecdb19f4b513033e6f2c4326cd5b81e04393e5e1 upstream.

Current code has some serious flaws. Disarm the flag
pending an appropriate patch.

Fixes: 53526500f301 ("IB/hfi1: Permanently enable P_Key checking in HFI")
Reviewed-by: Mike Marciniszyn 
Signed-off-by: Alex Estrin 
Signed-off-by: Dennis Dalessandro 
Signed-off-by: Doug Ledford 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/infiniband/hw/hfi1/init.c |1 -
 1 file changed, 1 deletion(-)

--- a/drivers/infiniband/hw/hfi1/init.c
+++ b/drivers/infiniband/hw/hfi1/init.c
@@ -483,7 +483,6 @@ void hfi1_init_pportdata(struct pci_dev
 
ppd->pkeys[default_pkey_idx] = DEFAULT_P_KEY;
ppd->part_enforce |= HFI1_PART_ENFORCE_IN;
-   ppd->part_enforce |= HFI1_PART_ENFORCE_OUT;
 
if (loopback) {
hfi1_early_err(>dev,

[PATCH 4.13 003/109] IB/hfi1: Revert egress pkey check enforcement

[Greg Kroah-Hartman]

4.13-stable review patch.  If anyone has any objections, please let me know.

--

From: Alex Estrin 

commit ecdb19f4b513033e6f2c4326cd5b81e04393e5e1 upstream.

Current code has some serious flaws. Disarm the flag
pending an appropriate patch.

Fixes: 53526500f301 ("IB/hfi1: Permanently enable P_Key checking in HFI")
Reviewed-by: Mike Marciniszyn 
Signed-off-by: Alex Estrin 
Signed-off-by: Dennis Dalessandro 
Signed-off-by: Doug Ledford 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/infiniband/hw/hfi1/init.c |1 -
 1 file changed, 1 deletion(-)

--- a/drivers/infiniband/hw/hfi1/init.c
+++ b/drivers/infiniband/hw/hfi1/init.c
@@ -483,7 +483,6 @@ void hfi1_init_pportdata(struct pci_dev
 
ppd->pkeys[default_pkey_idx] = DEFAULT_P_KEY;
ppd->part_enforce |= HFI1_PART_ENFORCE_IN;
-   ppd->part_enforce |= HFI1_PART_ENFORCE_OUT;
 
if (loopback) {
hfi1_early_err(>dev,

[PATCH 4.9 77/77] genirq: Make sparse_irq_lock protect what it should protect

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Thomas Gleixner 

commit 12ac1d0f6c3e95732d144ffa65c8b20fbd9aa462 upstream.

for_each_active_irq() iterates the sparse irq allocation bitmap. The caller
must hold sparse_irq_lock. Several code pathes expect that an active bit in
the sparse bitmap also has a valid interrupt descriptor.

Unfortunately that's not true. The (de)allocation is a two step process,
which holds the sparse_irq_lock only across the queue/remove from the radix
tree and the set/clear in the allocation bitmap.

If a iteration locks sparse_irq_lock between the two steps, then it might
see an active bit but the corresponding irq descriptor is NULL. If that is
dereferenced unconditionally, then the kernel oopses. Of course, all
iterator sites could be audited and fixed, but

There is no reason why the sparse_irq_lock needs to be dropped between the
two steps, in fact the code becomes simpler when the mutex is held across
both and the semantics become more straight forward, so future problems of
missing NULL pointer checks in the iteration are avoided and all existing
sites are fixed in one go.

Expand the lock held sections so both operations are covered and the bitmap
and the radixtree are in sync.

Fixes: a05a900a51c7 ("genirq: Make sparse_lock a mutex")
Reported-and-tested-by: Huang Ying 
Signed-off-by: Thomas Gleixner 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/irq/irqdesc.c |   24 +++-
 1 file changed, 7 insertions(+), 17 deletions(-)

--- a/kernel/irq/irqdesc.c
+++ b/kernel/irq/irqdesc.c
@@ -405,10 +405,8 @@ static void free_desc(unsigned int irq)
 * The sysfs entry must be serialized against a concurrent
 * irq_sysfs_init() as well.
 */
-   mutex_lock(_irq_lock);
kobject_del(>kobj);
delete_irq_desc(irq);
-   mutex_unlock(_irq_lock);
 
/*
 * We free the descriptor, masks and stat fields via RCU. That
@@ -446,20 +444,15 @@ static int alloc_descs(unsigned int star
desc = alloc_desc(start + i, node, flags, mask, owner);
if (!desc)
goto err;
-   mutex_lock(_irq_lock);
irq_insert_desc(start + i, desc);
irq_sysfs_add(start + i, desc);
-   mutex_unlock(_irq_lock);
}
+   bitmap_set(allocated_irqs, start, cnt);
return start;
 
 err:
for (i--; i >= 0; i--)
free_desc(start + i);
-
-   mutex_lock(_irq_lock);
-   bitmap_clear(allocated_irqs, start, cnt);
-   mutex_unlock(_irq_lock);
return -ENOMEM;
 }
 
@@ -558,6 +551,7 @@ static inline int alloc_descs(unsigned i
 
desc->owner = owner;
}
+   bitmap_set(allocated_irqs, start, cnt);
return start;
 }
 
@@ -653,10 +647,10 @@ void irq_free_descs(unsigned int from, u
if (from >= nr_irqs || (from + cnt) > nr_irqs)
return;
 
+   mutex_lock(_irq_lock);
for (i = 0; i < cnt; i++)
free_desc(from + i);
 
-   mutex_lock(_irq_lock);
bitmap_clear(allocated_irqs, from, cnt);
mutex_unlock(_irq_lock);
 }
@@ -703,19 +697,15 @@ __irq_alloc_descs(int irq, unsigned int
   from, cnt, 0);
ret = -EEXIST;
if (irq >=0 && start != irq)
-   goto err;
+   goto unlock;
 
if (start + cnt > nr_irqs) {
ret = irq_expand_nr_irqs(start + cnt);
if (ret)
-   goto err;
+   goto unlock;
}
-
-   bitmap_set(allocated_irqs, start, cnt);
-   mutex_unlock(_irq_lock);
-   return alloc_descs(start, cnt, node, affinity, owner);
-
-err:
+   ret = alloc_descs(start, cnt, node, affinity, owner);
+unlock:
mutex_unlock(_irq_lock);
return ret;
 }

[PATCH 4.9 77/77] genirq: Make sparse_irq_lock protect what it should protect

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Thomas Gleixner 

commit 12ac1d0f6c3e95732d144ffa65c8b20fbd9aa462 upstream.

for_each_active_irq() iterates the sparse irq allocation bitmap. The caller
must hold sparse_irq_lock. Several code pathes expect that an active bit in
the sparse bitmap also has a valid interrupt descriptor.

Unfortunately that's not true. The (de)allocation is a two step process,
which holds the sparse_irq_lock only across the queue/remove from the radix
tree and the set/clear in the allocation bitmap.

If a iteration locks sparse_irq_lock between the two steps, then it might
see an active bit but the corresponding irq descriptor is NULL. If that is
dereferenced unconditionally, then the kernel oopses. Of course, all
iterator sites could be audited and fixed, but

There is no reason why the sparse_irq_lock needs to be dropped between the
two steps, in fact the code becomes simpler when the mutex is held across
both and the semantics become more straight forward, so future problems of
missing NULL pointer checks in the iteration are avoided and all existing
sites are fixed in one go.

Expand the lock held sections so both operations are covered and the bitmap
and the radixtree are in sync.

Fixes: a05a900a51c7 ("genirq: Make sparse_lock a mutex")
Reported-and-tested-by: Huang Ying 
Signed-off-by: Thomas Gleixner 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/irq/irqdesc.c |   24 +++-
 1 file changed, 7 insertions(+), 17 deletions(-)

--- a/kernel/irq/irqdesc.c
+++ b/kernel/irq/irqdesc.c
@@ -405,10 +405,8 @@ static void free_desc(unsigned int irq)
 * The sysfs entry must be serialized against a concurrent
 * irq_sysfs_init() as well.
 */
-   mutex_lock(_irq_lock);
kobject_del(>kobj);
delete_irq_desc(irq);
-   mutex_unlock(_irq_lock);
 
/*
 * We free the descriptor, masks and stat fields via RCU. That
@@ -446,20 +444,15 @@ static int alloc_descs(unsigned int star
desc = alloc_desc(start + i, node, flags, mask, owner);
if (!desc)
goto err;
-   mutex_lock(_irq_lock);
irq_insert_desc(start + i, desc);
irq_sysfs_add(start + i, desc);
-   mutex_unlock(_irq_lock);
}
+   bitmap_set(allocated_irqs, start, cnt);
return start;
 
 err:
for (i--; i >= 0; i--)
free_desc(start + i);
-
-   mutex_lock(_irq_lock);
-   bitmap_clear(allocated_irqs, start, cnt);
-   mutex_unlock(_irq_lock);
return -ENOMEM;
 }
 
@@ -558,6 +551,7 @@ static inline int alloc_descs(unsigned i
 
desc->owner = owner;
}
+   bitmap_set(allocated_irqs, start, cnt);
return start;
 }
 
@@ -653,10 +647,10 @@ void irq_free_descs(unsigned int from, u
if (from >= nr_irqs || (from + cnt) > nr_irqs)
return;
 
+   mutex_lock(_irq_lock);
for (i = 0; i < cnt; i++)
free_desc(from + i);
 
-   mutex_lock(_irq_lock);
bitmap_clear(allocated_irqs, from, cnt);
mutex_unlock(_irq_lock);
 }
@@ -703,19 +697,15 @@ __irq_alloc_descs(int irq, unsigned int
   from, cnt, 0);
ret = -EEXIST;
if (irq >=0 && start != irq)
-   goto err;
+   goto unlock;
 
if (start + cnt > nr_irqs) {
ret = irq_expand_nr_irqs(start + cnt);
if (ret)
-   goto err;
+   goto unlock;
}
-
-   bitmap_set(allocated_irqs, start, cnt);
-   mutex_unlock(_irq_lock);
-   return alloc_descs(start, cnt, node, affinity, owner);
-
-err:
+   ret = alloc_descs(start, cnt, node, affinity, owner);
+unlock:
mutex_unlock(_irq_lock);
return ret;
 }

[PATCH 4.9 65/77] media: uvcvideo: Prevent heap overflow when accessing mapped controls

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Guenter Roeck 

commit 7e09f7d5c790278ab98e5f2c22307ebe8ad6e8ba upstream.

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

Originally-from: Richard Simmons 

Signed-off-by: Guenter Roeck 
Reviewed-by: Laurent Pinchart 
Signed-off-by: Hans Verkuil 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/media/usb/uvc/uvc_ctrl.c |7 +++
 1 file changed, 7 insertions(+)

--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -2002,6 +2002,13 @@ int uvc_ctrl_add_mapping(struct uvc_vide
goto done;
}
 
+   /* Validate the user-provided bit-size and offset */
+   if (mapping->size > 32 ||
+   mapping->offset + mapping->size > ctrl->info.size * 8) {
+   ret = -EINVAL;
+   goto done;
+   }
+
list_for_each_entry(map, >info.mappings, list) {
if (mapping->id == map->id) {
uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s', "

[PATCH 4.9 63/77] s390/mm: fix race on mm->context.flush_mm

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Martin Schwidefsky 

commit 60f07c8ec5fae06c23e9fd7bab67dabce92b3414 upstream.

The order in __tlb_flush_mm_lazy is to flush TLB first and then clear
the mm->context.flush_mm bit. This can lead to missed flushes as the
bit can be set anytime, the order needs to be the other way aronud.

But this leads to a different race, __tlb_flush_mm_lazy may be called
on two CPUs concurrently. If mm->context.flush_mm is cleared first then
another CPU can bypass __tlb_flush_mm_lazy although the first CPU has
not done the flush yet. In a virtualized environment the time until the
flush is finally completed can be arbitrarily long.

Add a spinlock to serialize __tlb_flush_mm_lazy and use the function
in finish_arch_post_lock_switch as well.

Reviewed-by: Heiko Carstens 
Signed-off-by: Martin Schwidefsky 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/s390/include/asm/mmu.h |2 ++
 arch/s390/include/asm/mmu_context.h |4 ++--
 arch/s390/include/asm/tlbflush.h|4 +++-
 3 files changed, 7 insertions(+), 3 deletions(-)

--- a/arch/s390/include/asm/mmu.h
+++ b/arch/s390/include/asm/mmu.h
@@ -5,6 +5,7 @@
 #include 
 
 typedef struct {
+   spinlock_t lock;
cpumask_t cpu_attach_mask;
atomic_t flush_count;
unsigned int flush_mm;
@@ -25,6 +26,7 @@ typedef struct {
 } mm_context_t;
 
 #define INIT_MM_CONTEXT(name) \
+   .context.lock = __SPIN_LOCK_UNLOCKED(name.context.lock),   \
.context.pgtable_lock =\
__SPIN_LOCK_UNLOCKED(name.context.pgtable_lock),   \
.context.pgtable_list = LIST_HEAD_INIT(name.context.pgtable_list), \
--- a/arch/s390/include/asm/mmu_context.h
+++ b/arch/s390/include/asm/mmu_context.h
@@ -15,6 +15,7 @@
 static inline int init_new_context(struct task_struct *tsk,
   struct mm_struct *mm)
 {
+   spin_lock_init(>context.lock);
spin_lock_init(>context.pgtable_lock);
INIT_LIST_HEAD(>context.pgtable_list);
spin_lock_init(>context.gmap_lock);
@@ -111,8 +112,7 @@ static inline void finish_arch_post_lock
while (atomic_read(>context.flush_count))
cpu_relax();
cpumask_set_cpu(smp_processor_id(), mm_cpumask(mm));
-   if (mm->context.flush_mm)
-   __tlb_flush_mm(mm);
+   __tlb_flush_mm_lazy(mm);
preempt_enable();
}
set_fs(current->thread.mm_segment);
--- a/arch/s390/include/asm/tlbflush.h
+++ b/arch/s390/include/asm/tlbflush.h
@@ -96,10 +96,12 @@ static inline void __tlb_flush_kernel(vo
 
 static inline void __tlb_flush_mm_lazy(struct mm_struct * mm)
 {
+   spin_lock(>context.lock);
if (mm->context.flush_mm) {
-   __tlb_flush_mm(mm);
mm->context.flush_mm = 0;
+   __tlb_flush_mm(mm);
}
+   spin_unlock(>context.lock);
 }
 
 /*

[PATCH 4.9 65/77] media: uvcvideo: Prevent heap overflow when accessing mapped controls

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Guenter Roeck 

commit 7e09f7d5c790278ab98e5f2c22307ebe8ad6e8ba upstream.

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

Originally-from: Richard Simmons 

Signed-off-by: Guenter Roeck 
Reviewed-by: Laurent Pinchart 
Signed-off-by: Hans Verkuil 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/media/usb/uvc/uvc_ctrl.c |7 +++
 1 file changed, 7 insertions(+)

--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -2002,6 +2002,13 @@ int uvc_ctrl_add_mapping(struct uvc_vide
goto done;
}
 
+   /* Validate the user-provided bit-size and offset */
+   if (mapping->size > 32 ||
+   mapping->offset + mapping->size > ctrl->info.size * 8) {
+   ret = -EINVAL;
+   goto done;
+   }
+
list_for_each_entry(map, >info.mappings, list) {
if (mapping->id == map->id) {
uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s', "

[PATCH 4.9 63/77] s390/mm: fix race on mm->context.flush_mm

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Martin Schwidefsky 

commit 60f07c8ec5fae06c23e9fd7bab67dabce92b3414 upstream.

The order in __tlb_flush_mm_lazy is to flush TLB first and then clear
the mm->context.flush_mm bit. This can lead to missed flushes as the
bit can be set anytime, the order needs to be the other way aronud.

But this leads to a different race, __tlb_flush_mm_lazy may be called
on two CPUs concurrently. If mm->context.flush_mm is cleared first then
another CPU can bypass __tlb_flush_mm_lazy although the first CPU has
not done the flush yet. In a virtualized environment the time until the
flush is finally completed can be arbitrarily long.

Add a spinlock to serialize __tlb_flush_mm_lazy and use the function
in finish_arch_post_lock_switch as well.

Reviewed-by: Heiko Carstens 
Signed-off-by: Martin Schwidefsky 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/s390/include/asm/mmu.h |2 ++
 arch/s390/include/asm/mmu_context.h |4 ++--
 arch/s390/include/asm/tlbflush.h|4 +++-
 3 files changed, 7 insertions(+), 3 deletions(-)

--- a/arch/s390/include/asm/mmu.h
+++ b/arch/s390/include/asm/mmu.h
@@ -5,6 +5,7 @@
 #include 
 
 typedef struct {
+   spinlock_t lock;
cpumask_t cpu_attach_mask;
atomic_t flush_count;
unsigned int flush_mm;
@@ -25,6 +26,7 @@ typedef struct {
 } mm_context_t;
 
 #define INIT_MM_CONTEXT(name) \
+   .context.lock = __SPIN_LOCK_UNLOCKED(name.context.lock),   \
.context.pgtable_lock =\
__SPIN_LOCK_UNLOCKED(name.context.pgtable_lock),   \
.context.pgtable_list = LIST_HEAD_INIT(name.context.pgtable_list), \
--- a/arch/s390/include/asm/mmu_context.h
+++ b/arch/s390/include/asm/mmu_context.h
@@ -15,6 +15,7 @@
 static inline int init_new_context(struct task_struct *tsk,
   struct mm_struct *mm)
 {
+   spin_lock_init(>context.lock);
spin_lock_init(>context.pgtable_lock);
INIT_LIST_HEAD(>context.pgtable_list);
spin_lock_init(>context.gmap_lock);
@@ -111,8 +112,7 @@ static inline void finish_arch_post_lock
while (atomic_read(>context.flush_count))
cpu_relax();
cpumask_set_cpu(smp_processor_id(), mm_cpumask(mm));
-   if (mm->context.flush_mm)
-   __tlb_flush_mm(mm);
+   __tlb_flush_mm_lazy(mm);
preempt_enable();
}
set_fs(current->thread.mm_segment);
--- a/arch/s390/include/asm/tlbflush.h
+++ b/arch/s390/include/asm/tlbflush.h
@@ -96,10 +96,12 @@ static inline void __tlb_flush_kernel(vo
 
 static inline void __tlb_flush_mm_lazy(struct mm_struct * mm)
 {
+   spin_lock(>context.lock);
if (mm->context.flush_mm) {
-   __tlb_flush_mm(mm);
mm->context.flush_mm = 0;
+   __tlb_flush_mm(mm);
}
+   spin_unlock(>context.lock);
 }
 
 /*

[PATCH 4.9 72/77] bcache: fix for gc and write-back race

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Tang Junhui 

commit 9baf30972b5568d8b5bc8b3c46a6ec5b58100463 upstream.

gc and write-back get raced (see the email "bcache get stucked" I sended
before):
gc thread   write-back thread
|   |bch_writeback_thread()
|bch_gc_thread()|
|   |==>read_dirty()
|==>bch_btree_gc()  |
|==>btree_root() //get btree root   |
|//node write locker|
|==>bch_btree_gc_root() |
|   |==>read_dirty_submit()
|   |==>write_dirty()
|   |==>continue_at(cl,
|   |   write_dirty_finish,
|   |   system_wq);
|   |==>write_dirty_finish()//excute
|   |   //in system_wq
|   |==>bch_btree_insert()
|   |==>bch_btree_map_leaf_nodes()
|   |==>__bch_btree_map_nodes()
|   |==>btree_root //try to get btree
|   |  //root node read
|   |  //lock
|   |-stuck here
|==>bch_btree_set_root()
|==>bch_journal_meta()
|==>bch_journal()
|==>journal_try_write()
|==>journal_write_unlocked() //journal_full(>journal)
|//condition satisfied
|==>continue_at(cl, journal_write, system_wq); //try to excute
|   //journal_write in system_wq
|   //but work queue is excuting
|   //write_dirty_finish()
|==>closure_sync(); //wait journal_write execute
|   //over and wake up gc,
|-stuck here
|==>release root node write locker

This patch alloc a separate work-queue for write-back thread to avoid such
race.

(Commit log re-organized by Coly Li to pass checkpatch.pl checking)

Signed-off-by: Tang Junhui 
Acked-by: Coly Li 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/bcache.h|1 +
 drivers/md/bcache/super.c |2 ++
 drivers/md/bcache/writeback.c |9 +++--
 3 files changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/md/bcache/bcache.h
+++ b/drivers/md/bcache/bcache.h
@@ -333,6 +333,7 @@ struct cached_dev {
/* Limit number of writeback bios in flight */
struct semaphorein_flight;
struct task_struct  *writeback_thread;
+   struct workqueue_struct *writeback_write_wq;
 
struct keybuf   writeback_keys;
 
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1058,6 +1058,8 @@ static void cached_dev_free(struct closu
cancel_delayed_work_sync(>writeback_rate_update);
if (!IS_ERR_OR_NULL(dc->writeback_thread))
kthread_stop(dc->writeback_thread);
+   if (dc->writeback_write_wq)
+   destroy_workqueue(dc->writeback_write_wq);
 
mutex_lock(_register_lock);
 
--- a/drivers/md/bcache/writeback.c
+++ b/drivers/md/bcache/writeback.c
@@ -187,7 +187,7 @@ static void write_dirty(struct closure *
 
closure_bio_submit(>bio, cl);
 
-   continue_at(cl, write_dirty_finish, system_wq);
+   continue_at(cl, write_dirty_finish, io->dc->writeback_write_wq);
 }
 
 static void read_dirty_endio(struct bio *bio)
@@ -207,7 +207,7 @@ static void read_dirty_submit(struct clo
 
closure_bio_submit(>bio, cl);
 
-   continue_at(cl, write_dirty, system_wq);
+   continue_at(cl, write_dirty, io->dc->writeback_write_wq);
 }
 
 static void read_dirty(struct cached_dev *dc)
@@ -517,6 +517,11 @@ void bch_cached_dev_writeback_init(struc
 
 int bch_cached_dev_writeback_start(struct cached_dev *dc)
 {
+   dc->writeback_write_wq = alloc_workqueue("bcache_writeback_wq",
+   WQ_MEM_RECLAIM, 0);
+   if (!dc->writeback_write_wq)
+   return -ENOMEM;
+
dc->writeback_thread = kthread_create(bch_writeback_thread, dc,
  "bcache_writeback");
if (IS_ERR(dc->writeback_thread))

[PATCH 4.9 60/77] PCI: pciehp: Report power fault only once until we clear it

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Keith Busch 

commit 7612b3b28c0b900dcbcdf5e9b9747cc20a1e2455 upstream.

When a power fault occurs, the power controller sets Power Fault Detected
in the Slot Status register, and pciehp_isr() queues an INT_POWER_FAULT
event to handle it.

It also clears Power Fault Detected, but since nothing has yet changed to
correct the power fault, the power controller will likely set it again
immediately, which may cause an infinite loop when pcie_isr() rechecks
Slot Status.

Fix that by masking off Power Fault Detected from new events if the driver
hasn't seen the power fault clear from the previous handling attempt.

Fixes: fad214b0aa72 ("PCI: pciehp: Process all hotplug events before looking 
for new ones")
Signed-off-by: Keith Busch 
[bhelgaas: changelog, pull test out and add comment]
Signed-off-by: Bjorn Helgaas 
Cc: Mayurkumar Patel 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/pci/hotplug/pciehp_hpc.c |8 
 1 file changed, 8 insertions(+)

--- a/drivers/pci/hotplug/pciehp_hpc.c
+++ b/drivers/pci/hotplug/pciehp_hpc.c
@@ -586,6 +586,14 @@ static irqreturn_t pciehp_isr(int irq, v
events = status & (PCI_EXP_SLTSTA_ABP | PCI_EXP_SLTSTA_PFD |
   PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_CC |
   PCI_EXP_SLTSTA_DLLSC);
+
+   /*
+* If we've already reported a power fault, don't report it again
+* until we've done something to handle it.
+*/
+   if (ctrl->power_fault_detected)
+   events &= ~PCI_EXP_SLTSTA_PFD;
+
if (!events)
return IRQ_NONE;
 

[PATCH 4.9 60/77] PCI: pciehp: Report power fault only once until we clear it

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Keith Busch 

commit 7612b3b28c0b900dcbcdf5e9b9747cc20a1e2455 upstream.

When a power fault occurs, the power controller sets Power Fault Detected
in the Slot Status register, and pciehp_isr() queues an INT_POWER_FAULT
event to handle it.

It also clears Power Fault Detected, but since nothing has yet changed to
correct the power fault, the power controller will likely set it again
immediately, which may cause an infinite loop when pcie_isr() rechecks
Slot Status.

Fix that by masking off Power Fault Detected from new events if the driver
hasn't seen the power fault clear from the previous handling attempt.

Fixes: fad214b0aa72 ("PCI: pciehp: Process all hotplug events before looking 
for new ones")
Signed-off-by: Keith Busch 
[bhelgaas: changelog, pull test out and add comment]
Signed-off-by: Bjorn Helgaas 
Cc: Mayurkumar Patel 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/pci/hotplug/pciehp_hpc.c |8 
 1 file changed, 8 insertions(+)

--- a/drivers/pci/hotplug/pciehp_hpc.c
+++ b/drivers/pci/hotplug/pciehp_hpc.c
@@ -586,6 +586,14 @@ static irqreturn_t pciehp_isr(int irq, v
events = status & (PCI_EXP_SLTSTA_ABP | PCI_EXP_SLTSTA_PFD |
   PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_CC |
   PCI_EXP_SLTSTA_DLLSC);
+
+   /*
+* If we've already reported a power fault, don't report it again
+* until we've done something to handle it.
+*/
+   if (ctrl->power_fault_detected)
+   events &= ~PCI_EXP_SLTSTA_PFD;
+
if (!events)
return IRQ_NONE;
 

[PATCH 4.9 72/77] bcache: fix for gc and write-back race

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Tang Junhui 

commit 9baf30972b5568d8b5bc8b3c46a6ec5b58100463 upstream.

gc and write-back get raced (see the email "bcache get stucked" I sended
before):
gc thread   write-back thread
|   |bch_writeback_thread()
|bch_gc_thread()|
|   |==>read_dirty()
|==>bch_btree_gc()  |
|==>btree_root() //get btree root   |
|//node write locker|
|==>bch_btree_gc_root() |
|   |==>read_dirty_submit()
|   |==>write_dirty()
|   |==>continue_at(cl,
|   |   write_dirty_finish,
|   |   system_wq);
|   |==>write_dirty_finish()//excute
|   |   //in system_wq
|   |==>bch_btree_insert()
|   |==>bch_btree_map_leaf_nodes()
|   |==>__bch_btree_map_nodes()
|   |==>btree_root //try to get btree
|   |  //root node read
|   |  //lock
|   |-stuck here
|==>bch_btree_set_root()
|==>bch_journal_meta()
|==>bch_journal()
|==>journal_try_write()
|==>journal_write_unlocked() //journal_full(>journal)
|//condition satisfied
|==>continue_at(cl, journal_write, system_wq); //try to excute
|   //journal_write in system_wq
|   //but work queue is excuting
|   //write_dirty_finish()
|==>closure_sync(); //wait journal_write execute
|   //over and wake up gc,
|-stuck here
|==>release root node write locker

This patch alloc a separate work-queue for write-back thread to avoid such
race.

(Commit log re-organized by Coly Li to pass checkpatch.pl checking)

Signed-off-by: Tang Junhui 
Acked-by: Coly Li 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/bcache.h|1 +
 drivers/md/bcache/super.c |2 ++
 drivers/md/bcache/writeback.c |9 +++--
 3 files changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/md/bcache/bcache.h
+++ b/drivers/md/bcache/bcache.h
@@ -333,6 +333,7 @@ struct cached_dev {
/* Limit number of writeback bios in flight */
struct semaphorein_flight;
struct task_struct  *writeback_thread;
+   struct workqueue_struct *writeback_write_wq;
 
struct keybuf   writeback_keys;
 
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1058,6 +1058,8 @@ static void cached_dev_free(struct closu
cancel_delayed_work_sync(>writeback_rate_update);
if (!IS_ERR_OR_NULL(dc->writeback_thread))
kthread_stop(dc->writeback_thread);
+   if (dc->writeback_write_wq)
+   destroy_workqueue(dc->writeback_write_wq);
 
mutex_lock(_register_lock);
 
--- a/drivers/md/bcache/writeback.c
+++ b/drivers/md/bcache/writeback.c
@@ -187,7 +187,7 @@ static void write_dirty(struct closure *
 
closure_bio_submit(>bio, cl);
 
-   continue_at(cl, write_dirty_finish, system_wq);
+   continue_at(cl, write_dirty_finish, io->dc->writeback_write_wq);
 }
 
 static void read_dirty_endio(struct bio *bio)
@@ -207,7 +207,7 @@ static void read_dirty_submit(struct clo
 
closure_bio_submit(>bio, cl);
 
-   continue_at(cl, write_dirty, system_wq);
+   continue_at(cl, write_dirty, io->dc->writeback_write_wq);
 }
 
 static void read_dirty(struct cached_dev *dc)
@@ -517,6 +517,11 @@ void bch_cached_dev_writeback_init(struc
 
 int bch_cached_dev_writeback_start(struct cached_dev *dc)
 {
+   dc->writeback_write_wq = alloc_workqueue("bcache_writeback_wq",
+   WQ_MEM_RECLAIM, 0);
+   if (!dc->writeback_write_wq)
+   return -ENOMEM;
+
dc->writeback_thread = kthread_create(bch_writeback_thread, dc,
  "bcache_writeback");
if (IS_ERR(dc->writeback_thread))

[PATCH 4.9 75/77] mac80211_hwsim: Use proper TX power

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Beni Lev 

commit 9de981f507474f326e42117858dc9a9321331ae5 upstream.

In struct ieee80211_tx_info, control.vif pointer and rate_driver_data[0]
falls on the same place, depending on the union usage.
During the whole TX process, the union is referred to as a control struct,
which holds the vif that is later used in the tx flow, especially in order
to derive the used tx power.
Referring direcly to rate_driver_data[0] and assigning a value to it,
overwrites the vif pointer, hence making all later references irrelevant.
Moreover, rate_driver_data[0] isn't used later in the flow in order to
retrieve the channel that it is pointing to.

Signed-off-by: Beni Lev 
Signed-off-by: Luca Coelho 
Signed-off-by: Johannes Berg 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/net/wireless/mac80211_hwsim.c |2 --
 1 file changed, 2 deletions(-)

--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -1357,8 +1357,6 @@ static void mac80211_hwsim_tx(struct iee
   txi->control.rates,
   ARRAY_SIZE(txi->control.rates));
 
-   txi->rate_driver_data[0] = channel;
-
if (skb->len >= 24 + 8 &&
ieee80211_is_probe_resp(hdr->frame_control)) {
/* fake header transmission time */

[PATCH 4.9 70/77] bcache: correct cache_dirty_target in __update_writeback_rate()

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Tang Junhui 

commit a8394090a9129b40f9d90dcb7f4a49d60c727ca6 upstream.

__update_write_rate() uses a Proportion-Differentiation Controller
algorithm to control writeback rate. A dirty target number is used in
this PD controller to control writeback rate. A larger target number
will make the writeback rate smaller, on the versus, a smaller target
number will make the writeback rate larger.

bcache uses the following steps to calculate the target number,
1) cache_sectors = all-buckets-of-cache-set * buckets-size
2) cache_dirty_target = cache_sectors * cached-device-writeback_percent
3) target = cache_dirty_target *
(sectors-of-cached-device/sectors-of-all-cached-devices-of-this-cache-set)

The calculation at step 1) for cache_sectors is incorrect, which does
not consider dirty blocks occupied by flash only volume.

A flash only volume can be took as a bcache device without cached
device. All data sectors allocated for it are persistent on cache device
and marked dirty, they are not touched by bcache writeback and garbage
collection code. So data blocks of flash only volume should be ignore
when calculating cache_sectors of cache set.

Current code does not subtract dirty sectors of flash only volume, which
results a larger target number from the above 3 steps. And in sequence
the cache device's writeback rate is smaller then a correct value,
writeback speed is slower on all cached devices.

This patch fixes the incorrect slower writeback rate by subtracting
dirty sectors of flash only volumes in __update_writeback_rate().

(Commit log composed by Coly Li to pass checkpatch.pl checking)

Signed-off-by: Tang Junhui 
Reviewed-by: Coly Li 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/writeback.c |3 ++-
 drivers/md/bcache/writeback.h |   19 +++
 2 files changed, 21 insertions(+), 1 deletion(-)

--- a/drivers/md/bcache/writeback.c
+++ b/drivers/md/bcache/writeback.c
@@ -20,7 +20,8 @@
 static void __update_writeback_rate(struct cached_dev *dc)
 {
struct cache_set *c = dc->disk.c;
-   uint64_t cache_sectors = c->nbuckets * c->sb.bucket_size;
+   uint64_t cache_sectors = c->nbuckets * c->sb.bucket_size -
+   bcache_flash_devs_sectors_dirty(c);
uint64_t cache_dirty_target =
div_u64(cache_sectors * dc->writeback_percent, 100);
 
--- a/drivers/md/bcache/writeback.h
+++ b/drivers/md/bcache/writeback.h
@@ -14,6 +14,25 @@ static inline uint64_t bcache_dev_sector
return ret;
 }
 
+static inline uint64_t  bcache_flash_devs_sectors_dirty(struct cache_set *c)
+{
+   uint64_t i, ret = 0;
+
+   mutex_lock(_register_lock);
+
+   for (i = 0; i < c->nr_uuids; i++) {
+   struct bcache_device *d = c->devices[i];
+
+   if (!d || !UUID_FLASH_ONLY(>uuids[i]))
+   continue;
+  ret += bcache_dev_sectors_dirty(d);
+   }
+
+   mutex_unlock(_register_lock);
+
+   return ret;
+}
+
 static inline unsigned offset_to_stripe(struct bcache_device *d,
uint64_t offset)
 {

[PATCH 4.9 71/77] bcache: Correct return value for sysfs attach errors

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Tony Asleson 

commit 77fa100f27475d08a569b9d51c17722130f089e7 upstream.

If you encounter any errors in bch_cached_dev_attach it will return
a negative error code.  The variable 'v' which stores the result is
unsigned, thus user space sees a very large value returned for bytes
written which can cause incorrect user space behavior.  Utilize 1
signed variable to use throughout the function to preserve error return
capability.

Signed-off-by: Tony Asleson 
Acked-by: Coly Li 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/sysfs.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -191,7 +191,7 @@ STORE(__cached_dev)
 {
struct cached_dev *dc = container_of(kobj, struct cached_dev,
 disk.kobj);
-   unsigned v = size;
+   ssize_t v = size;
struct cache_set *c;
struct kobj_uevent_env *env;
 
@@ -226,7 +226,7 @@ STORE(__cached_dev)
bch_cached_dev_run(dc);
 
if (attr == _cache_mode) {
-   ssize_t v = bch_read_string_list(buf, bch_cache_modes + 1);
+   v = bch_read_string_list(buf, bch_cache_modes + 1);
 
if (v < 0)
return v;

[PATCH 4.9 75/77] mac80211_hwsim: Use proper TX power

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Beni Lev 

commit 9de981f507474f326e42117858dc9a9321331ae5 upstream.

In struct ieee80211_tx_info, control.vif pointer and rate_driver_data[0]
falls on the same place, depending on the union usage.
During the whole TX process, the union is referred to as a control struct,
which holds the vif that is later used in the tx flow, especially in order
to derive the used tx power.
Referring direcly to rate_driver_data[0] and assigning a value to it,
overwrites the vif pointer, hence making all later references irrelevant.
Moreover, rate_driver_data[0] isn't used later in the flow in order to
retrieve the channel that it is pointing to.

Signed-off-by: Beni Lev 
Signed-off-by: Luca Coelho 
Signed-off-by: Johannes Berg 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/net/wireless/mac80211_hwsim.c |2 --
 1 file changed, 2 deletions(-)

--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -1357,8 +1357,6 @@ static void mac80211_hwsim_tx(struct iee
   txi->control.rates,
   ARRAY_SIZE(txi->control.rates));
 
-   txi->rate_driver_data[0] = channel;
-
if (skb->len >= 24 + 8 &&
ieee80211_is_probe_resp(hdr->frame_control)) {
/* fake header transmission time */

[PATCH 4.9 70/77] bcache: correct cache_dirty_target in __update_writeback_rate()

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Tang Junhui 

commit a8394090a9129b40f9d90dcb7f4a49d60c727ca6 upstream.

__update_write_rate() uses a Proportion-Differentiation Controller
algorithm to control writeback rate. A dirty target number is used in
this PD controller to control writeback rate. A larger target number
will make the writeback rate smaller, on the versus, a smaller target
number will make the writeback rate larger.

bcache uses the following steps to calculate the target number,
1) cache_sectors = all-buckets-of-cache-set * buckets-size
2) cache_dirty_target = cache_sectors * cached-device-writeback_percent
3) target = cache_dirty_target *
(sectors-of-cached-device/sectors-of-all-cached-devices-of-this-cache-set)

The calculation at step 1) for cache_sectors is incorrect, which does
not consider dirty blocks occupied by flash only volume.

A flash only volume can be took as a bcache device without cached
device. All data sectors allocated for it are persistent on cache device
and marked dirty, they are not touched by bcache writeback and garbage
collection code. So data blocks of flash only volume should be ignore
when calculating cache_sectors of cache set.

Current code does not subtract dirty sectors of flash only volume, which
results a larger target number from the above 3 steps. And in sequence
the cache device's writeback rate is smaller then a correct value,
writeback speed is slower on all cached devices.

This patch fixes the incorrect slower writeback rate by subtracting
dirty sectors of flash only volumes in __update_writeback_rate().

(Commit log composed by Coly Li to pass checkpatch.pl checking)

Signed-off-by: Tang Junhui 
Reviewed-by: Coly Li 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/writeback.c |3 ++-
 drivers/md/bcache/writeback.h |   19 +++
 2 files changed, 21 insertions(+), 1 deletion(-)

--- a/drivers/md/bcache/writeback.c
+++ b/drivers/md/bcache/writeback.c
@@ -20,7 +20,8 @@
 static void __update_writeback_rate(struct cached_dev *dc)
 {
struct cache_set *c = dc->disk.c;
-   uint64_t cache_sectors = c->nbuckets * c->sb.bucket_size;
+   uint64_t cache_sectors = c->nbuckets * c->sb.bucket_size -
+   bcache_flash_devs_sectors_dirty(c);
uint64_t cache_dirty_target =
div_u64(cache_sectors * dc->writeback_percent, 100);
 
--- a/drivers/md/bcache/writeback.h
+++ b/drivers/md/bcache/writeback.h
@@ -14,6 +14,25 @@ static inline uint64_t bcache_dev_sector
return ret;
 }
 
+static inline uint64_t  bcache_flash_devs_sectors_dirty(struct cache_set *c)
+{
+   uint64_t i, ret = 0;
+
+   mutex_lock(_register_lock);
+
+   for (i = 0; i < c->nr_uuids; i++) {
+   struct bcache_device *d = c->devices[i];
+
+   if (!d || !UUID_FLASH_ONLY(>uuids[i]))
+   continue;
+  ret += bcache_dev_sectors_dirty(d);
+   }
+
+   mutex_unlock(_register_lock);
+
+   return ret;
+}
+
 static inline unsigned offset_to_stripe(struct bcache_device *d,
uint64_t offset)
 {

[PATCH 4.9 71/77] bcache: Correct return value for sysfs attach errors

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Tony Asleson 

commit 77fa100f27475d08a569b9d51c17722130f089e7 upstream.

If you encounter any errors in bch_cached_dev_attach it will return
a negative error code.  The variable 'v' which stores the result is
unsigned, thus user space sees a very large value returned for bytes
written which can cause incorrect user space behavior.  Utilize 1
signed variable to use throughout the function to preserve error return
capability.

Signed-off-by: Tony Asleson 
Acked-by: Coly Li 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/sysfs.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/md/bcache/sysfs.c
+++ b/drivers/md/bcache/sysfs.c
@@ -191,7 +191,7 @@ STORE(__cached_dev)
 {
struct cached_dev *dc = container_of(kobj, struct cached_dev,
 disk.kobj);
-   unsigned v = size;
+   ssize_t v = size;
struct cache_set *c;
struct kobj_uevent_env *env;
 
@@ -226,7 +226,7 @@ STORE(__cached_dev)
bch_cached_dev_run(dc);
 
if (attr == _cache_mode) {
-   ssize_t v = bch_read_string_list(buf, bch_cache_modes + 1);
+   v = bch_read_string_list(buf, bch_cache_modes + 1);
 
if (v < 0)
return v;

[PATCH 4.9 25/77] MIPS: math-emu: <MADDF|MSUBF>.D: Fix accuracy (64-bit case)

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Douglas Leung 

commit 2cfa58259f4b65b33ebe8f167019a1f89c6c3289 upstream.

Implement fused multiply-add with correct accuracy.

Fused multiply-add operation has better accuracy than respective
sequential execution of multiply and add operations applied on the
same inputs. This is because accuracy errors accumulate in latter
case.

This patch implements fused multiply-add with the same accuracy
as it is implemented in hardware, using 128-bit intermediate
calculations.

One test case example (raw bits) that this patch fixes:

MADDF.D fd,fs,ft:
  fd = 0x0ca0
  fs = ft = 0x3f40624dd2f1a9fc

Fixes: e24c3bec3e8e ("MIPS: math-emu: Add support for the MIPS R6 MADDF FPU 
instruction")
Fixes: 83d43305a1df ("MIPS: math-emu: Add support for the MIPS R6 MSUBF FPU 
instruction")

Signed-off-by: Douglas Leung 
Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Cc: Douglas Leung 
Cc: Bo Hu 
Cc: James Hogan 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16891/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_maddf.c |  133 +-
 1 file changed, 94 insertions(+), 39 deletions(-)

--- a/arch/mips/math-emu/dp_maddf.c
+++ b/arch/mips/math-emu/dp_maddf.c
@@ -15,18 +15,44 @@
 #include "ieee754dp.h"
 
 
+/* 128 bits shift right logical with rounding. */
+void srl128(u64 *hptr, u64 *lptr, int count)
+{
+   u64 low;
+
+   if (count >= 128) {
+   *lptr = *hptr != 0 || *lptr != 0;
+   *hptr = 0;
+   } else if (count >= 64) {
+   if (count == 64) {
+   *lptr = *hptr | (*lptr != 0);
+   } else {
+   low = *lptr;
+   *lptr = *hptr >> (count - 64);
+   *lptr |= (*hptr << (128 - count)) != 0 || low != 0;
+   }
+   *hptr = 0;
+   } else {
+   low = *lptr;
+   *lptr = low >> count | *hptr << (64 - count);
+   *lptr |= (low << (64 - count)) != 0;
+   *hptr = *hptr >> count;
+   }
+}
+
 static union ieee754dp _dp_maddf(union ieee754dp z, union ieee754dp x,
 union ieee754dp y, enum maddf_flags flags)
 {
int re;
int rs;
-   u64 rm;
unsigned lxm;
unsigned hxm;
unsigned lym;
unsigned hym;
u64 lrm;
u64 hrm;
+   u64 lzm;
+   u64 hzm;
u64 t;
u64 at;
int s;
@@ -172,7 +198,7 @@ static union ieee754dp _dp_maddf(union i
ym <<= 64 - (DP_FBITS + 1);
 
/*
-* Multiply 64 bits xm, ym to give high 64 bits rm with stickness.
+* Multiply 64 bits xm and ym to give 128 bits result in hrm:lrm.
 */
 
/* 32 * 32 => 64 */
@@ -202,81 +228,110 @@ static union ieee754dp _dp_maddf(union i
 
hrm = hrm + (t >> 32);
 
-   rm = hrm | (lrm != 0);
-
-   /*
-* Sticky shift down to normal rounding precision.
-*/
-   if ((s64) rm < 0) {
-   rm = (rm >> (64 - (DP_FBITS + 1 + 3))) |
-((rm << (DP_FBITS + 1 + 3)) != 0);
+   /* Put explicit bit at bit 126 if necessary */
+   if ((int64_t)hrm < 0) {
+   lrm = (hrm << 63) | (lrm >> 1);
+   hrm = hrm >> 1;
re++;
-   } else {
-   rm = (rm >> (64 - (DP_FBITS + 1 + 3 + 1))) |
-((rm << (DP_FBITS + 1 + 3 + 1)) != 0);
}
-   assert(rm & (DP_HIDDEN_BIT << 3));
 
-   if (zc == IEEE754_CLASS_ZERO)
-   return ieee754dp_format(rs, re, rm);
+   assert(hrm & (1 << 62));
 
-   /* And now the addition */
-   assert(zm & DP_HIDDEN_BIT);
+   if (zc == IEEE754_CLASS_ZERO) {
+   /*
+* Move explicit bit from bit 126 to bit 55 since the
+* ieee754dp_format code expects the mantissa to be
+* 56 bits wide (53 + 3 rounding bits).
+*/
+   srl128(, , (126 - 55));
+   return ieee754dp_format(rs, re, lrm);
+   }
 
-   /*
-* Provide guard,round and stick bit space.
-*/
-   zm <<= 3;
+   /* Move explicit bit from bit 52 to bit 126 */
+   lzm = 0;
+   hzm = zm << 10;
+   assert(hzm & (1 << 62));
 
+   /* Make the exponents 

[PATCH 4.9 27/77] [PATCH - RESEND] crypto: AF_ALG - remove SGL terminator indicator when chaining

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Stephan Mueller 

Fixed differently upstream as commit 2d97591ef43d ("crypto: af_alg - 
consolidation of duplicate code")

The SGL is MAX_SGL_ENTS + 1 in size. The last SG entry is used for the
chaining and is properly updated with the sg_chain invocation. During
the filling-in of the initial SG entries, sg_mark_end is called for each
SG entry. This is appropriate as long as no additional SGL is chained
with the current SGL. However, when a new SGL is chained and the last
SG entry is updated with sg_chain, the last but one entry still contains
the end marker from the sg_mark_end. This end marker must be removed as
otherwise a walk of the chained SGLs will cause a NULL pointer
dereference at the last but one SG entry, because sg_next will return
NULL.

The patch only applies to all kernels up to and including 4.13. The
patch 2d97591ef43d0587be22ad1b0d758d6df4999a0b added to 4.14-rc1
introduced a complete new code base which addresses this bug in
a different way. Yet, that patch is too invasive for stable kernels
and was therefore not marked for stable.

Fixes: 8ff590903d5fc ("crypto: algif_skcipher - User-space interface for 
skcipher operations")
Signed-off-by: Stephan Mueller 
Acked-by: Herbert Xu 
Signed-off-by: Greg Kroah-Hartman 
---
 crypto/algif_skcipher.c |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -143,8 +143,10 @@ static int skcipher_alloc_sgl(struct soc
sg_init_table(sgl->sg, MAX_SGL_ENTS + 1);
sgl->cur = 0;
 
-   if (sg)
+   if (sg) {
sg_chain(sg, MAX_SGL_ENTS + 1, sgl->sg);
+   sg_unmark_end(sg + (MAX_SGL_ENTS - 1));
+   }
 
list_add_tail(>list, >tsgl);
}

[PATCH 4.9 25/77] MIPS: math-emu: .D: Fix accuracy (64-bit case)

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Douglas Leung 

commit 2cfa58259f4b65b33ebe8f167019a1f89c6c3289 upstream.

Implement fused multiply-add with correct accuracy.

Fused multiply-add operation has better accuracy than respective
sequential execution of multiply and add operations applied on the
same inputs. This is because accuracy errors accumulate in latter
case.

This patch implements fused multiply-add with the same accuracy
as it is implemented in hardware, using 128-bit intermediate
calculations.

One test case example (raw bits) that this patch fixes:

MADDF.D fd,fs,ft:
  fd = 0x0ca0
  fs = ft = 0x3f40624dd2f1a9fc

Fixes: e24c3bec3e8e ("MIPS: math-emu: Add support for the MIPS R6 MADDF FPU 
instruction")
Fixes: 83d43305a1df ("MIPS: math-emu: Add support for the MIPS R6 MSUBF FPU 
instruction")

Signed-off-by: Douglas Leung 
Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Cc: Douglas Leung 
Cc: Bo Hu 
Cc: James Hogan 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16891/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_maddf.c |  133 +-
 1 file changed, 94 insertions(+), 39 deletions(-)

--- a/arch/mips/math-emu/dp_maddf.c
+++ b/arch/mips/math-emu/dp_maddf.c
@@ -15,18 +15,44 @@
 #include "ieee754dp.h"
 
 
+/* 128 bits shift right logical with rounding. */
+void srl128(u64 *hptr, u64 *lptr, int count)
+{
+   u64 low;
+
+   if (count >= 128) {
+   *lptr = *hptr != 0 || *lptr != 0;
+   *hptr = 0;
+   } else if (count >= 64) {
+   if (count == 64) {
+   *lptr = *hptr | (*lptr != 0);
+   } else {
+   low = *lptr;
+   *lptr = *hptr >> (count - 64);
+   *lptr |= (*hptr << (128 - count)) != 0 || low != 0;
+   }
+   *hptr = 0;
+   } else {
+   low = *lptr;
+   *lptr = low >> count | *hptr << (64 - count);
+   *lptr |= (low << (64 - count)) != 0;
+   *hptr = *hptr >> count;
+   }
+}
+
 static union ieee754dp _dp_maddf(union ieee754dp z, union ieee754dp x,
 union ieee754dp y, enum maddf_flags flags)
 {
int re;
int rs;
-   u64 rm;
unsigned lxm;
unsigned hxm;
unsigned lym;
unsigned hym;
u64 lrm;
u64 hrm;
+   u64 lzm;
+   u64 hzm;
u64 t;
u64 at;
int s;
@@ -172,7 +198,7 @@ static union ieee754dp _dp_maddf(union i
ym <<= 64 - (DP_FBITS + 1);
 
/*
-* Multiply 64 bits xm, ym to give high 64 bits rm with stickness.
+* Multiply 64 bits xm and ym to give 128 bits result in hrm:lrm.
 */
 
/* 32 * 32 => 64 */
@@ -202,81 +228,110 @@ static union ieee754dp _dp_maddf(union i
 
hrm = hrm + (t >> 32);
 
-   rm = hrm | (lrm != 0);
-
-   /*
-* Sticky shift down to normal rounding precision.
-*/
-   if ((s64) rm < 0) {
-   rm = (rm >> (64 - (DP_FBITS + 1 + 3))) |
-((rm << (DP_FBITS + 1 + 3)) != 0);
+   /* Put explicit bit at bit 126 if necessary */
+   if ((int64_t)hrm < 0) {
+   lrm = (hrm << 63) | (lrm >> 1);
+   hrm = hrm >> 1;
re++;
-   } else {
-   rm = (rm >> (64 - (DP_FBITS + 1 + 3 + 1))) |
-((rm << (DP_FBITS + 1 + 3 + 1)) != 0);
}
-   assert(rm & (DP_HIDDEN_BIT << 3));
 
-   if (zc == IEEE754_CLASS_ZERO)
-   return ieee754dp_format(rs, re, rm);
+   assert(hrm & (1 << 62));
 
-   /* And now the addition */
-   assert(zm & DP_HIDDEN_BIT);
+   if (zc == IEEE754_CLASS_ZERO) {
+   /*
+* Move explicit bit from bit 126 to bit 55 since the
+* ieee754dp_format code expects the mantissa to be
+* 56 bits wide (53 + 3 rounding bits).
+*/
+   srl128(, , (126 - 55));
+   return ieee754dp_format(rs, re, lrm);
+   }
 
-   /*
-* Provide guard,round and stick bit space.
-*/
-   zm <<= 3;
+   /* Move explicit bit from bit 52 to bit 126 */
+   lzm = 0;
+   hzm = zm << 10;
+   assert(hzm & (1 << 62));
 
+   /* Make the exponents the same */
if (ze > re) {
/*
 * Have to shift y fraction right to align.
 */
s = ze - re;
-   rm = XDPSRS(rm, s);
+   srl128(, , s);
re += s;
} else if (re > ze) {
/*
 * Have to shift x fraction 

[PATCH 4.9 27/77] [PATCH - RESEND] crypto: AF_ALG - remove SGL terminator indicator when chaining

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Stephan Mueller 

Fixed differently upstream as commit 2d97591ef43d ("crypto: af_alg - 
consolidation of duplicate code")

The SGL is MAX_SGL_ENTS + 1 in size. The last SG entry is used for the
chaining and is properly updated with the sg_chain invocation. During
the filling-in of the initial SG entries, sg_mark_end is called for each
SG entry. This is appropriate as long as no additional SGL is chained
with the current SGL. However, when a new SGL is chained and the last
SG entry is updated with sg_chain, the last but one entry still contains
the end marker from the sg_mark_end. This end marker must be removed as
otherwise a walk of the chained SGLs will cause a NULL pointer
dereference at the last but one SG entry, because sg_next will return
NULL.

The patch only applies to all kernels up to and including 4.13. The
patch 2d97591ef43d0587be22ad1b0d758d6df4999a0b added to 4.14-rc1
introduced a complete new code base which addresses this bug in
a different way. Yet, that patch is too invasive for stable kernels
and was therefore not marked for stable.

Fixes: 8ff590903d5fc ("crypto: algif_skcipher - User-space interface for 
skcipher operations")
Signed-off-by: Stephan Mueller 
Acked-by: Herbert Xu 
Signed-off-by: Greg Kroah-Hartman 
---
 crypto/algif_skcipher.c |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -143,8 +143,10 @@ static int skcipher_alloc_sgl(struct soc
sg_init_table(sgl->sg, MAX_SGL_ENTS + 1);
sgl->cur = 0;
 
-   if (sg)
+   if (sg) {
sg_chain(sg, MAX_SGL_ENTS + 1, sgl->sg);
+   sg_unmark_end(sg + (MAX_SGL_ENTS - 1));
+   }
 
list_add_tail(>list, >tsgl);
}

[PATCH 4.9 22/77] MIPS: math-emu: <MADDF|MSUBF>.<D|S>: Fix some cases of zero inputs

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit 7cf64ce4d37f1b4f44365fcf77f565d523819dcd upstream.

Fix the cases of . when any of two multiplicands is
+0 or -0, and the third input is also +0 or -0. Depending on the signs
of inputs, certain special cases must be handled.

A relevant example:

MADDF.S fd,fs,ft:
  If fs contains +0.0, ft contains -0.0, and fd contains 0.0, fd is
  going to contain +0.0 (without this patch, it used to contain -0.0).

Fixes: e24c3bec3e8e ("MIPS: math-emu: Add support for the MIPS R6 MADDF FPU 
instruction")
Fixes: 83d43305a1df ("MIPS: math-emu: Add support for the MIPS R6 MSUBF FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16888/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_maddf.c |   18 +-
 arch/mips/math-emu/sp_maddf.c |   18 +-
 2 files changed, 34 insertions(+), 2 deletions(-)

--- a/arch/mips/math-emu/dp_maddf.c
+++ b/arch/mips/math-emu/dp_maddf.c
@@ -113,7 +113,23 @@ static union ieee754dp _dp_maddf(union i
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
if (zc == IEEE754_CLASS_INF)
return ieee754dp_inf(zs);
-   /* Multiplication is 0 so just return z */
+   if (zc == IEEE754_CLASS_ZERO) {
+   /* Handle cases +0 + (-0) and similar ones. */
+   if ((!(flags & maddf_negate_product)
+   && (zs == (xs ^ ys))) ||
+   ((flags & maddf_negate_product)
+   && (zs != (xs ^ ys
+   /*
+* Cases of addition of zeros of equal signs
+* or subtraction of zeroes of opposite signs.
+* The sign of the resulting zero is in any
+* such case determined only by the sign of z.
+*/
+   return z;
+
+   return ieee754dp_zero(ieee754_csr.rm == FPU_CSR_RD);
+   }
+   /* x*y is here 0, and z is not 0, so just return z */
return z;
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
--- a/arch/mips/math-emu/sp_maddf.c
+++ b/arch/mips/math-emu/sp_maddf.c
@@ -114,7 +114,23 @@ static union ieee754sp _sp_maddf(union i
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
if (zc == IEEE754_CLASS_INF)
return ieee754sp_inf(zs);
-   /* Multiplication is 0 so just return z */
+   if (zc == IEEE754_CLASS_ZERO) {
+   /* Handle cases +0 + (-0) and similar ones. */
+   if ((!(flags & maddf_negate_product)
+   && (zs == (xs ^ ys))) ||
+   ((flags & maddf_negate_product)
+   && (zs != (xs ^ ys
+   /*
+* Cases of addition of zeros of equal signs
+* or subtraction of zeroes of opposite signs.
+* The sign of the resulting zero is in any
+* such case determined only by the sign of z.
+*/
+   return z;
+
+   return ieee754sp_zero(ieee754_csr.rm == FPU_CSR_RD);
+   }
+   /* x*y is here 0, and z is not 0, so just return z */
return z;
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):

[PATCH 4.9 23/77] MIPS: math-emu: <MADDF|MSUBF>.<D|S>: Clean up "maddf_flags" enumeration

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit ae11c0619973ffd73a496308d8a1cb5e1a353737 upstream.

Fix definition and usage of "maddf_flags" enumeration. Avoid duplicate
definition and apply more common capitalization.

This patch does not change any scenario. It just makes MADDF and
MSUBF emulation code more readable and easier to maintain, and
hopefully prevents future bugs as well.

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16889/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_maddf.c   |   19 ---
 arch/mips/math-emu/ieee754int.h |4 
 arch/mips/math-emu/sp_maddf.c   |   19 ---
 3 files changed, 20 insertions(+), 22 deletions(-)

--- a/arch/mips/math-emu/dp_maddf.c
+++ b/arch/mips/math-emu/dp_maddf.c
@@ -14,9 +14,6 @@
 
 #include "ieee754dp.h"
 
-enum maddf_flags {
-   maddf_negate_product= 1 << 0,
-};
 
 static union ieee754dp _dp_maddf(union ieee754dp z, union ieee754dp x,
 union ieee754dp y, enum maddf_flags flags)
@@ -85,8 +82,8 @@ static union ieee754dp _dp_maddf(union i
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
if ((zc == IEEE754_CLASS_INF) &&
-   ((!(flags & maddf_negate_product) && (zs != (xs ^ ys))) ||
-((flags & maddf_negate_product) && (zs == (xs ^ ys) {
+   ((!(flags & MADDF_NEGATE_PRODUCT) && (zs != (xs ^ ys))) ||
+((flags & MADDF_NEGATE_PRODUCT) && (zs == (xs ^ ys) {
/*
 * Cases of addition of infinities with opposite signs
 * or subtraction of infinities with same signs.
@@ -99,9 +96,9 @@ static union ieee754dp _dp_maddf(union i
 * same sign as product (x*y) (in case of MADDF.D instruction)
 * or product -(x*y) (in MSUBF.D case). The result must be an
 * infinity, and its sign is determined only by the value of
-* (flags & maddf_negate_product) and the signs of x and y.
+* (flags & MADDF_NEGATE_PRODUCT) and the signs of x and y.
 */
-   if (flags & maddf_negate_product)
+   if (flags & MADDF_NEGATE_PRODUCT)
return ieee754dp_inf(1 ^ (xs ^ ys));
else
return ieee754dp_inf(xs ^ ys);
@@ -115,9 +112,9 @@ static union ieee754dp _dp_maddf(union i
return ieee754dp_inf(zs);
if (zc == IEEE754_CLASS_ZERO) {
/* Handle cases +0 + (-0) and similar ones. */
-   if ((!(flags & maddf_negate_product)
+   if ((!(flags & MADDF_NEGATE_PRODUCT)
&& (zs == (xs ^ ys))) ||
-   ((flags & maddf_negate_product)
+   ((flags & MADDF_NEGATE_PRODUCT)
&& (zs != (xs ^ ys
/*
 * Cases of addition of zeros of equal signs
@@ -167,7 +164,7 @@ static union ieee754dp _dp_maddf(union i
 
re = xe + ye;
rs = xs ^ ys;
-   if (flags & maddf_negate_product)
+   if (flags & MADDF_NEGATE_PRODUCT)
rs ^= 1;
 
/* shunt to top of word */
@@ -291,5 +288,5 @@ union ieee754dp ieee754dp_maddf(union ie
 union ieee754dp ieee754dp_msubf(union ieee754dp z, union ieee754dp x,
union ieee754dp y)
 {
-   return _dp_maddf(z, x, y, maddf_negate_product);
+   return _dp_maddf(z, x, y, MADDF_NEGATE_PRODUCT);
 }
--- a/arch/mips/math-emu/ieee754int.h
+++ b/arch/mips/math-emu/ieee754int.h
@@ -26,6 +26,10 @@
 
 #define CLPAIR(x, y)   ((x)*6+(y))
 
+enum maddf_flags {
+   MADDF_NEGATE_PRODUCT= 1 << 0,
+};
+
 static inline void ieee754_clearcx(void)
 {
ieee754_csr.cx = 0;
--- a/arch/mips/math-emu/sp_maddf.c
+++ b/arch/mips/math-emu/sp_maddf.c
@@ -14,9 +14,6 @@
 
 #include "ieee754sp.h"
 
-enum maddf_flags {
-   maddf_negate_product= 1 << 0,
-};
 
 static union ieee754sp _sp_maddf(union ieee754sp z, union ieee754sp x,
  

[PATCH 4.9 22/77] MIPS: math-emu: .: Fix some cases of zero inputs

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit 7cf64ce4d37f1b4f44365fcf77f565d523819dcd upstream.

Fix the cases of . when any of two multiplicands is
+0 or -0, and the third input is also +0 or -0. Depending on the signs
of inputs, certain special cases must be handled.

A relevant example:

MADDF.S fd,fs,ft:
  If fs contains +0.0, ft contains -0.0, and fd contains 0.0, fd is
  going to contain +0.0 (without this patch, it used to contain -0.0).

Fixes: e24c3bec3e8e ("MIPS: math-emu: Add support for the MIPS R6 MADDF FPU 
instruction")
Fixes: 83d43305a1df ("MIPS: math-emu: Add support for the MIPS R6 MSUBF FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16888/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_maddf.c |   18 +-
 arch/mips/math-emu/sp_maddf.c |   18 +-
 2 files changed, 34 insertions(+), 2 deletions(-)

--- a/arch/mips/math-emu/dp_maddf.c
+++ b/arch/mips/math-emu/dp_maddf.c
@@ -113,7 +113,23 @@ static union ieee754dp _dp_maddf(union i
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
if (zc == IEEE754_CLASS_INF)
return ieee754dp_inf(zs);
-   /* Multiplication is 0 so just return z */
+   if (zc == IEEE754_CLASS_ZERO) {
+   /* Handle cases +0 + (-0) and similar ones. */
+   if ((!(flags & maddf_negate_product)
+   && (zs == (xs ^ ys))) ||
+   ((flags & maddf_negate_product)
+   && (zs != (xs ^ ys
+   /*
+* Cases of addition of zeros of equal signs
+* or subtraction of zeroes of opposite signs.
+* The sign of the resulting zero is in any
+* such case determined only by the sign of z.
+*/
+   return z;
+
+   return ieee754dp_zero(ieee754_csr.rm == FPU_CSR_RD);
+   }
+   /* x*y is here 0, and z is not 0, so just return z */
return z;
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
--- a/arch/mips/math-emu/sp_maddf.c
+++ b/arch/mips/math-emu/sp_maddf.c
@@ -114,7 +114,23 @@ static union ieee754sp _sp_maddf(union i
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_ZERO):
if (zc == IEEE754_CLASS_INF)
return ieee754sp_inf(zs);
-   /* Multiplication is 0 so just return z */
+   if (zc == IEEE754_CLASS_ZERO) {
+   /* Handle cases +0 + (-0) and similar ones. */
+   if ((!(flags & maddf_negate_product)
+   && (zs == (xs ^ ys))) ||
+   ((flags & maddf_negate_product)
+   && (zs != (xs ^ ys
+   /*
+* Cases of addition of zeros of equal signs
+* or subtraction of zeroes of opposite signs.
+* The sign of the resulting zero is in any
+* such case determined only by the sign of z.
+*/
+   return z;
+
+   return ieee754sp_zero(ieee754_csr.rm == FPU_CSR_RD);
+   }
+   /* x*y is here 0, and z is not 0, so just return z */
return z;
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):

[PATCH 4.9 23/77] MIPS: math-emu: .: Clean up "maddf_flags" enumeration

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit ae11c0619973ffd73a496308d8a1cb5e1a353737 upstream.

Fix definition and usage of "maddf_flags" enumeration. Avoid duplicate
definition and apply more common capitalization.

This patch does not change any scenario. It just makes MADDF and
MSUBF emulation code more readable and easier to maintain, and
hopefully prevents future bugs as well.

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16889/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_maddf.c   |   19 ---
 arch/mips/math-emu/ieee754int.h |4 
 arch/mips/math-emu/sp_maddf.c   |   19 ---
 3 files changed, 20 insertions(+), 22 deletions(-)

--- a/arch/mips/math-emu/dp_maddf.c
+++ b/arch/mips/math-emu/dp_maddf.c
@@ -14,9 +14,6 @@
 
 #include "ieee754dp.h"
 
-enum maddf_flags {
-   maddf_negate_product= 1 << 0,
-};
 
 static union ieee754dp _dp_maddf(union ieee754dp z, union ieee754dp x,
 union ieee754dp y, enum maddf_flags flags)
@@ -85,8 +82,8 @@ static union ieee754dp _dp_maddf(union i
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
if ((zc == IEEE754_CLASS_INF) &&
-   ((!(flags & maddf_negate_product) && (zs != (xs ^ ys))) ||
-((flags & maddf_negate_product) && (zs == (xs ^ ys) {
+   ((!(flags & MADDF_NEGATE_PRODUCT) && (zs != (xs ^ ys))) ||
+((flags & MADDF_NEGATE_PRODUCT) && (zs == (xs ^ ys) {
/*
 * Cases of addition of infinities with opposite signs
 * or subtraction of infinities with same signs.
@@ -99,9 +96,9 @@ static union ieee754dp _dp_maddf(union i
 * same sign as product (x*y) (in case of MADDF.D instruction)
 * or product -(x*y) (in MSUBF.D case). The result must be an
 * infinity, and its sign is determined only by the value of
-* (flags & maddf_negate_product) and the signs of x and y.
+* (flags & MADDF_NEGATE_PRODUCT) and the signs of x and y.
 */
-   if (flags & maddf_negate_product)
+   if (flags & MADDF_NEGATE_PRODUCT)
return ieee754dp_inf(1 ^ (xs ^ ys));
else
return ieee754dp_inf(xs ^ ys);
@@ -115,9 +112,9 @@ static union ieee754dp _dp_maddf(union i
return ieee754dp_inf(zs);
if (zc == IEEE754_CLASS_ZERO) {
/* Handle cases +0 + (-0) and similar ones. */
-   if ((!(flags & maddf_negate_product)
+   if ((!(flags & MADDF_NEGATE_PRODUCT)
&& (zs == (xs ^ ys))) ||
-   ((flags & maddf_negate_product)
+   ((flags & MADDF_NEGATE_PRODUCT)
&& (zs != (xs ^ ys
/*
 * Cases of addition of zeros of equal signs
@@ -167,7 +164,7 @@ static union ieee754dp _dp_maddf(union i
 
re = xe + ye;
rs = xs ^ ys;
-   if (flags & maddf_negate_product)
+   if (flags & MADDF_NEGATE_PRODUCT)
rs ^= 1;
 
/* shunt to top of word */
@@ -291,5 +288,5 @@ union ieee754dp ieee754dp_maddf(union ie
 union ieee754dp ieee754dp_msubf(union ieee754dp z, union ieee754dp x,
union ieee754dp y)
 {
-   return _dp_maddf(z, x, y, maddf_negate_product);
+   return _dp_maddf(z, x, y, MADDF_NEGATE_PRODUCT);
 }
--- a/arch/mips/math-emu/ieee754int.h
+++ b/arch/mips/math-emu/ieee754int.h
@@ -26,6 +26,10 @@
 
 #define CLPAIR(x, y)   ((x)*6+(y))
 
+enum maddf_flags {
+   MADDF_NEGATE_PRODUCT= 1 << 0,
+};
+
 static inline void ieee754_clearcx(void)
 {
ieee754_csr.cx = 0;
--- a/arch/mips/math-emu/sp_maddf.c
+++ b/arch/mips/math-emu/sp_maddf.c
@@ -14,9 +14,6 @@
 
 #include "ieee754sp.h"
 
-enum maddf_flags {
-   maddf_negate_product= 1 << 0,
-};
 
 static union ieee754sp _sp_maddf(union ieee754sp z, union ieee754sp x,
 union ieee754sp y, enum maddf_flags flags)
@@ -86,8 +83,8 @@ static union ieee754sp _sp_maddf(union i
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
if ((zc == IEEE754_CLASS_INF) &&
-   ((!(flags 

[PATCH 4.9 52/77] scsi: qla2xxx: Correction to vha->vref_count timeout

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Joe Carnuccio 

commit 6e98095f8fb6d98da34c4e6c34e69e7c638d79c0 upstream.

Fix incorrect second argument for wait_event_timeout()

Fixes: c4a9b538ab2a ("qla2xxx: Allow vref count to timeout on vport delete.")
Signed-off-by: Joe Carnuccio 
Signed-off-by: Himanshu Madhani 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/qla2xxx/qla_mid.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/qla2xxx/qla_mid.c
+++ b/drivers/scsi/qla2xxx/qla_mid.c
@@ -74,7 +74,7 @@ qla24xx_deallocate_vp_id(scsi_qla_host_t
 * ensures no active vp_list traversal while the vport is removed
 * from the queue)
 */
-   wait_event_timeout(vha->vref_waitq, atomic_read(>vref_count),
+   wait_event_timeout(vha->vref_waitq, !atomic_read(>vref_count),
10*HZ);
 
spin_lock_irqsave(>vport_slock, flags);

[PATCH 4.9 54/77] ftrace: Fix selftest goto location on error

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Steven Rostedt (VMware) 

commit 46320a6acc4fb58f04bcf78c4c942cc43b20f986 upstream.

In the second iteration of trace_selftest_ops(), the error goto label is
wrong in the case where trace_selftest_test_global_cnt is off. In the
case of error, it leaks the dynamic ops that was allocated.

Fixes: 95950c2e ("ftrace: Add self-tests for multiple function trace users")
Signed-off-by: Steven Rostedt (VMware) 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/trace/trace_selftest.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/trace/trace_selftest.c
+++ b/kernel/trace/trace_selftest.c
@@ -272,7 +272,7 @@ static int trace_selftest_ops(struct tra
goto out_free;
if (cnt > 1) {
if (trace_selftest_test_global_cnt == 0)
-   goto out;
+   goto out_free;
}
if (trace_selftest_test_dyn_cnt == 0)
goto out_free;

[PATCH 4.9 52/77] scsi: qla2xxx: Correction to vha->vref_count timeout

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Joe Carnuccio 

commit 6e98095f8fb6d98da34c4e6c34e69e7c638d79c0 upstream.

Fix incorrect second argument for wait_event_timeout()

Fixes: c4a9b538ab2a ("qla2xxx: Allow vref count to timeout on vport delete.")
Signed-off-by: Joe Carnuccio 
Signed-off-by: Himanshu Madhani 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/qla2xxx/qla_mid.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/qla2xxx/qla_mid.c
+++ b/drivers/scsi/qla2xxx/qla_mid.c
@@ -74,7 +74,7 @@ qla24xx_deallocate_vp_id(scsi_qla_host_t
 * ensures no active vp_list traversal while the vport is removed
 * from the queue)
 */
-   wait_event_timeout(vha->vref_waitq, atomic_read(>vref_count),
+   wait_event_timeout(vha->vref_waitq, !atomic_read(>vref_count),
10*HZ);
 
spin_lock_irqsave(>vport_slock, flags);

[PATCH 4.9 54/77] ftrace: Fix selftest goto location on error

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Steven Rostedt (VMware) 

commit 46320a6acc4fb58f04bcf78c4c942cc43b20f986 upstream.

In the second iteration of trace_selftest_ops(), the error goto label is
wrong in the case where trace_selftest_test_global_cnt is off. In the
case of error, it leaks the dynamic ops that was allocated.

Fixes: 95950c2e ("ftrace: Add self-tests for multiple function trace users")
Signed-off-by: Steven Rostedt (VMware) 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/trace/trace_selftest.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/trace/trace_selftest.c
+++ b/kernel/trace/trace_selftest.c
@@ -272,7 +272,7 @@ static int trace_selftest_ops(struct tra
goto out_free;
if (cnt > 1) {
if (trace_selftest_test_global_cnt == 0)
-   goto out;
+   goto out_free;
}
if (trace_selftest_test_dyn_cnt == 0)
goto out_free;

[PATCH 4.9 49/77] scsi: sg: off by one in sg_ioctl()

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Dan Carpenter 

commit bd46fc406b30d1db1aff8dabaff8d18bb423fdcf upstream.

If "val" is SG_MAX_QUEUE then we are one element beyond the end of the
"rinfo" array so the > should be >=.

Fixes: 109bade9c625 ("scsi: sg: use standard lists for sg_requests")
Signed-off-by: Dan Carpenter 
Acked-by: Douglas Gilbert 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/sg.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1031,7 +1031,7 @@ sg_ioctl(struct file *filp, unsigned int
read_lock_irqsave(>rq_list_lock, iflags);
val = 0;
list_for_each_entry(srp, >rq_list, entry) {
-   if (val > SG_MAX_QUEUE)
+   if (val >= SG_MAX_QUEUE)
break;
memset([val], 0, SZ_SG_REQ_INFO);
rinfo[val].req_state = srp->done + 1;

[PATCH 4.9 21/77] MIPS: math-emu: <MADDF|MSUBF>.<D|S>: Fix some cases of infinite inputs

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit 0c64fe6348687f0e1cea9a608eae9d351124a73a upstream.

Fix the cases of . when any of two multiplicands is
infinity. The correct behavior in such cases is affected by the nature
of third input. Cases of addition of infinities with opposite signs
and subtraction of infinities with same signs may arise and must be
handles separately. Also, the value od flags argument (that determines
whether the instruction is MADDF or MSUBF) affects the outcome.

Relevant examples:

MADDF.S fd,fs,ft:
  If fs contains +inf, ft contains +inf, and fd contains -inf, fd is
  going to contain indef (without this patch, it used to contain
  -inf).

MSUBF.S fd,fs,ft:
  If fs contains +inf, ft contains 1.0, and fd contains +0.0, fd is
  going to contain -inf (without this patch, it used to contain +inf).

Fixes: e24c3bec3e8e ("MIPS: math-emu: Add support for the MIPS R6 MADDF FPU 
instruction")
Fixes: 83d43305a1df ("MIPS: math-emu: Add support for the MIPS R6 MSUBF FPU 
instruction")

Signed-off-by: Douglas Leung 
Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Douglas Leung 
Cc: Bo Hu 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16887/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_maddf.c |   22 +-
 arch/mips/math-emu/sp_maddf.c |   22 +-
 2 files changed, 42 insertions(+), 2 deletions(-)

--- a/arch/mips/math-emu/dp_maddf.c
+++ b/arch/mips/math-emu/dp_maddf.c
@@ -84,7 +84,27 @@ static union ieee754dp _dp_maddf(union i
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
-   return ieee754dp_inf(xs ^ ys);
+   if ((zc == IEEE754_CLASS_INF) &&
+   ((!(flags & maddf_negate_product) && (zs != (xs ^ ys))) ||
+((flags & maddf_negate_product) && (zs == (xs ^ ys) {
+   /*
+* Cases of addition of infinities with opposite signs
+* or subtraction of infinities with same signs.
+*/
+   ieee754_setcx(IEEE754_INVALID_OPERATION);
+   return ieee754dp_indef();
+   }
+   /*
+* z is here either not an infinity, or an infinity having the
+* same sign as product (x*y) (in case of MADDF.D instruction)
+* or product -(x*y) (in MSUBF.D case). The result must be an
+* infinity, and its sign is determined only by the value of
+* (flags & maddf_negate_product) and the signs of x and y.
+*/
+   if (flags & maddf_negate_product)
+   return ieee754dp_inf(1 ^ (xs ^ ys));
+   else
+   return ieee754dp_inf(xs ^ ys);
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_NORM):
--- a/arch/mips/math-emu/sp_maddf.c
+++ b/arch/mips/math-emu/sp_maddf.c
@@ -85,7 +85,27 @@ static union ieee754sp _sp_maddf(union i
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
-   return ieee754sp_inf(xs ^ ys);
+   if ((zc == IEEE754_CLASS_INF) &&
+   ((!(flags & maddf_negate_product) && (zs != (xs ^ ys))) ||
+((flags & maddf_negate_product) && (zs == (xs ^ ys) {
+   /*
+* Cases of addition of infinities with opposite signs
+* or subtraction of infinities with same signs.
+*/
+   ieee754_setcx(IEEE754_INVALID_OPERATION);
+   return ieee754sp_indef();
+   }
+   /*
+* z is here either not an infinity, or an infinity having the
+* same sign as product (x*y) (in case of MADDF.D instruction)
+* or product -(x*y) (in MSUBF.D case). The result must be an
+* infinity, and its sign is determined only by the value of
+* 

[PATCH 4.9 46/77] scsi: storvsc: fix memory leak on ring buffer busy

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Long Li 

commit 0208eeaa650c5c866a3242201678a19e6dc4a14e upstream.

When storvsc is sending I/O to Hyper-v, it may allocate a bigger buffer
descriptor for large data payload that can't fit into a pre-allocated
buffer descriptor. This bigger buffer is freed on return path.

If I/O request to Hyper-v fails due to ring buffer busy, the storvsc
allocated buffer descriptor should also be freed.

[mkp: applied by hand]

Fixes: be0cf6ca301c ("scsi: storvsc: Set the tablesize based on the information 
given by the host")
Signed-off-by: Long Li 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/storvsc_drv.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1559,6 +1559,8 @@ static int storvsc_queuecommand(struct S
ret = storvsc_do_io(dev, cmd_request);
 
if (ret == -EAGAIN) {
+   if (payload_sz > sizeof(cmd_request->mpb))
+   kfree(payload);
/* no more space */
return SCSI_MLQUEUE_DEVICE_BUSY;
}

[PATCH 4.9 49/77] scsi: sg: off by one in sg_ioctl()

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Dan Carpenter 

commit bd46fc406b30d1db1aff8dabaff8d18bb423fdcf upstream.

If "val" is SG_MAX_QUEUE then we are one element beyond the end of the
"rinfo" array so the > should be >=.

Fixes: 109bade9c625 ("scsi: sg: use standard lists for sg_requests")
Signed-off-by: Dan Carpenter 
Acked-by: Douglas Gilbert 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/sg.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1031,7 +1031,7 @@ sg_ioctl(struct file *filp, unsigned int
read_lock_irqsave(>rq_list_lock, iflags);
val = 0;
list_for_each_entry(srp, >rq_list, entry) {
-   if (val > SG_MAX_QUEUE)
+   if (val >= SG_MAX_QUEUE)
break;
memset([val], 0, SZ_SG_REQ_INFO);
rinfo[val].req_state = srp->done + 1;

[PATCH 4.9 21/77] MIPS: math-emu: .: Fix some cases of infinite inputs

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit 0c64fe6348687f0e1cea9a608eae9d351124a73a upstream.

Fix the cases of . when any of two multiplicands is
infinity. The correct behavior in such cases is affected by the nature
of third input. Cases of addition of infinities with opposite signs
and subtraction of infinities with same signs may arise and must be
handles separately. Also, the value od flags argument (that determines
whether the instruction is MADDF or MSUBF) affects the outcome.

Relevant examples:

MADDF.S fd,fs,ft:
  If fs contains +inf, ft contains +inf, and fd contains -inf, fd is
  going to contain indef (without this patch, it used to contain
  -inf).

MSUBF.S fd,fs,ft:
  If fs contains +inf, ft contains 1.0, and fd contains +0.0, fd is
  going to contain -inf (without this patch, it used to contain +inf).

Fixes: e24c3bec3e8e ("MIPS: math-emu: Add support for the MIPS R6 MADDF FPU 
instruction")
Fixes: 83d43305a1df ("MIPS: math-emu: Add support for the MIPS R6 MSUBF FPU 
instruction")

Signed-off-by: Douglas Leung 
Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Douglas Leung 
Cc: Bo Hu 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16887/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_maddf.c |   22 +-
 arch/mips/math-emu/sp_maddf.c |   22 +-
 2 files changed, 42 insertions(+), 2 deletions(-)

--- a/arch/mips/math-emu/dp_maddf.c
+++ b/arch/mips/math-emu/dp_maddf.c
@@ -84,7 +84,27 @@ static union ieee754dp _dp_maddf(union i
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
-   return ieee754dp_inf(xs ^ ys);
+   if ((zc == IEEE754_CLASS_INF) &&
+   ((!(flags & maddf_negate_product) && (zs != (xs ^ ys))) ||
+((flags & maddf_negate_product) && (zs == (xs ^ ys) {
+   /*
+* Cases of addition of infinities with opposite signs
+* or subtraction of infinities with same signs.
+*/
+   ieee754_setcx(IEEE754_INVALID_OPERATION);
+   return ieee754dp_indef();
+   }
+   /*
+* z is here either not an infinity, or an infinity having the
+* same sign as product (x*y) (in case of MADDF.D instruction)
+* or product -(x*y) (in MSUBF.D case). The result must be an
+* infinity, and its sign is determined only by the value of
+* (flags & maddf_negate_product) and the signs of x and y.
+*/
+   if (flags & maddf_negate_product)
+   return ieee754dp_inf(1 ^ (xs ^ ys));
+   else
+   return ieee754dp_inf(xs ^ ys);
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_NORM):
--- a/arch/mips/math-emu/sp_maddf.c
+++ b/arch/mips/math-emu/sp_maddf.c
@@ -85,7 +85,27 @@ static union ieee754sp _sp_maddf(union i
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_DNORM):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_INF):
-   return ieee754sp_inf(xs ^ ys);
+   if ((zc == IEEE754_CLASS_INF) &&
+   ((!(flags & maddf_negate_product) && (zs != (xs ^ ys))) ||
+((flags & maddf_negate_product) && (zs == (xs ^ ys) {
+   /*
+* Cases of addition of infinities with opposite signs
+* or subtraction of infinities with same signs.
+*/
+   ieee754_setcx(IEEE754_INVALID_OPERATION);
+   return ieee754sp_indef();
+   }
+   /*
+* z is here either not an infinity, or an infinity having the
+* same sign as product (x*y) (in case of MADDF.D instruction)
+* or product -(x*y) (in MSUBF.D case). The result must be an
+* infinity, and its sign is determined only by the value of
+* (flags & maddf_negate_product) and the signs of x and y.
+*/
+   if (flags & maddf_negate_product)
+   return ieee754sp_inf(1 ^ (xs ^ ys));
+   else
+   return ieee754sp_inf(xs ^ ys);
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_ZERO, 

[PATCH 4.9 46/77] scsi: storvsc: fix memory leak on ring buffer busy

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Long Li 

commit 0208eeaa650c5c866a3242201678a19e6dc4a14e upstream.

When storvsc is sending I/O to Hyper-v, it may allocate a bigger buffer
descriptor for large data payload that can't fit into a pre-allocated
buffer descriptor. This bigger buffer is freed on return path.

If I/O request to Hyper-v fails due to ring buffer busy, the storvsc
allocated buffer descriptor should also be freed.

[mkp: applied by hand]

Fixes: be0cf6ca301c ("scsi: storvsc: Set the tablesize based on the information 
given by the host")
Signed-off-by: Long Li 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/storvsc_drv.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1559,6 +1559,8 @@ static int storvsc_queuecommand(struct S
ret = storvsc_do_io(dev, cmd_request);
 
if (ret == -EAGAIN) {
+   if (payload_sz > sizeof(cmd_request->mpb))
+   kfree(payload);
/* no more space */
return SCSI_MLQUEUE_DEVICE_BUSY;
}

[PATCH 4.9 38/77] scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with HBA

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit 9fe5d2b2fd30aa8c7827ec62cbbe6d30df4fe3e3 upstream.

Without this fix we get SCSI trace records on task management functions
which cannot be correlated to HBA trace records because all fields
related to the FSF request are empty (zero).
Also, the FCP_RSP_IU is missing as well as any sense data if available.

This was caused by v2.6.14 commit 8a36e4532ea1 ("[SCSI] zfcp: enhancement
of zfcp debug features") introducing trace records for TMFs but
hard coding NULL for a possibly existing TMF FSF request.
The scsi_cmnd scribble is also zero or unrelated for the TMF request
so it also could not lookup a suitable FSF request from there.

A broken example trace record formatted with zfcpdbf from the s390-tools
package:

Timestamp  : ...
Area   : SCSI
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: lr_fail
Request ID : 0x
    no correlation to HBA record
SCSI ID: 0x
SCSI LUN   : 0x
SCSI result: 0x000e
SCSI retries   : 0x00
SCSI allowed   : 0x05
SCSI scribble  : 0x
SCSI opcode: 2a17 3bb8 0800 
FCP rsp inf cod: 0x00
   ^^ no TMF response
FCP rsp IU :    
 ^^^
  
 ^ no interesting FCP_RSP_IU
Sense len  : ...
 no sense data length
Sense info : ...
 no sense data content, even if present

There are some true cases where we really do not have an FSF request:
"rsl_fai" from zfcp_dbf_scsi_fail_send() called for early
returns / completions in zfcp_scsi_queuecommand(),
"abrt_or", "abrt_bl", "abrt_ru", "abrt_ar" from
zfcp_scsi_eh_abort_handler() where we did not get as far,
"lr_nres", "tr_nres" from zfcp_task_mgmt_function() where we're
successful and do not need to do anything because adapter stopped.
For these cases it's correct to pass NULL for fsf_req to _zfcp_dbf_scsi().

Signed-off-by: Steffen Maier 
Fixes: 8a36e4532ea1 ("[SCSI] zfcp: enhancement of zfcp debug features")
Reviewed-by: Benjamin Block 
Signed-off-by: Benjamin Block 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/s390/scsi/zfcp_dbf.h  |7 ---
 drivers/s390/scsi/zfcp_scsi.c |8 
 2 files changed, 8 insertions(+), 7 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.h
+++ b/drivers/s390/scsi/zfcp_dbf.h
@@ -2,7 +2,7 @@
  * zfcp device driver
  * debug feature declarations
  *
- * Copyright IBM Corp. 2008, 2016
+ * Copyright IBM Corp. 2008, 2017
  */
 
 #ifndef ZFCP_DBF_H
@@ -401,7 +401,8 @@ void zfcp_dbf_scsi_abort(char *tag, stru
  * @flag: indicates type of reset (Target Reset, Logical Unit Reset)
  */
 static inline
-void zfcp_dbf_scsi_devreset(char *tag, struct scsi_cmnd *scmnd, u8 flag)
+void zfcp_dbf_scsi_devreset(char *tag, struct scsi_cmnd *scmnd, u8 flag,
+   struct zfcp_fsf_req *fsf_req)
 {
char tmp_tag[ZFCP_DBF_TAG_LEN];
 
@@ -411,7 +412,7 @@ void zfcp_dbf_scsi_devreset(char *tag, s
memcpy(tmp_tag, "lr_", 3);
 
memcpy(_tag[3], tag, 4);
-   _zfcp_dbf_scsi(tmp_tag, 1, scmnd, NULL);
+   _zfcp_dbf_scsi(tmp_tag, 1, scmnd, fsf_req);
 }
 
 /**
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -3,7 +3,7 @@
  *
  * Interface to Linux SCSI midlayer.
  *
- * Copyright IBM Corp. 2002, 2016
+ * Copyright IBM Corp. 2002, 2017
  */
 
 #define KMSG_COMPONENT "zfcp"
@@ -278,7 +278,7 @@ static int zfcp_task_mgmt_function(struc
 
if (!(atomic_read(>status) &
  ZFCP_STATUS_COMMON_RUNNING)) {
-   zfcp_dbf_scsi_devreset("nres", scpnt, tm_flags);
+   zfcp_dbf_scsi_devreset("nres", scpnt, tm_flags, NULL);
return SUCCESS;
}
}
@@ -288,10 +288,10 @@ static int zfcp_task_mgmt_function(struc
wait_for_completion(_req->completion);
 
if (fsf_req->status & ZFCP_STATUS_FSFREQ_TMFUNCFAILED) {
-   zfcp_dbf_scsi_devreset("fail", scpnt, tm_flags);
+   zfcp_dbf_scsi_devreset("fail", scpnt, tm_flags, fsf_req);
retval = FAILED;
} else {
-   zfcp_dbf_scsi_devreset("okay", scpnt, tm_flags);
+   zfcp_dbf_scsi_devreset("okay", scpnt, tm_flags, fsf_req);
zfcp_scsi_forget_cmnds(zfcp_sdev, tm_flags);
}
 

[PATCH 4.9 37/77] scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace records

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit 975171b4461be296a35e83ebd748946b81cf0635 upstream.

v4.9 commit aceeffbb59bb ("zfcp: trace full payload of all SAN records
(req,resp,iels)") fixed trace data loss of 2.6.38 commit 2c55b750a884
("[SCSI] zfcp: Redesign of the debug tracing for SAN records.")
necessary for problem determination, e.g. to see the
currently active zone set during automatic port scan.

While it already saves space by not dumping any empty residual entries
of the large successful GPN_FT response (4 pages), there are seldom cases
where the GPN_FT response is unsuccessful and likely does not have
FC_NS_FID_LAST set in fp_flags so we did not cap the trace record.
We typically see such case for an initiator WWPN, which is not in any zone.

Cap unsuccessful responses to at least the actual basic CT_IU response
plus whatever fits the SAN trace record built-in "payload" buffer
just in case there's trailing information
of which we would at least see the existence and its beginning.

In order not to erroneously cap successful responses, we need to swap
calling the trace function and setting the CT / ELS status to success (0).

Example trace record pair formatted with zfcpdbf:

Timestamp  : ...
Area   : SAN
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: fssct_1
Request ID : 0x
Destination ID : 0x00fc
SAN req short  : 0100 fc02 01720ffc 
 0008
SAN req length : 20
|
Timestamp  : ...
Area   : SAN
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 2
Tag: fsscth2
Request ID : 0x
Destination ID : 0x00fc
SAN resp short : 0100 fc02 8001 00090700
     [trailing info]
     [trailing info]
SAN resp length: 16384
San resp info  : 0100 fc02 8001 00090700
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]

The fix saves all but one of the previously associated 64 PAYload trace
record chunks of size 256 bytes each.

Signed-off-by: Steffen Maier 
Fixes: aceeffbb59bb ("zfcp: trace full payload of all SAN records 
(req,resp,iels)")
Fixes: 2c55b750a884 ("[SCSI] zfcp: Redesign of the debug tracing for SAN 
records.")
Reviewed-by: Benjamin Block 
Signed-off-by: Benjamin Block 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/s390/scsi/zfcp_dbf.c |   10 +-
 drivers/s390/scsi/zfcp_fsf.c |4 ++--
 2 files changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -3,7 +3,7 @@
  *
  * Debug traces for zfcp.
  *
- * Copyright IBM Corp. 2002, 2016
+ * Copyright IBM Corp. 2002, 2017
  */
 
 #define KMSG_COMPONENT "zfcp"
@@ -447,6 +447,7 @@ static u16 zfcp_dbf_san_res_cap_len_if_g
struct fc_ct_hdr *reqh = sg_virt(ct_els->req);
struct fc_ns_gid_ft *reqn = (struct fc_ns_gid_ft *)(reqh + 1);
struct scatterlist *resp_entry = ct_els->resp;
+   struct fc_ct_hdr *resph;
struct fc_gpn_ft_resp *acc;
int max_entries, x, last = 0;
 
@@ -473,6 +474,13 @@ static u16 zfcp_dbf_san_res_cap_len_if_g
return len; /* not GPN_FT response so do not cap */
 
acc = sg_virt(resp_entry);
+
+   /* cap all but accept CT responses to at least the CT header */
+   resph = (struct fc_ct_hdr *)acc;
+   if ((ct_els->status) ||
+   (resph->ct_cmd != cpu_to_be16(FC_FS_ACC)))
+   return max(FC_CT_HDR_LEN, ZFCP_DBF_SAN_MAX_PAYLOAD);
+
max_entries = (reqh->ct_mr_size * 4 / sizeof(struct 

[PATCH 4.9 38/77] scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with HBA

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit 9fe5d2b2fd30aa8c7827ec62cbbe6d30df4fe3e3 upstream.

Without this fix we get SCSI trace records on task management functions
which cannot be correlated to HBA trace records because all fields
related to the FSF request are empty (zero).
Also, the FCP_RSP_IU is missing as well as any sense data if available.

This was caused by v2.6.14 commit 8a36e4532ea1 ("[SCSI] zfcp: enhancement
of zfcp debug features") introducing trace records for TMFs but
hard coding NULL for a possibly existing TMF FSF request.
The scsi_cmnd scribble is also zero or unrelated for the TMF request
so it also could not lookup a suitable FSF request from there.

A broken example trace record formatted with zfcpdbf from the s390-tools
package:

Timestamp  : ...
Area   : SCSI
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: lr_fail
Request ID : 0x
    no correlation to HBA record
SCSI ID: 0x
SCSI LUN   : 0x
SCSI result: 0x000e
SCSI retries   : 0x00
SCSI allowed   : 0x05
SCSI scribble  : 0x
SCSI opcode: 2a17 3bb8 0800 
FCP rsp inf cod: 0x00
   ^^ no TMF response
FCP rsp IU :    
 ^^^
  
 ^ no interesting FCP_RSP_IU
Sense len  : ...
 no sense data length
Sense info : ...
 no sense data content, even if present

There are some true cases where we really do not have an FSF request:
"rsl_fai" from zfcp_dbf_scsi_fail_send() called for early
returns / completions in zfcp_scsi_queuecommand(),
"abrt_or", "abrt_bl", "abrt_ru", "abrt_ar" from
zfcp_scsi_eh_abort_handler() where we did not get as far,
"lr_nres", "tr_nres" from zfcp_task_mgmt_function() where we're
successful and do not need to do anything because adapter stopped.
For these cases it's correct to pass NULL for fsf_req to _zfcp_dbf_scsi().

Signed-off-by: Steffen Maier 
Fixes: 8a36e4532ea1 ("[SCSI] zfcp: enhancement of zfcp debug features")
Reviewed-by: Benjamin Block 
Signed-off-by: Benjamin Block 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/s390/scsi/zfcp_dbf.h  |7 ---
 drivers/s390/scsi/zfcp_scsi.c |8 
 2 files changed, 8 insertions(+), 7 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.h
+++ b/drivers/s390/scsi/zfcp_dbf.h
@@ -2,7 +2,7 @@
  * zfcp device driver
  * debug feature declarations
  *
- * Copyright IBM Corp. 2008, 2016
+ * Copyright IBM Corp. 2008, 2017
  */
 
 #ifndef ZFCP_DBF_H
@@ -401,7 +401,8 @@ void zfcp_dbf_scsi_abort(char *tag, stru
  * @flag: indicates type of reset (Target Reset, Logical Unit Reset)
  */
 static inline
-void zfcp_dbf_scsi_devreset(char *tag, struct scsi_cmnd *scmnd, u8 flag)
+void zfcp_dbf_scsi_devreset(char *tag, struct scsi_cmnd *scmnd, u8 flag,
+   struct zfcp_fsf_req *fsf_req)
 {
char tmp_tag[ZFCP_DBF_TAG_LEN];
 
@@ -411,7 +412,7 @@ void zfcp_dbf_scsi_devreset(char *tag, s
memcpy(tmp_tag, "lr_", 3);
 
memcpy(_tag[3], tag, 4);
-   _zfcp_dbf_scsi(tmp_tag, 1, scmnd, NULL);
+   _zfcp_dbf_scsi(tmp_tag, 1, scmnd, fsf_req);
 }
 
 /**
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -3,7 +3,7 @@
  *
  * Interface to Linux SCSI midlayer.
  *
- * Copyright IBM Corp. 2002, 2016
+ * Copyright IBM Corp. 2002, 2017
  */
 
 #define KMSG_COMPONENT "zfcp"
@@ -278,7 +278,7 @@ static int zfcp_task_mgmt_function(struc
 
if (!(atomic_read(>status) &
  ZFCP_STATUS_COMMON_RUNNING)) {
-   zfcp_dbf_scsi_devreset("nres", scpnt, tm_flags);
+   zfcp_dbf_scsi_devreset("nres", scpnt, tm_flags, NULL);
return SUCCESS;
}
}
@@ -288,10 +288,10 @@ static int zfcp_task_mgmt_function(struc
wait_for_completion(_req->completion);
 
if (fsf_req->status & ZFCP_STATUS_FSFREQ_TMFUNCFAILED) {
-   zfcp_dbf_scsi_devreset("fail", scpnt, tm_flags);
+   zfcp_dbf_scsi_devreset("fail", scpnt, tm_flags, fsf_req);
retval = FAILED;
} else {
-   zfcp_dbf_scsi_devreset("okay", scpnt, tm_flags);
+   zfcp_dbf_scsi_devreset("okay", scpnt, tm_flags, fsf_req);
zfcp_scsi_forget_cmnds(zfcp_sdev, tm_flags);
}
 

[PATCH 4.9 37/77] scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace records

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit 975171b4461be296a35e83ebd748946b81cf0635 upstream.

v4.9 commit aceeffbb59bb ("zfcp: trace full payload of all SAN records
(req,resp,iels)") fixed trace data loss of 2.6.38 commit 2c55b750a884
("[SCSI] zfcp: Redesign of the debug tracing for SAN records.")
necessary for problem determination, e.g. to see the
currently active zone set during automatic port scan.

While it already saves space by not dumping any empty residual entries
of the large successful GPN_FT response (4 pages), there are seldom cases
where the GPN_FT response is unsuccessful and likely does not have
FC_NS_FID_LAST set in fp_flags so we did not cap the trace record.
We typically see such case for an initiator WWPN, which is not in any zone.

Cap unsuccessful responses to at least the actual basic CT_IU response
plus whatever fits the SAN trace record built-in "payload" buffer
just in case there's trailing information
of which we would at least see the existence and its beginning.

In order not to erroneously cap successful responses, we need to swap
calling the trace function and setting the CT / ELS status to success (0).

Example trace record pair formatted with zfcpdbf:

Timestamp  : ...
Area   : SAN
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: fssct_1
Request ID : 0x
Destination ID : 0x00fc
SAN req short  : 0100 fc02 01720ffc 
 0008
SAN req length : 20
|
Timestamp  : ...
Area   : SAN
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 2
Tag: fsscth2
Request ID : 0x
Destination ID : 0x00fc
SAN resp short : 0100 fc02 8001 00090700
     [trailing info]
     [trailing info]
SAN resp length: 16384
San resp info  : 0100 fc02 8001 00090700
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]
     [trailing info]

The fix saves all but one of the previously associated 64 PAYload trace
record chunks of size 256 bytes each.

Signed-off-by: Steffen Maier 
Fixes: aceeffbb59bb ("zfcp: trace full payload of all SAN records 
(req,resp,iels)")
Fixes: 2c55b750a884 ("[SCSI] zfcp: Redesign of the debug tracing for SAN 
records.")
Reviewed-by: Benjamin Block 
Signed-off-by: Benjamin Block 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/s390/scsi/zfcp_dbf.c |   10 +-
 drivers/s390/scsi/zfcp_fsf.c |4 ++--
 2 files changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -3,7 +3,7 @@
  *
  * Debug traces for zfcp.
  *
- * Copyright IBM Corp. 2002, 2016
+ * Copyright IBM Corp. 2002, 2017
  */
 
 #define KMSG_COMPONENT "zfcp"
@@ -447,6 +447,7 @@ static u16 zfcp_dbf_san_res_cap_len_if_g
struct fc_ct_hdr *reqh = sg_virt(ct_els->req);
struct fc_ns_gid_ft *reqn = (struct fc_ns_gid_ft *)(reqh + 1);
struct scatterlist *resp_entry = ct_els->resp;
+   struct fc_ct_hdr *resph;
struct fc_gpn_ft_resp *acc;
int max_entries, x, last = 0;
 
@@ -473,6 +474,13 @@ static u16 zfcp_dbf_san_res_cap_len_if_g
return len; /* not GPN_FT response so do not cap */
 
acc = sg_virt(resp_entry);
+
+   /* cap all but accept CT responses to at least the CT header */
+   resph = (struct fc_ct_hdr *)acc;
+   if ((ct_els->status) ||
+   (resph->ct_cmd != cpu_to_be16(FC_FS_ACC)))
+   return max(FC_CT_HDR_LEN, ZFCP_DBF_SAN_MAX_PAYLOAD);
+
max_entries = (reqh->ct_mr_size * 4 / sizeof(struct fc_gpn_ft_resp))
+ 1 /* zfcp_fc_scan_ports: bytes correct, entries off-by-one
 * to account for header as 1st pseudo "entry" */;
--- 

[PATCH 4.9 42/77] scsi: zfcp: trace high part of "new" 64 bit SCSI LUN

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit 5d4a3d0a2ff23799b956e5962b886287614e7fad upstream.

Complements debugging aspects of the otherwise functionally complete
v3.17 commit 9cb78c16f5da ("scsi: use 64-bit LUNs").

While I don't have access to a target exporting 3 or 4 level LUNs,
I did test it by explicitly attaching a non-existent fake 4 level LUN
by means of zfcp sysfs attribute "unit_add".
In order to see corresponding trace records of otherwise successful
events, we had to increase the trace level of area SCSI and HBA to 6.

$ echo 6 > /sys/kernel/debug/s390dbf/zfcp_0.0.1880_scsi/level
$ echo 6 > /sys/kernel/debug/s390dbf/zfcp_0.0.1880_hba/level

$ echo 0x4011402240334044 > \
  /sys/bus/ccw/drivers/zfcp/0.0.1880/0x50050763031bd327/unit_add

Example output formatted by an updated zfcpdbf from the s390-tools
package interspersed with kernel messages at scsi_logging_level=4605:

Timestamp  : ...
Area   : REC
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: scsla_1
LUN: 0x4011402240334044
WWPN   : 0x50050763031bd327
D_ID   : 0x00..
Adapter status : 0x5400050b
Port status: 0x5401
LUN status : 0x4100
Ready count: 0x0001
Running count  : 0x
ERP want   : 0x01
ERP need   : 0x01

scsi 2:0:0:4630896905707208721: scsi scan: INQUIRY pass 1 length 36
scsi 2:0:0:4630896905707208721: scsi scan: INQUIRY successful with code 0x0

Timestamp  : ...
Area   : HBA
Subarea: 00
Level  : 6
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: fs_norm
Request ID : 0x
Request status : 0x0010
FSF cmnd   : 0x0001
FSF sequence no: 0x...
FSF issued : ...
FSF stat   : 0x
FSF stat qual  :    
Prot stat  : 0x0001
Prot stat qual :    
Port handle: 0x...
LUN handle : 0x...
|
Timestamp  : ...
Area   : SCSI
Subarea: 00
Level  : 6
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: rsl_nor
Request ID : 0x
SCSI ID: 0x
SCSI LUN   : 0x40224011
SCSI LUN high  : 0x40444033 <===
SCSI result: 0x
SCSI retries   : 0x00
SCSI allowed   : 0x03
SCSI scribble  : 0x
SCSI opcode: 1200 a400  
FCP rsp inf cod: 0x00
FCP rsp IU :    
  

scsi 2:0:0:4630896905707208721: scsi scan: INQUIRY pass 2 length 164
scsi 2:0:0:4630896905707208721: scsi scan: INQUIRY successful with code 0x0
scsi 2:0:0:4630896905707208721: scsi scan: peripheral device type of 31, \
no device added

Signed-off-by: Steffen Maier 
Fixes: 9cb78c16f5da ("scsi: use 64-bit LUNs")
Reviewed-by: Benjamin Block 
Reviewed-by: Jens Remus 
Signed-off-by: Benjamin Block 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/s390/scsi/zfcp_dbf.c |2 +-
 drivers/s390/scsi/zfcp_dbf.h |4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -563,8 +563,8 @@ void zfcp_dbf_scsi(char *tag, int level,
rec->scsi_retries = sc->retries;
rec->scsi_allowed = sc->allowed;
rec->scsi_id = sc->device->id;
-   /* struct zfcp_dbf_scsi needs to be updated to handle 64bit LUNs */
rec->scsi_lun = (u32)sc->device->lun;
+   rec->scsi_lun_64_hi = (u32)(sc->device->lun >> 32);
rec->host_scribble = (unsigned long)sc->host_scribble;
 
memcpy(rec->scsi_opcode, sc->cmnd,
--- a/drivers/s390/scsi/zfcp_dbf.h
+++ b/drivers/s390/scsi/zfcp_dbf.h
@@ -204,7 +204,7 @@ enum zfcp_dbf_scsi_id {
  * @id: unique number of recovery record type
  * @tag: identifier string specifying the location of initiation
  * @scsi_id: scsi device id
- * @scsi_lun: scsi device logical unit number
+ * @scsi_lun: scsi device logical unit number, low part of 64 bit, old 32 bit
  * @scsi_result: scsi result
  * @scsi_retries: current retry number of scsi request
  * @scsi_allowed: allowed retries
@@ -214,6 +214,7 @@ enum zfcp_dbf_scsi_id {
  * @host_scribble: LLD specific data attached to SCSI request
  * @pl_len: length of paload stored as zfcp_dbf_pay
  * @fsf_rsp: response for fsf request
+ * @scsi_lun_64_hi: scsi device logical unit number, high part of 64 bit
  */
 struct zfcp_dbf_scsi {
u8 id;
@@ -230,6 +231,7 @@ struct zfcp_dbf_scsi {
u64 host_scribble;
u16 pl_len;
struct fcp_resp_with_ext fcp_rsp;
+   u32 

[PATCH 4.9 42/77] scsi: zfcp: trace high part of "new" 64 bit SCSI LUN

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit 5d4a3d0a2ff23799b956e5962b886287614e7fad upstream.

Complements debugging aspects of the otherwise functionally complete
v3.17 commit 9cb78c16f5da ("scsi: use 64-bit LUNs").

While I don't have access to a target exporting 3 or 4 level LUNs,
I did test it by explicitly attaching a non-existent fake 4 level LUN
by means of zfcp sysfs attribute "unit_add".
In order to see corresponding trace records of otherwise successful
events, we had to increase the trace level of area SCSI and HBA to 6.

$ echo 6 > /sys/kernel/debug/s390dbf/zfcp_0.0.1880_scsi/level
$ echo 6 > /sys/kernel/debug/s390dbf/zfcp_0.0.1880_hba/level

$ echo 0x4011402240334044 > \
  /sys/bus/ccw/drivers/zfcp/0.0.1880/0x50050763031bd327/unit_add

Example output formatted by an updated zfcpdbf from the s390-tools
package interspersed with kernel messages at scsi_logging_level=4605:

Timestamp  : ...
Area   : REC
Subarea: 00
Level  : 1
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: scsla_1
LUN: 0x4011402240334044
WWPN   : 0x50050763031bd327
D_ID   : 0x00..
Adapter status : 0x5400050b
Port status: 0x5401
LUN status : 0x4100
Ready count: 0x0001
Running count  : 0x
ERP want   : 0x01
ERP need   : 0x01

scsi 2:0:0:4630896905707208721: scsi scan: INQUIRY pass 1 length 36
scsi 2:0:0:4630896905707208721: scsi scan: INQUIRY successful with code 0x0

Timestamp  : ...
Area   : HBA
Subarea: 00
Level  : 6
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: fs_norm
Request ID : 0x
Request status : 0x0010
FSF cmnd   : 0x0001
FSF sequence no: 0x...
FSF issued : ...
FSF stat   : 0x
FSF stat qual  :    
Prot stat  : 0x0001
Prot stat qual :    
Port handle: 0x...
LUN handle : 0x...
|
Timestamp  : ...
Area   : SCSI
Subarea: 00
Level  : 6
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: rsl_nor
Request ID : 0x
SCSI ID: 0x
SCSI LUN   : 0x40224011
SCSI LUN high  : 0x40444033 <===
SCSI result: 0x
SCSI retries   : 0x00
SCSI allowed   : 0x03
SCSI scribble  : 0x
SCSI opcode: 1200 a400  
FCP rsp inf cod: 0x00
FCP rsp IU :    
  

scsi 2:0:0:4630896905707208721: scsi scan: INQUIRY pass 2 length 164
scsi 2:0:0:4630896905707208721: scsi scan: INQUIRY successful with code 0x0
scsi 2:0:0:4630896905707208721: scsi scan: peripheral device type of 31, \
no device added

Signed-off-by: Steffen Maier 
Fixes: 9cb78c16f5da ("scsi: use 64-bit LUNs")
Reviewed-by: Benjamin Block 
Reviewed-by: Jens Remus 
Signed-off-by: Benjamin Block 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/s390/scsi/zfcp_dbf.c |2 +-
 drivers/s390/scsi/zfcp_dbf.h |4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -563,8 +563,8 @@ void zfcp_dbf_scsi(char *tag, int level,
rec->scsi_retries = sc->retries;
rec->scsi_allowed = sc->allowed;
rec->scsi_id = sc->device->id;
-   /* struct zfcp_dbf_scsi needs to be updated to handle 64bit LUNs */
rec->scsi_lun = (u32)sc->device->lun;
+   rec->scsi_lun_64_hi = (u32)(sc->device->lun >> 32);
rec->host_scribble = (unsigned long)sc->host_scribble;
 
memcpy(rec->scsi_opcode, sc->cmnd,
--- a/drivers/s390/scsi/zfcp_dbf.h
+++ b/drivers/s390/scsi/zfcp_dbf.h
@@ -204,7 +204,7 @@ enum zfcp_dbf_scsi_id {
  * @id: unique number of recovery record type
  * @tag: identifier string specifying the location of initiation
  * @scsi_id: scsi device id
- * @scsi_lun: scsi device logical unit number
+ * @scsi_lun: scsi device logical unit number, low part of 64 bit, old 32 bit
  * @scsi_result: scsi result
  * @scsi_retries: current retry number of scsi request
  * @scsi_allowed: allowed retries
@@ -214,6 +214,7 @@ enum zfcp_dbf_scsi_id {
  * @host_scribble: LLD specific data attached to SCSI request
  * @pl_len: length of paload stored as zfcp_dbf_pay
  * @fsf_rsp: response for fsf request
+ * @scsi_lun_64_hi: scsi device logical unit number, high part of 64 bit
  */
 struct zfcp_dbf_scsi {
u8 id;
@@ -230,6 +231,7 @@ struct zfcp_dbf_scsi {
u64 host_scribble;
u16 pl_len;
struct fcp_resp_with_ext fcp_rsp;
+   u32 scsi_lun_64_hi;
 } __packed;
 
 /**

[PATCH 4.9 32/77] md/bitmap: disable bitmap_resize for file-backed bitmaps.

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: NeilBrown 

commit e8a27f836f165c26f867ece7f31eb5c811692319 upstream.

bitmap_resize() does not work for file-backed bitmaps.
The buffer_heads are allocated and initialized when
the bitmap is read from the file, but resize doesn't
read from the file, it loads from the internal bitmap.
When it comes time to write the new bitmap, the bh is
non-existent and we crash.

The common case when growing an array involves making the array larger,
and that normally means making the bitmap larger.  Doing
that inside the kernel is possible, but would need more code.
It is probably easier to require people who use file-backed
bitmaps to remove them and re-add after a reshape.

So this patch disables the resizing of arrays which have
file-backed bitmaps.  This is better than crashing.

Reported-by: Zhilong Liu 
Fixes: d60b479d177a ("md/bitmap: add bitmap_resize function to allow bitmap 
resizing.")
Signed-off-by: NeilBrown 
Signed-off-by: Shaohua Li 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bitmap.c |5 +
 1 file changed, 5 insertions(+)

--- a/drivers/md/bitmap.c
+++ b/drivers/md/bitmap.c
@@ -1992,6 +1992,11 @@ int bitmap_resize(struct bitmap *bitmap,
long pages;
struct bitmap_page *new_bp;
 
+   if (bitmap->storage.file && !init) {
+   pr_info("md: cannot resize file-based bitmap\n");
+   return -EINVAL;
+   }
+
if (chunksize == 0) {
/* If there is enough space, leave the chunk size unchanged,
 * else increase by factor of two until there is enough space.

[PATCH 4.9 32/77] md/bitmap: disable bitmap_resize for file-backed bitmaps.

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: NeilBrown 

commit e8a27f836f165c26f867ece7f31eb5c811692319 upstream.

bitmap_resize() does not work for file-backed bitmaps.
The buffer_heads are allocated and initialized when
the bitmap is read from the file, but resize doesn't
read from the file, it loads from the internal bitmap.
When it comes time to write the new bitmap, the bh is
non-existent and we crash.

The common case when growing an array involves making the array larger,
and that normally means making the bitmap larger.  Doing
that inside the kernel is possible, but would need more code.
It is probably easier to require people who use file-backed
bitmaps to remove them and re-add after a reshape.

So this patch disables the resizing of arrays which have
file-backed bitmaps.  This is better than crashing.

Reported-by: Zhilong Liu 
Fixes: d60b479d177a ("md/bitmap: add bitmap_resize function to allow bitmap 
resizing.")
Signed-off-by: NeilBrown 
Signed-off-by: Shaohua Li 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bitmap.c |5 +
 1 file changed, 5 insertions(+)

--- a/drivers/md/bitmap.c
+++ b/drivers/md/bitmap.c
@@ -1992,6 +1992,11 @@ int bitmap_resize(struct bitmap *bitmap,
long pages;
struct bitmap_page *new_bp;
 
+   if (bitmap->storage.file && !init) {
+   pr_info("md: cannot resize file-based bitmap\n");
+   return -EINVAL;
+   }
+
if (chunksize == 0) {
/* If there is enough space, leave the chunk size unchanged,
 * else increase by factor of two until there is enough space.

[PATCH 4.9 06/77] drm/sun4i: Implement drm_driver lastclose to restore fbdev console

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Jonathan Liu 

commit 2a596fc9d974bb040eda9ab70bf8756fcaaa6afe upstream.

The drm_driver lastclose callback is called when the last userspace
DRM client has closed. Call drm_fbdev_cma_restore_mode to restore
the fbdev console otherwise the fbdev console will stop working.

Fixes: 9026e0d122ac ("drm: Add Allwinner A10 Display Engine support")
Tested-by: Olliver Schinagl 
Reviewed-by: Chen-Yu Tsai 
Signed-off-by: Jonathan Liu 
Signed-off-by: Maxime Ripard 
[net...@gmail.com: Backport to 4.9, minor context change]
Signed-off-by: Jonathan Liu 
Signed-off-by: Greg Kroah-Hartman 


---
 drivers/gpu/drm/sun4i/sun4i_drv.c |8 
 1 file changed, 8 insertions(+)

--- a/drivers/gpu/drm/sun4i/sun4i_drv.c
+++ b/drivers/gpu/drm/sun4i/sun4i_drv.c
@@ -47,6 +47,13 @@ static void sun4i_drv_disable_vblank(str
sun4i_tcon_enable_vblank(tcon, false);
 }
 
+static void sun4i_drv_lastclose(struct drm_device *dev)
+{
+   struct sun4i_drv *drv = dev->dev_private;
+
+   drm_fbdev_cma_restore_mode(drv->fbdev);
+}
+
 static const struct file_operations sun4i_drv_fops = {
.owner  = THIS_MODULE,
.open   = drm_open,
@@ -65,6 +72,7 @@ static struct drm_driver sun4i_drv_drive
.driver_features= DRIVER_GEM | DRIVER_MODESET | DRIVER_PRIME | 
DRIVER_ATOMIC,
 
/* Generic Operations */
+   .lastclose  = sun4i_drv_lastclose,
.fops   = _drv_fops,
.name   = "sun4i-drm",
.desc   = "Allwinner sun4i Display Engine",

[PATCH 4.9 00/77] 4.9.52-stable review

[Greg Kroah-Hartman]

This is the start of the stable review cycle for the 4.9.52 release.
There are 77 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue Sep 26 20:32:25 UTC 2017.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.52-rc1.gz
or in the git tree and branch at:
  git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git 
linux-4.9.y
and the diffstat can be found below.

thanks,

greg k-h

-
Pseudo-Shortlog of commits:

Greg Kroah-Hartman 
Linux 4.9.52-rc1

Thomas Gleixner 
genirq: Make sparse_irq_lock protect what it should protect

Avraham Stern 
mac80211: flush hw_roc_start work before cancelling the ROC

Beni Lev 
mac80211_hwsim: Use proper TX power

Johannes Berg 
mac80211: fix VLAN handling with TXQs

Michael Lyle 
bcache: fix bch_hprint crash and improve output

Tang Junhui 
bcache: fix for gc and write-back race

Tony Asleson 
bcache: Correct return value for sysfs attach errors

Tang Junhui 
bcache: correct cache_dirty_target in __update_writeback_rate()

Tang Junhui 
bcache: do not subtract sectors_to_gc for bypassed IO

Jan Kara 
bcache: Fix leak of bdev reference

Tang Junhui 
bcache: initialize dirty stripes in flash_dev_run()

Chanwoo Choi 
PM / devfreq: Fix memory leak when fail to register device

Guenter Roeck 
media: uvcvideo: Prevent heap overflow when accessing mapped controls

Daniel Mentz 
media: v4l2-compat-ioctl32: Fix timespec conversion

Martin Schwidefsky 
s390/mm: fix race on mm->context.flush_mm

Martin Schwidefsky 
s390/mm: fix local TLB flushing vs. detach of an mm address space

Manfred Spraul 
net/netfilter/nf_conntrack_core: Fix net_conntrack_lock()

Keith Busch 
PCI: pciehp: Report power fault only once until we clear it

Aleksandr Bezzubikov 
PCI: shpchp: Enable bridge bus mastering if MSI is enabled

Jose Abreu 
ARC: Re-enable MMU upon Machine Check exception

Baohong Liu 
tracing: Apply trace_clock changes to instance max buffer

Steven Rostedt (VMware) 
tracing: Add barrier to trace_printk() buffer nesting modification

Steven Rostedt (VMware) 
ftrace: Fix memleak when unregistering dynamic ops when tracing disabled

Steven Rostedt (VMware) 
ftrace: Fix selftest goto location on error

Dan Carpenter 
scsi: qla2xxx: Fix an integer overflow in sysfs code

Joe Carnuccio 
scsi: qla2xxx: Correction to vha->vref_count timeout

Hannes Reinecke 
scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE

Hannes Reinecke 
scsi: sg: factor out sg_fill_request_table()

Dan Carpenter 
scsi: sg: off by one in sg_ioctl()

Hannes Reinecke 
scsi: sg: use standard lists for sg_requests

Hannes Reinecke 
scsi: sg: remove 'save_scat_len'

Long Li 
scsi: storvsc: fix memory leak on ring buffer busy

Shivasharan S 
scsi: megaraid_sas: Return pended IOCTLs with cmd_status 
MFI_STAT_WRONG_STATE in case adapter is dead

Shivasharan S 
scsi: megaraid_sas: Check valid aen class range to avoid kernel panic

Shivasharan S 
scsi: megaraid_sas: set minimum value of resetwaittime to be 1 secs

Steffen Maier 
scsi: zfcp: trace high part of "new" 64 bit SCSI LUN

Steffen Maier 
scsi: zfcp: trace HBA FSF response by default on dismiss or timedout late 
response

Steffen Maier 
scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records

Steffen Maier 
scsi: zfcp: fix missing trace records for early returns in TMF eh handlers

Steffen Maier 
scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with HBA

Steffen Maier 
scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace records

Benjamin Block 
scsi: zfcp: add handling for FCP_RESID_OVER to 

[PATCH 4.9 08/77] tty: improve tty_insert_flip_char() fast path

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Arnd Bergmann 

commit 979990c6284814617d8f2179d197f72ff62b5d85 upstream.

kernelci.org reports a crazy stack usage for the VT code when CONFIG_KASAN
is enabled:

drivers/tty/vt/keyboard.c: In function 'kbd_keycode':
drivers/tty/vt/keyboard.c:1452:1: error: the frame size of 2240 bytes is larger 
than 2048 bytes [-Werror=frame-larger-than=]

The problem is that tty_insert_flip_char() gets inlined many times into
kbd_keycode(), and also into other functions, and each copy requires 128
bytes for stack redzone to check for a possible out-of-bounds access on
the 'ch' and 'flags' arguments that are passed into
tty_insert_flip_string_flags as a variable-length string.

This introduces a new __tty_insert_flip_char() function for the slow
path, which receives the two arguments by value. This completely avoids
the problem and the stack usage goes back down to around 100 bytes.

Without KASAN, this is also slightly better, as we don't have to
spill the arguments to the stack but can simply pass 'ch' and 'flag'
in registers, saving a few bytes in .text for each call site.

This should be backported to linux-4.0 or later, which first introduced
the stack sanitizer in the kernel.

Fixes: c420f167db8c ("kasan: enable stack instrumentation")
Signed-off-by: Arnd Bergmann 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/tty/tty_buffer.c |   24 
 include/linux/tty_flip.h |3 ++-
 2 files changed, 26 insertions(+), 1 deletion(-)

--- a/drivers/tty/tty_buffer.c
+++ b/drivers/tty/tty_buffer.c
@@ -362,6 +362,30 @@ int tty_insert_flip_string_flags(struct
 EXPORT_SYMBOL(tty_insert_flip_string_flags);
 
 /**
+ * __tty_insert_flip_char   -  Add one character to the tty buffer
+ * @port: tty port
+ * @ch: character
+ * @flag: flag byte
+ *
+ * Queue a single byte to the tty buffering, with an optional flag.
+ * This is the slow path of tty_insert_flip_char.
+ */
+int __tty_insert_flip_char(struct tty_port *port, unsigned char ch, char flag)
+{
+   struct tty_buffer *tb = port->buf.tail;
+   int flags = (flag == TTY_NORMAL) ? TTYB_NORMAL : 0;
+
+   if (!tty_buffer_request_room(port, 1))
+   return 0;
+
+   *flag_buf_ptr(tb, tb->used) = flag;
+   *char_buf_ptr(tb, tb->used++) = ch;
+
+   return 1;
+}
+EXPORT_SYMBOL(__tty_insert_flip_char);
+
+/**
  * tty_schedule_flip   -   push characters to ldisc
  * @port: tty port to push from
  *
--- a/include/linux/tty_flip.h
+++ b/include/linux/tty_flip.h
@@ -12,6 +12,7 @@ extern int tty_prepare_flip_string(struc
unsigned char **chars, size_t size);
 extern void tty_flip_buffer_push(struct tty_port *port);
 void tty_schedule_flip(struct tty_port *port);
+int __tty_insert_flip_char(struct tty_port *port, unsigned char ch, char flag);
 
 static inline int tty_insert_flip_char(struct tty_port *port,
unsigned char ch, char flag)
@@ -26,7 +27,7 @@ static inline int tty_insert_flip_char(s
*char_buf_ptr(tb, tb->used++) = ch;
return 1;
}
-   return tty_insert_flip_string_flags(port, , , 1);
+   return __tty_insert_flip_char(port, ch, flag);
 }
 
 static inline int tty_insert_flip_string(struct tty_port *port,

[PATCH 4.9 06/77] drm/sun4i: Implement drm_driver lastclose to restore fbdev console

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Jonathan Liu 

commit 2a596fc9d974bb040eda9ab70bf8756fcaaa6afe upstream.

The drm_driver lastclose callback is called when the last userspace
DRM client has closed. Call drm_fbdev_cma_restore_mode to restore
the fbdev console otherwise the fbdev console will stop working.

Fixes: 9026e0d122ac ("drm: Add Allwinner A10 Display Engine support")
Tested-by: Olliver Schinagl 
Reviewed-by: Chen-Yu Tsai 
Signed-off-by: Jonathan Liu 
Signed-off-by: Maxime Ripard 
[net...@gmail.com: Backport to 4.9, minor context change]
Signed-off-by: Jonathan Liu 
Signed-off-by: Greg Kroah-Hartman 


---
 drivers/gpu/drm/sun4i/sun4i_drv.c |8 
 1 file changed, 8 insertions(+)

--- a/drivers/gpu/drm/sun4i/sun4i_drv.c
+++ b/drivers/gpu/drm/sun4i/sun4i_drv.c
@@ -47,6 +47,13 @@ static void sun4i_drv_disable_vblank(str
sun4i_tcon_enable_vblank(tcon, false);
 }
 
+static void sun4i_drv_lastclose(struct drm_device *dev)
+{
+   struct sun4i_drv *drv = dev->dev_private;
+
+   drm_fbdev_cma_restore_mode(drv->fbdev);
+}
+
 static const struct file_operations sun4i_drv_fops = {
.owner  = THIS_MODULE,
.open   = drm_open,
@@ -65,6 +72,7 @@ static struct drm_driver sun4i_drv_drive
.driver_features= DRIVER_GEM | DRIVER_MODESET | DRIVER_PRIME | 
DRIVER_ATOMIC,
 
/* Generic Operations */
+   .lastclose  = sun4i_drv_lastclose,
.fops   = _drv_fops,
.name   = "sun4i-drm",
.desc   = "Allwinner sun4i Display Engine",

[PATCH 4.9 00/77] 4.9.52-stable review

[Greg Kroah-Hartman]

This is the start of the stable review cycle for the 4.9.52 release.
There are 77 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue Sep 26 20:32:25 UTC 2017.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.52-rc1.gz
or in the git tree and branch at:
  git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git 
linux-4.9.y
and the diffstat can be found below.

thanks,

greg k-h

-
Pseudo-Shortlog of commits:

Greg Kroah-Hartman 
Linux 4.9.52-rc1

Thomas Gleixner 
genirq: Make sparse_irq_lock protect what it should protect

Avraham Stern 
mac80211: flush hw_roc_start work before cancelling the ROC

Beni Lev 
mac80211_hwsim: Use proper TX power

Johannes Berg 
mac80211: fix VLAN handling with TXQs

Michael Lyle 
bcache: fix bch_hprint crash and improve output

Tang Junhui 
bcache: fix for gc and write-back race

Tony Asleson 
bcache: Correct return value for sysfs attach errors

Tang Junhui 
bcache: correct cache_dirty_target in __update_writeback_rate()

Tang Junhui 
bcache: do not subtract sectors_to_gc for bypassed IO

Jan Kara 
bcache: Fix leak of bdev reference

Tang Junhui 
bcache: initialize dirty stripes in flash_dev_run()

Chanwoo Choi 
PM / devfreq: Fix memory leak when fail to register device

Guenter Roeck 
media: uvcvideo: Prevent heap overflow when accessing mapped controls

Daniel Mentz 
media: v4l2-compat-ioctl32: Fix timespec conversion

Martin Schwidefsky 
s390/mm: fix race on mm->context.flush_mm

Martin Schwidefsky 
s390/mm: fix local TLB flushing vs. detach of an mm address space

Manfred Spraul 
net/netfilter/nf_conntrack_core: Fix net_conntrack_lock()

Keith Busch 
PCI: pciehp: Report power fault only once until we clear it

Aleksandr Bezzubikov 
PCI: shpchp: Enable bridge bus mastering if MSI is enabled

Jose Abreu 
ARC: Re-enable MMU upon Machine Check exception

Baohong Liu 
tracing: Apply trace_clock changes to instance max buffer

Steven Rostedt (VMware) 
tracing: Add barrier to trace_printk() buffer nesting modification

Steven Rostedt (VMware) 
ftrace: Fix memleak when unregistering dynamic ops when tracing disabled

Steven Rostedt (VMware) 
ftrace: Fix selftest goto location on error

Dan Carpenter 
scsi: qla2xxx: Fix an integer overflow in sysfs code

Joe Carnuccio 
scsi: qla2xxx: Correction to vha->vref_count timeout

Hannes Reinecke 
scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE

Hannes Reinecke 
scsi: sg: factor out sg_fill_request_table()

Dan Carpenter 
scsi: sg: off by one in sg_ioctl()

Hannes Reinecke 
scsi: sg: use standard lists for sg_requests

Hannes Reinecke 
scsi: sg: remove 'save_scat_len'

Long Li 
scsi: storvsc: fix memory leak on ring buffer busy

Shivasharan S 
scsi: megaraid_sas: Return pended IOCTLs with cmd_status 
MFI_STAT_WRONG_STATE in case adapter is dead

Shivasharan S 
scsi: megaraid_sas: Check valid aen class range to avoid kernel panic

Shivasharan S 
scsi: megaraid_sas: set minimum value of resetwaittime to be 1 secs

Steffen Maier 
scsi: zfcp: trace high part of "new" 64 bit SCSI LUN

Steffen Maier 
scsi: zfcp: trace HBA FSF response by default on dismiss or timedout late 
response

Steffen Maier 
scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records

Steffen Maier 
scsi: zfcp: fix missing trace records for early returns in TMF eh handlers

Steffen Maier 
scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with HBA

Steffen Maier 
scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace records

Benjamin Block 
scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path

Steffen Maier 
scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled

Bart Van Assche 
skd: Submit requests to firmware before triggering the doorbell

Bart Van Assche 
skd: Avoid that module unloading triggers a use-after-free

NeilBrown 
md/bitmap: disable bitmap_resize for file-backed bitmaps.

Bart Van Assche 
block: Relax a check in blk_start_queue()

Michael Ellerman 
powerpc: Fix DAR reporting when alignment handler faults

zhangyi (F) 
ext4: fix quota inconsistency during orphan cleanup for read-only mounts

zhangyi (F) 
ext4: fix incorrect quotaoff if the quota feature is enabled

Stephan Mueller 
crypto: AF_ALG - remove SGL terminator indicator when chaining

Gary R Hook 
crypto: ccp - Fix XTS-AES-128 support on v5 CCPs

Douglas Leung 
MIPS: math-emu: .D: Fix accuracy (64-bit case)

Douglas Leung 
MIPS: math-emu: .S: Fix accuracy (32-bit case)

Aleksandar Markovic 
MIPS: math-emu: .: Clean up "maddf_flags" 

[PATCH 4.9 08/77] tty: improve tty_insert_flip_char() fast path

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Arnd Bergmann 

commit 979990c6284814617d8f2179d197f72ff62b5d85 upstream.

kernelci.org reports a crazy stack usage for the VT code when CONFIG_KASAN
is enabled:

drivers/tty/vt/keyboard.c: In function 'kbd_keycode':
drivers/tty/vt/keyboard.c:1452:1: error: the frame size of 2240 bytes is larger 
than 2048 bytes [-Werror=frame-larger-than=]

The problem is that tty_insert_flip_char() gets inlined many times into
kbd_keycode(), and also into other functions, and each copy requires 128
bytes for stack redzone to check for a possible out-of-bounds access on
the 'ch' and 'flags' arguments that are passed into
tty_insert_flip_string_flags as a variable-length string.

This introduces a new __tty_insert_flip_char() function for the slow
path, which receives the two arguments by value. This completely avoids
the problem and the stack usage goes back down to around 100 bytes.

Without KASAN, this is also slightly better, as we don't have to
spill the arguments to the stack but can simply pass 'ch' and 'flag'
in registers, saving a few bytes in .text for each call site.

This should be backported to linux-4.0 or later, which first introduced
the stack sanitizer in the kernel.

Fixes: c420f167db8c ("kasan: enable stack instrumentation")
Signed-off-by: Arnd Bergmann 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/tty/tty_buffer.c |   24 
 include/linux/tty_flip.h |3 ++-
 2 files changed, 26 insertions(+), 1 deletion(-)

--- a/drivers/tty/tty_buffer.c
+++ b/drivers/tty/tty_buffer.c
@@ -362,6 +362,30 @@ int tty_insert_flip_string_flags(struct
 EXPORT_SYMBOL(tty_insert_flip_string_flags);
 
 /**
+ * __tty_insert_flip_char   -  Add one character to the tty buffer
+ * @port: tty port
+ * @ch: character
+ * @flag: flag byte
+ *
+ * Queue a single byte to the tty buffering, with an optional flag.
+ * This is the slow path of tty_insert_flip_char.
+ */
+int __tty_insert_flip_char(struct tty_port *port, unsigned char ch, char flag)
+{
+   struct tty_buffer *tb = port->buf.tail;
+   int flags = (flag == TTY_NORMAL) ? TTYB_NORMAL : 0;
+
+   if (!tty_buffer_request_room(port, 1))
+   return 0;
+
+   *flag_buf_ptr(tb, tb->used) = flag;
+   *char_buf_ptr(tb, tb->used++) = ch;
+
+   return 1;
+}
+EXPORT_SYMBOL(__tty_insert_flip_char);
+
+/**
  * tty_schedule_flip   -   push characters to ldisc
  * @port: tty port to push from
  *
--- a/include/linux/tty_flip.h
+++ b/include/linux/tty_flip.h
@@ -12,6 +12,7 @@ extern int tty_prepare_flip_string(struc
unsigned char **chars, size_t size);
 extern void tty_flip_buffer_push(struct tty_port *port);
 void tty_schedule_flip(struct tty_port *port);
+int __tty_insert_flip_char(struct tty_port *port, unsigned char ch, char flag);
 
 static inline int tty_insert_flip_char(struct tty_port *port,
unsigned char ch, char flag)
@@ -26,7 +27,7 @@ static inline int tty_insert_flip_char(s
*char_buf_ptr(tb, tb->used++) = ch;
return 1;
}
-   return tty_insert_flip_string_flags(port, , , 1);
+   return __tty_insert_flip_char(port, ch, flag);
 }
 
 static inline int tty_insert_flip_string(struct tty_port *port,

[PATCH 4.9 14/77] MIPS: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix cases of both inputs zero

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit 15560a58bfd4ff82cdd16b2270d4ef9b06d2cc4d upstream.

Fix the value returned by ., if both inputs
are zeros. The right behavior in such cases is stated in instruction
reference manual and is as follows:

   fs  ft   MAX MIN   MAXAMINA
  -
0   00   0 0   0
0  -00  -0 0  -0
   -0   00  -0 0  -0
   -0  -0   -0  -0-0  -0

Prior to this patch, some of the above cases were yielding correct
results. However, for the sake of code consistency, all such cases
are rewritten in this patch.

A relevant example:

MAX.S fd,fs,ft:
  If fs contains +0.0, and ft contains -0.0, fd is going to contain
  +0.0 (without this patch, it used to contain -0.0).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16881/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |8 ++--
 arch/mips/math-emu/dp_fmin.c |8 ++--
 arch/mips/math-emu/sp_fmax.c |8 ++--
 arch/mips/math-emu/sp_fmin.c |8 ++--
 4 files changed, 8 insertions(+), 24 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -92,9 +92,7 @@ union ieee754dp ieee754dp_fmax(union iee
return ys ? x : y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754dp_zero(1);
+   return ieee754dp_zero(xs & ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
DPDNORMX;
@@ -204,9 +202,7 @@ union ieee754dp ieee754dp_fmaxa(union ie
return y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754dp_zero(1);
+   return ieee754dp_zero(xs & ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
DPDNORMX;
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -92,9 +92,7 @@ union ieee754dp ieee754dp_fmin(union iee
return ys ? y : x;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754dp_zero(1);
+   return ieee754dp_zero(xs | ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
DPDNORMX;
@@ -204,9 +202,7 @@ union ieee754dp ieee754dp_fmina(union ie
return y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754dp_zero(1);
+   return ieee754dp_zero(xs | ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
DPDNORMX;
--- a/arch/mips/math-emu/sp_fmax.c
+++ b/arch/mips/math-emu/sp_fmax.c
@@ -92,9 +92,7 @@ union ieee754sp ieee754sp_fmax(union iee
return ys ? x : y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754sp_zero(1);
+   return ieee754sp_zero(xs & ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
SPDNORMX;
@@ -204,9 +202,7 @@ union ieee754sp ieee754sp_fmaxa(union ie
return y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754sp_zero(1);
+   return ieee754sp_zero(xs & ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
SPDNORMX;
--- a/arch/mips/math-emu/sp_fmin.c
+++ b/arch/mips/math-emu/sp_fmin.c
@@ -92,9 +92,7 @@ union ieee754sp ieee754sp_fmin(union iee
return ys ? y : x;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
- 

[PATCH 4.9 02/77] NFSv4: Fix callback server shutdown

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Trond Myklebust 

commit ed6473ddc704a2005b9900ca08e236ebb2d8540a upstream.

We want to use kthread_stop() in order to ensure the threads are
shut down before we tear down the nfs_callback_info in nfs_callback_down.

Tested-and-reviewed-by: Kinglong Mee 
Reported-by: Kinglong Mee 
Fixes: bb6aeba736ba9 ("NFSv4.x: Switch to using svc_set_num_threads()...")
Signed-off-by: Trond Myklebust 
Signed-off-by: J. Bruce Fields 
Cc: Jan Hudoba 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/nfs/callback.c  |   24 
 include/linux/sunrpc/svc.h |1 +
 net/sunrpc/svc.c   |   38 ++
 3 files changed, 55 insertions(+), 8 deletions(-)

--- a/fs/nfs/callback.c
+++ b/fs/nfs/callback.c
@@ -75,7 +75,10 @@ nfs4_callback_svc(void *vrqstp)
 
set_freezable();
 
-   while (!kthread_should_stop()) {
+   while (!kthread_freezable_should_stop(NULL)) {
+
+   if (signal_pending(current))
+   flush_signals(current);
/*
 * Listen for a request on the socket
 */
@@ -84,6 +87,8 @@ nfs4_callback_svc(void *vrqstp)
continue;
svc_process(rqstp);
}
+   svc_exit_thread(rqstp);
+   module_put_and_exit(0);
return 0;
 }
 
@@ -102,9 +107,10 @@ nfs41_callback_svc(void *vrqstp)
 
set_freezable();
 
-   while (!kthread_should_stop()) {
-   if (try_to_freeze())
-   continue;
+   while (!kthread_freezable_should_stop(NULL)) {
+
+   if (signal_pending(current))
+   flush_signals(current);
 
prepare_to_wait(>sv_cb_waitq, , TASK_INTERRUPTIBLE);
spin_lock_bh(>sv_cb_lock);
@@ -120,11 +126,13 @@ nfs41_callback_svc(void *vrqstp)
error);
} else {
spin_unlock_bh(>sv_cb_lock);
-   schedule();
+   if (!kthread_should_stop())
+   schedule();
finish_wait(>sv_cb_waitq, );
}
-   flush_signals(current);
}
+   svc_exit_thread(rqstp);
+   module_put_and_exit(0);
return 0;
 }
 
@@ -220,14 +228,14 @@ err_bind:
 static struct svc_serv_ops nfs40_cb_sv_ops = {
.svo_function   = nfs4_callback_svc,
.svo_enqueue_xprt   = svc_xprt_do_enqueue,
-   .svo_setup  = svc_set_num_threads,
+   .svo_setup  = svc_set_num_threads_sync,
.svo_module = THIS_MODULE,
 };
 #if defined(CONFIG_NFS_V4_1)
 static struct svc_serv_ops nfs41_cb_sv_ops = {
.svo_function   = nfs41_callback_svc,
.svo_enqueue_xprt   = svc_xprt_do_enqueue,
-   .svo_setup  = svc_set_num_threads,
+   .svo_setup  = svc_set_num_threads_sync,
.svo_module = THIS_MODULE,
 };
 
--- a/include/linux/sunrpc/svc.h
+++ b/include/linux/sunrpc/svc.h
@@ -470,6 +470,7 @@ void   svc_pool_map_put(void);
 struct svc_serv *  svc_create_pooled(struct svc_program *, unsigned int,
struct svc_serv_ops *);
 int   svc_set_num_threads(struct svc_serv *, struct svc_pool *, 
int);
+int   svc_set_num_threads_sync(struct svc_serv *, struct svc_pool 
*, int);
 int   svc_pool_stats_open(struct svc_serv *serv, struct file 
*file);
 void  svc_destroy(struct svc_serv *);
 void  svc_shutdown_net(struct svc_serv *, struct net *);
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -795,6 +795,44 @@ svc_set_num_threads(struct svc_serv *ser
 }
 EXPORT_SYMBOL_GPL(svc_set_num_threads);
 
+/* destroy old threads */
+static int
+svc_stop_kthreads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
+{
+   struct task_struct *task;
+   unsigned int state = serv->sv_nrthreads-1;
+
+   /* destroy old threads */
+   do {
+   task = choose_victim(serv, pool, );
+   if (task == NULL)
+   break;
+   kthread_stop(task);
+   nrservs++;
+   } while (nrservs < 0);
+   return 0;
+}
+
+int
+svc_set_num_threads_sync(struct svc_serv *serv, struct svc_pool *pool, int 
nrservs)
+{
+   if (pool == NULL) {
+   /* The -1 assumes caller has done a svc_get() */
+   nrservs -= (serv->sv_nrthreads-1);
+   } else {
+   spin_lock_bh(>sp_lock);
+   nrservs -= pool->sp_nrthreads;
+   spin_unlock_bh(>sp_lock);
+   }
+
+   if (nrservs > 0)
+  

[PATCH 4.9 14/77] MIPS: math-emu: .: Fix cases of both inputs zero

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit 15560a58bfd4ff82cdd16b2270d4ef9b06d2cc4d upstream.

Fix the value returned by ., if both inputs
are zeros. The right behavior in such cases is stated in instruction
reference manual and is as follows:

   fs  ft   MAX MIN   MAXAMINA
  -
0   00   0 0   0
0  -00  -0 0  -0
   -0   00  -0 0  -0
   -0  -0   -0  -0-0  -0

Prior to this patch, some of the above cases were yielding correct
results. However, for the sake of code consistency, all such cases
are rewritten in this patch.

A relevant example:

MAX.S fd,fs,ft:
  If fs contains +0.0, and ft contains -0.0, fd is going to contain
  +0.0 (without this patch, it used to contain -0.0).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16881/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |8 ++--
 arch/mips/math-emu/dp_fmin.c |8 ++--
 arch/mips/math-emu/sp_fmax.c |8 ++--
 arch/mips/math-emu/sp_fmin.c |8 ++--
 4 files changed, 8 insertions(+), 24 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -92,9 +92,7 @@ union ieee754dp ieee754dp_fmax(union iee
return ys ? x : y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754dp_zero(1);
+   return ieee754dp_zero(xs & ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
DPDNORMX;
@@ -204,9 +202,7 @@ union ieee754dp ieee754dp_fmaxa(union ie
return y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754dp_zero(1);
+   return ieee754dp_zero(xs & ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
DPDNORMX;
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -92,9 +92,7 @@ union ieee754dp ieee754dp_fmin(union iee
return ys ? y : x;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754dp_zero(1);
+   return ieee754dp_zero(xs | ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
DPDNORMX;
@@ -204,9 +202,7 @@ union ieee754dp ieee754dp_fmina(union ie
return y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754dp_zero(1);
+   return ieee754dp_zero(xs | ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
DPDNORMX;
--- a/arch/mips/math-emu/sp_fmax.c
+++ b/arch/mips/math-emu/sp_fmax.c
@@ -92,9 +92,7 @@ union ieee754sp ieee754sp_fmax(union iee
return ys ? x : y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754sp_zero(1);
+   return ieee754sp_zero(xs & ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
SPDNORMX;
@@ -204,9 +202,7 @@ union ieee754sp ieee754sp_fmaxa(union ie
return y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754sp_zero(1);
+   return ieee754sp_zero(xs & ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
SPDNORMX;
--- a/arch/mips/math-emu/sp_fmin.c
+++ b/arch/mips/math-emu/sp_fmin.c
@@ -92,9 +92,7 @@ union ieee754sp ieee754sp_fmin(union iee
return ys ? y : x;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
-   if (xs == ys)
-   return x;
-   return ieee754sp_zero(1);
+   return ieee754sp_zero(xs | ys);
 
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_DNORM):
SPDNORMX;
@@ -204,9 +202,7 @@ union ieee754sp ieee754sp_fmina(union ie
return y;
 
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_ZERO):
- 

[PATCH 4.9 02/77] NFSv4: Fix callback server shutdown

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Trond Myklebust 

commit ed6473ddc704a2005b9900ca08e236ebb2d8540a upstream.

We want to use kthread_stop() in order to ensure the threads are
shut down before we tear down the nfs_callback_info in nfs_callback_down.

Tested-and-reviewed-by: Kinglong Mee 
Reported-by: Kinglong Mee 
Fixes: bb6aeba736ba9 ("NFSv4.x: Switch to using svc_set_num_threads()...")
Signed-off-by: Trond Myklebust 
Signed-off-by: J. Bruce Fields 
Cc: Jan Hudoba 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/nfs/callback.c  |   24 
 include/linux/sunrpc/svc.h |1 +
 net/sunrpc/svc.c   |   38 ++
 3 files changed, 55 insertions(+), 8 deletions(-)

--- a/fs/nfs/callback.c
+++ b/fs/nfs/callback.c
@@ -75,7 +75,10 @@ nfs4_callback_svc(void *vrqstp)
 
set_freezable();
 
-   while (!kthread_should_stop()) {
+   while (!kthread_freezable_should_stop(NULL)) {
+
+   if (signal_pending(current))
+   flush_signals(current);
/*
 * Listen for a request on the socket
 */
@@ -84,6 +87,8 @@ nfs4_callback_svc(void *vrqstp)
continue;
svc_process(rqstp);
}
+   svc_exit_thread(rqstp);
+   module_put_and_exit(0);
return 0;
 }
 
@@ -102,9 +107,10 @@ nfs41_callback_svc(void *vrqstp)
 
set_freezable();
 
-   while (!kthread_should_stop()) {
-   if (try_to_freeze())
-   continue;
+   while (!kthread_freezable_should_stop(NULL)) {
+
+   if (signal_pending(current))
+   flush_signals(current);
 
prepare_to_wait(>sv_cb_waitq, , TASK_INTERRUPTIBLE);
spin_lock_bh(>sv_cb_lock);
@@ -120,11 +126,13 @@ nfs41_callback_svc(void *vrqstp)
error);
} else {
spin_unlock_bh(>sv_cb_lock);
-   schedule();
+   if (!kthread_should_stop())
+   schedule();
finish_wait(>sv_cb_waitq, );
}
-   flush_signals(current);
}
+   svc_exit_thread(rqstp);
+   module_put_and_exit(0);
return 0;
 }
 
@@ -220,14 +228,14 @@ err_bind:
 static struct svc_serv_ops nfs40_cb_sv_ops = {
.svo_function   = nfs4_callback_svc,
.svo_enqueue_xprt   = svc_xprt_do_enqueue,
-   .svo_setup  = svc_set_num_threads,
+   .svo_setup  = svc_set_num_threads_sync,
.svo_module = THIS_MODULE,
 };
 #if defined(CONFIG_NFS_V4_1)
 static struct svc_serv_ops nfs41_cb_sv_ops = {
.svo_function   = nfs41_callback_svc,
.svo_enqueue_xprt   = svc_xprt_do_enqueue,
-   .svo_setup  = svc_set_num_threads,
+   .svo_setup  = svc_set_num_threads_sync,
.svo_module = THIS_MODULE,
 };
 
--- a/include/linux/sunrpc/svc.h
+++ b/include/linux/sunrpc/svc.h
@@ -470,6 +470,7 @@ void   svc_pool_map_put(void);
 struct svc_serv *  svc_create_pooled(struct svc_program *, unsigned int,
struct svc_serv_ops *);
 int   svc_set_num_threads(struct svc_serv *, struct svc_pool *, 
int);
+int   svc_set_num_threads_sync(struct svc_serv *, struct svc_pool 
*, int);
 int   svc_pool_stats_open(struct svc_serv *serv, struct file 
*file);
 void  svc_destroy(struct svc_serv *);
 void  svc_shutdown_net(struct svc_serv *, struct net *);
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -795,6 +795,44 @@ svc_set_num_threads(struct svc_serv *ser
 }
 EXPORT_SYMBOL_GPL(svc_set_num_threads);
 
+/* destroy old threads */
+static int
+svc_stop_kthreads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
+{
+   struct task_struct *task;
+   unsigned int state = serv->sv_nrthreads-1;
+
+   /* destroy old threads */
+   do {
+   task = choose_victim(serv, pool, );
+   if (task == NULL)
+   break;
+   kthread_stop(task);
+   nrservs++;
+   } while (nrservs < 0);
+   return 0;
+}
+
+int
+svc_set_num_threads_sync(struct svc_serv *serv, struct svc_pool *pool, int 
nrservs)
+{
+   if (pool == NULL) {
+   /* The -1 assumes caller has done a svc_get() */
+   nrservs -= (serv->sv_nrthreads-1);
+   } else {
+   spin_lock_bh(>sp_lock);
+   nrservs -= pool->sp_nrthreads;
+   spin_unlock_bh(>sp_lock);
+   }
+
+   if (nrservs > 0)
+   return svc_start_kthreads(serv, pool, nrservs);
+   if (nrservs < 0)
+   return svc_stop_kthreads(serv, pool, nrservs);
+   return 0;
+}

[PATCH 4.9 11/77] pinctrl/amd: save pin registers over suspend/resume

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Daniel Drake 

commit 79d2c8bede2c93f9432d7da0bc2f76a195c90fc0 upstream.

The touchpad in the Asus laptop models X505BA/BP and X542BA/BP is
unresponsive after suspend/resume. The following error appears during
resume:

  i2c_hid i2c-ELAN1300:00: failed to reset device.

The problem here is that i2c_hid does not notice the interrupt being
generated at this point, because the GPIO is no longer configured
for interrupts.

Fix this by saving pinctrl-amd pin registers during suspend and
restoring them at resume time.

Based on code from pinctrl-intel.

Signed-off-by: Daniel Drake 
Signed-off-by: Linus Walleij 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/pinctrl/pinctrl-amd.c |   75 ++
 drivers/pinctrl/pinctrl-amd.h |1 
 2 files changed, 76 insertions(+)

--- a/drivers/pinctrl/pinctrl-amd.c
+++ b/drivers/pinctrl/pinctrl-amd.c
@@ -32,6 +32,7 @@
 #include 
 #include 
 
+#include "core.h"
 #include "pinctrl-utils.h"
 #include "pinctrl-amd.h"
 
@@ -712,6 +713,69 @@ static const struct pinconf_ops amd_pinc
.pin_config_group_set = amd_pinconf_group_set,
 };
 
+#ifdef CONFIG_PM_SLEEP
+static bool amd_gpio_should_save(struct amd_gpio *gpio_dev, unsigned int pin)
+{
+   const struct pin_desc *pd = pin_desc_get(gpio_dev->pctrl, pin);
+
+   if (!pd)
+   return false;
+
+   /*
+* Only restore the pin if it is actually in use by the kernel (or
+* by userspace).
+*/
+   if (pd->mux_owner || pd->gpio_owner ||
+   gpiochip_line_is_irq(_dev->gc, pin))
+   return true;
+
+   return false;
+}
+
+int amd_gpio_suspend(struct device *dev)
+{
+   struct platform_device *pdev = to_platform_device(dev);
+   struct amd_gpio *gpio_dev = platform_get_drvdata(pdev);
+   struct pinctrl_desc *desc = gpio_dev->pctrl->desc;
+   int i;
+
+   for (i = 0; i < desc->npins; i++) {
+   int pin = desc->pins[i].number;
+
+   if (!amd_gpio_should_save(gpio_dev, pin))
+   continue;
+
+   gpio_dev->saved_regs[i] = readl(gpio_dev->base + pin*4);
+   }
+
+   return 0;
+}
+
+int amd_gpio_resume(struct device *dev)
+{
+   struct platform_device *pdev = to_platform_device(dev);
+   struct amd_gpio *gpio_dev = platform_get_drvdata(pdev);
+   struct pinctrl_desc *desc = gpio_dev->pctrl->desc;
+   int i;
+
+   for (i = 0; i < desc->npins; i++) {
+   int pin = desc->pins[i].number;
+
+   if (!amd_gpio_should_save(gpio_dev, pin))
+   continue;
+
+   writel(gpio_dev->saved_regs[i], gpio_dev->base + pin*4);
+   }
+
+   return 0;
+}
+
+static const struct dev_pm_ops amd_gpio_pm_ops = {
+   SET_LATE_SYSTEM_SLEEP_PM_OPS(amd_gpio_suspend,
+amd_gpio_resume)
+};
+#endif
+
 static struct pinctrl_desc amd_pinctrl_desc = {
.pins   = kerncz_pins,
.npins = ARRAY_SIZE(kerncz_pins),
@@ -751,6 +815,14 @@ static int amd_gpio_probe(struct platfor
return -EINVAL;
}
 
+#ifdef CONFIG_PM_SLEEP
+   gpio_dev->saved_regs = devm_kcalloc(>dev, amd_pinctrl_desc.npins,
+   sizeof(*gpio_dev->saved_regs),
+   GFP_KERNEL);
+   if (!gpio_dev->saved_regs)
+   return -ENOMEM;
+#endif
+
gpio_dev->pdev = pdev;
gpio_dev->gc.direction_input= amd_gpio_direction_input;
gpio_dev->gc.direction_output   = amd_gpio_direction_output;
@@ -839,6 +911,9 @@ static struct platform_driver amd_gpio_d
.driver = {
.name   = "amd_gpio",
.acpi_match_table = ACPI_PTR(amd_gpio_acpi_match),
+#ifdef CONFIG_PM_SLEEP
+   .pm = _gpio_pm_ops,
+#endif
},
.probe  = amd_gpio_probe,
.remove = amd_gpio_remove,
--- a/drivers/pinctrl/pinctrl-amd.h
+++ b/drivers/pinctrl/pinctrl-amd.h
@@ -95,6 +95,7 @@ struct amd_gpio {
struct gpio_chipgc;
struct resource *res;
struct platform_device  *pdev;
+   u32 *saved_regs;
 };
 
 /*  KERNCZ configuration*/

[PATCH 4.9 13/77] MIPS: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix quiet NaN propagation

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit e78bf0dc4789bdea1453595ae89e8db65918e22e upstream.

Fix the value returned by . fd,fs,ft, if both
inputs are quiet NaNs. The . specifications
state that the returned value in such cases should be the quiet NaN
contained in register fs.

A relevant example:

MAX.S fd,fs,ft:
  If fs contains qNaN1, and ft contains qNaN2, fd is going to contain
  qNaN1 (without this patch, it used to contain qNaN2).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16880/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |   32 
 arch/mips/math-emu/dp_fmin.c |   32 
 arch/mips/math-emu/sp_fmax.c |   32 
 arch/mips/math-emu/sp_fmin.c |   32 
 4 files changed, 112 insertions(+), 16 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -47,14 +47,26 @@ union ieee754dp ieee754dp_fmax(union iee
case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_INF):
return ieee754dp_nanxcpt(x);
 
-   /* numbers are preferred to NaNs */
+   /*
+* Quiet NaN handling
+*/
+
+   /*
+*The case of both inputs quiet NaNs
+*/
+   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
+   return x;
+
+   /*
+*The cases of exactly one input quiet NaN (numbers
+*are here preferred as returned values to NaNs)
+*/
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_QNAN):
return x;
 
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_DNORM):
@@ -147,14 +159,26 @@ union ieee754dp ieee754dp_fmaxa(union ie
case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_INF):
return ieee754dp_nanxcpt(x);
 
-   /* numbers are preferred to NaNs */
+   /*
+* Quiet NaN handling
+*/
+
+   /*
+*The case of both inputs quiet NaNs
+*/
+   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
+   return x;
+
+   /*
+*The cases of exactly one input quiet NaN (numbers
+*are here preferred as returned values to NaNs)
+*/
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_QNAN):
return x;
 
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_DNORM):
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -47,14 +47,26 @@ union ieee754dp ieee754dp_fmin(union iee
case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_INF):
return ieee754dp_nanxcpt(x);
 
-   /* numbers are preferred to NaNs */
+   /*
+* Quiet NaN handling
+*/
+
+   /*
+*The case of both inputs quiet NaNs
+*/
+   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
+   return x;
+
+   /*
+*The cases of exactly one input quiet NaN (numbers
+*are here preferred as returned values to NaNs)
+*/
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_QNAN):
   

[PATCH 4.9 11/77] pinctrl/amd: save pin registers over suspend/resume

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Daniel Drake 

commit 79d2c8bede2c93f9432d7da0bc2f76a195c90fc0 upstream.

The touchpad in the Asus laptop models X505BA/BP and X542BA/BP is
unresponsive after suspend/resume. The following error appears during
resume:

  i2c_hid i2c-ELAN1300:00: failed to reset device.

The problem here is that i2c_hid does not notice the interrupt being
generated at this point, because the GPIO is no longer configured
for interrupts.

Fix this by saving pinctrl-amd pin registers during suspend and
restoring them at resume time.

Based on code from pinctrl-intel.

Signed-off-by: Daniel Drake 
Signed-off-by: Linus Walleij 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/pinctrl/pinctrl-amd.c |   75 ++
 drivers/pinctrl/pinctrl-amd.h |1 
 2 files changed, 76 insertions(+)

--- a/drivers/pinctrl/pinctrl-amd.c
+++ b/drivers/pinctrl/pinctrl-amd.c
@@ -32,6 +32,7 @@
 #include 
 #include 
 
+#include "core.h"
 #include "pinctrl-utils.h"
 #include "pinctrl-amd.h"
 
@@ -712,6 +713,69 @@ static const struct pinconf_ops amd_pinc
.pin_config_group_set = amd_pinconf_group_set,
 };
 
+#ifdef CONFIG_PM_SLEEP
+static bool amd_gpio_should_save(struct amd_gpio *gpio_dev, unsigned int pin)
+{
+   const struct pin_desc *pd = pin_desc_get(gpio_dev->pctrl, pin);
+
+   if (!pd)
+   return false;
+
+   /*
+* Only restore the pin if it is actually in use by the kernel (or
+* by userspace).
+*/
+   if (pd->mux_owner || pd->gpio_owner ||
+   gpiochip_line_is_irq(_dev->gc, pin))
+   return true;
+
+   return false;
+}
+
+int amd_gpio_suspend(struct device *dev)
+{
+   struct platform_device *pdev = to_platform_device(dev);
+   struct amd_gpio *gpio_dev = platform_get_drvdata(pdev);
+   struct pinctrl_desc *desc = gpio_dev->pctrl->desc;
+   int i;
+
+   for (i = 0; i < desc->npins; i++) {
+   int pin = desc->pins[i].number;
+
+   if (!amd_gpio_should_save(gpio_dev, pin))
+   continue;
+
+   gpio_dev->saved_regs[i] = readl(gpio_dev->base + pin*4);
+   }
+
+   return 0;
+}
+
+int amd_gpio_resume(struct device *dev)
+{
+   struct platform_device *pdev = to_platform_device(dev);
+   struct amd_gpio *gpio_dev = platform_get_drvdata(pdev);
+   struct pinctrl_desc *desc = gpio_dev->pctrl->desc;
+   int i;
+
+   for (i = 0; i < desc->npins; i++) {
+   int pin = desc->pins[i].number;
+
+   if (!amd_gpio_should_save(gpio_dev, pin))
+   continue;
+
+   writel(gpio_dev->saved_regs[i], gpio_dev->base + pin*4);
+   }
+
+   return 0;
+}
+
+static const struct dev_pm_ops amd_gpio_pm_ops = {
+   SET_LATE_SYSTEM_SLEEP_PM_OPS(amd_gpio_suspend,
+amd_gpio_resume)
+};
+#endif
+
 static struct pinctrl_desc amd_pinctrl_desc = {
.pins   = kerncz_pins,
.npins = ARRAY_SIZE(kerncz_pins),
@@ -751,6 +815,14 @@ static int amd_gpio_probe(struct platfor
return -EINVAL;
}
 
+#ifdef CONFIG_PM_SLEEP
+   gpio_dev->saved_regs = devm_kcalloc(>dev, amd_pinctrl_desc.npins,
+   sizeof(*gpio_dev->saved_regs),
+   GFP_KERNEL);
+   if (!gpio_dev->saved_regs)
+   return -ENOMEM;
+#endif
+
gpio_dev->pdev = pdev;
gpio_dev->gc.direction_input= amd_gpio_direction_input;
gpio_dev->gc.direction_output   = amd_gpio_direction_output;
@@ -839,6 +911,9 @@ static struct platform_driver amd_gpio_d
.driver = {
.name   = "amd_gpio",
.acpi_match_table = ACPI_PTR(amd_gpio_acpi_match),
+#ifdef CONFIG_PM_SLEEP
+   .pm = _gpio_pm_ops,
+#endif
},
.probe  = amd_gpio_probe,
.remove = amd_gpio_remove,
--- a/drivers/pinctrl/pinctrl-amd.h
+++ b/drivers/pinctrl/pinctrl-amd.h
@@ -95,6 +95,7 @@ struct amd_gpio {
struct gpio_chipgc;
struct resource *res;
struct platform_device  *pdev;
+   u32 *saved_regs;
 };
 
 /*  KERNCZ configuration*/

[PATCH 4.9 13/77] MIPS: math-emu: .: Fix quiet NaN propagation

[Greg Kroah-Hartman]

4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit e78bf0dc4789bdea1453595ae89e8db65918e22e upstream.

Fix the value returned by . fd,fs,ft, if both
inputs are quiet NaNs. The . specifications
state that the returned value in such cases should be the quiet NaN
contained in register fs.

A relevant example:

MAX.S fd,fs,ft:
  If fs contains qNaN1, and ft contains qNaN2, fd is going to contain
  qNaN1 (without this patch, it used to contain qNaN2).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16880/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |   32 
 arch/mips/math-emu/dp_fmin.c |   32 
 arch/mips/math-emu/sp_fmax.c |   32 
 arch/mips/math-emu/sp_fmin.c |   32 
 4 files changed, 112 insertions(+), 16 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -47,14 +47,26 @@ union ieee754dp ieee754dp_fmax(union iee
case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_INF):
return ieee754dp_nanxcpt(x);
 
-   /* numbers are preferred to NaNs */
+   /*
+* Quiet NaN handling
+*/
+
+   /*
+*The case of both inputs quiet NaNs
+*/
+   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
+   return x;
+
+   /*
+*The cases of exactly one input quiet NaN (numbers
+*are here preferred as returned values to NaNs)
+*/
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_QNAN):
return x;
 
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_DNORM):
@@ -147,14 +159,26 @@ union ieee754dp ieee754dp_fmaxa(union ie
case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_INF):
return ieee754dp_nanxcpt(x);
 
-   /* numbers are preferred to NaNs */
+   /*
+* Quiet NaN handling
+*/
+
+   /*
+*The case of both inputs quiet NaNs
+*/
+   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
+   return x;
+
+   /*
+*The cases of exactly one input quiet NaN (numbers
+*are here preferred as returned values to NaNs)
+*/
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_QNAN):
return x;
 
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_DNORM):
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -47,14 +47,26 @@ union ieee754dp ieee754dp_fmin(union iee
case CLPAIR(IEEE754_CLASS_SNAN, IEEE754_CLASS_INF):
return ieee754dp_nanxcpt(x);
 
-   /* numbers are preferred to NaNs */
+   /*
+* Quiet NaN handling
+*/
+
+   /*
+*The case of both inputs quiet NaNs
+*/
+   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
+   return x;
+
+   /*
+*The cases of exactly one input quiet NaN (numbers
+*are here preferred as returned values to NaNs)
+*/
case CLPAIR(IEEE754_CLASS_ZERO, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_NORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_DNORM, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_INF, IEEE754_CLASS_QNAN):
return x;
 
-   case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_QNAN):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_ZERO):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_NORM):
case CLPAIR(IEEE754_CLASS_QNAN, IEEE754_CLASS_DNORM):
@@ -147,14 +159,26 @@ union ieee754dp ieee754dp_fmina(union ie
case CLPAIR(IEEE754_CLASS_SNAN, 

[PATCH 4.4 34/66] skd: Submit requests to firmware before triggering the doorbell

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Bart Van Assche 

commit 5fbd545cd3fd311ea1d6e8be4ce0ee5684c7 upstream.

Ensure that the members of struct skd_msg_buf have been transferred
to the PCIe adapter before the doorbell is triggered. This patch
avoids that I/O fails sporadically and that the following error
message is reported:

(skd0:STM000196603:[:00:09.0]): Completion mismatch comp_id=0x 
skreq=0x0400 new=0x

Signed-off-by: Bart Van Assche 
Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
Cc: Johannes Thumshirn 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/block/skd_main.c |6 ++
 1 file changed, 6 insertions(+)

--- a/drivers/block/skd_main.c
+++ b/drivers/block/skd_main.c
@@ -2214,6 +2214,9 @@ static void skd_send_fitmsg(struct skd_d
 */
qcmd |= FIT_QCMD_MSGSIZE_64;
 
+   /* Make sure skd_msg_buf is written before the doorbell is triggered. */
+   smp_wmb();
+
SKD_WRITEQ(skdev, qcmd, FIT_Q_COMMAND);
 
 }
@@ -2260,6 +2263,9 @@ static void skd_send_special_fitmsg(stru
qcmd = skspcl->mb_dma_address;
qcmd |= FIT_QCMD_QID_NORMAL + FIT_QCMD_MSGSIZE_128;
 
+   /* Make sure skd_msg_buf is written before the doorbell is triggered. */
+   smp_wmb();
+
SKD_WRITEQ(skdev, qcmd, FIT_Q_COMMAND);
 }
 

[PATCH 4.4 34/66] skd: Submit requests to firmware before triggering the doorbell

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Bart Van Assche 

commit 5fbd545cd3fd311ea1d6e8be4ce0ee5684c7 upstream.

Ensure that the members of struct skd_msg_buf have been transferred
to the PCIe adapter before the doorbell is triggered. This patch
avoids that I/O fails sporadically and that the following error
message is reported:

(skd0:STM000196603:[:00:09.0]): Completion mismatch comp_id=0x 
skreq=0x0400 new=0x

Signed-off-by: Bart Van Assche 
Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
Cc: Johannes Thumshirn 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/block/skd_main.c |6 ++
 1 file changed, 6 insertions(+)

--- a/drivers/block/skd_main.c
+++ b/drivers/block/skd_main.c
@@ -2214,6 +2214,9 @@ static void skd_send_fitmsg(struct skd_d
 */
qcmd |= FIT_QCMD_MSGSIZE_64;
 
+   /* Make sure skd_msg_buf is written before the doorbell is triggered. */
+   smp_wmb();
+
SKD_WRITEQ(skdev, qcmd, FIT_Q_COMMAND);
 
 }
@@ -2260,6 +2263,9 @@ static void skd_send_special_fitmsg(stru
qcmd = skspcl->mb_dma_address;
qcmd |= FIT_QCMD_QID_NORMAL + FIT_QCMD_MSGSIZE_128;
 
+   /* Make sure skd_msg_buf is written before the doorbell is triggered. */
+   smp_wmb();
+
SKD_WRITEQ(skdev, qcmd, FIT_Q_COMMAND);
 }
 

[PATCH 4.4 53/66] tracing: Apply trace_clock changes to instance max buffer

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Baohong Liu 

commit 170b3b1050e28d1ba0700e262f0899ffa4fccc52 upstream.

Currently trace_clock timestamps are applied to both regular and max
buffers only for global trace. For instance trace, trace_clock
timestamps are applied only to regular buffer. But, regular and max
buffers can be swapped, for example, following a snapshot. So, for
instance trace, bad timestamps can be seen following a snapshot.
Let's apply trace_clock timestamps to instance max buffer as well.

Link: 
http://lkml.kernel.org/r/ebdb168d0be042dcdf51f81e696b17fabe3609c1.1504642143.git.tom.zanu...@linux.intel.com

Fixes: 277ba0446 ("tracing: Add interface to allow multiple trace buffers")
Signed-off-by: Baohong Liu 
Signed-off-by: Steven Rostedt (VMware) 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/trace/trace.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -5237,7 +5237,7 @@ static int tracing_set_clock(struct trac
tracing_reset_online_cpus(>trace_buffer);
 
 #ifdef CONFIG_TRACER_MAX_TRACE
-   if (tr->flags & TRACE_ARRAY_FL_GLOBAL && tr->max_buffer.buffer)
+   if (tr->max_buffer.buffer)
ring_buffer_set_clock(tr->max_buffer.buffer, 
trace_clocks[i].func);
tracing_reset_online_cpus(>max_buffer);
 #endif

[PATCH 4.4 53/66] tracing: Apply trace_clock changes to instance max buffer

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Baohong Liu 

commit 170b3b1050e28d1ba0700e262f0899ffa4fccc52 upstream.

Currently trace_clock timestamps are applied to both regular and max
buffers only for global trace. For instance trace, trace_clock
timestamps are applied only to regular buffer. But, regular and max
buffers can be swapped, for example, following a snapshot. So, for
instance trace, bad timestamps can be seen following a snapshot.
Let's apply trace_clock timestamps to instance max buffer as well.

Link: 
http://lkml.kernel.org/r/ebdb168d0be042dcdf51f81e696b17fabe3609c1.1504642143.git.tom.zanu...@linux.intel.com

Fixes: 277ba0446 ("tracing: Add interface to allow multiple trace buffers")
Signed-off-by: Baohong Liu 
Signed-off-by: Steven Rostedt (VMware) 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/trace/trace.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -5237,7 +5237,7 @@ static int tracing_set_clock(struct trac
tracing_reset_online_cpus(>trace_buffer);
 
 #ifdef CONFIG_TRACER_MAX_TRACE
-   if (tr->flags & TRACE_ARRAY_FL_GLOBAL && tr->max_buffer.buffer)
+   if (tr->max_buffer.buffer)
ring_buffer_set_clock(tr->max_buffer.buffer, 
trace_clocks[i].func);
tracing_reset_online_cpus(>max_buffer);
 #endif

[PATCH 4.4 55/66] PCI: shpchp: Enable bridge bus mastering if MSI is enabled

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandr Bezzubikov 

commit 48b79a14505349a29b3e20f03619ada9b33c4b17 upstream.

An SHPC may generate MSIs to notify software about slot or controller
events (SHPC spec r1.0, sec 4.7).  A PCI device can only generate an MSI if
it has bus mastering enabled.

Enable bus mastering if the bridge contains an SHPC that uses MSI for event
notifications.

Signed-off-by: Aleksandr Bezzubikov 
[bhelgaas: changelog]
Signed-off-by: Bjorn Helgaas 
Reviewed-by: Marcel Apfelbaum 
Acked-by: Michael S. Tsirkin 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/pci/hotplug/shpchp_hpc.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/pci/hotplug/shpchp_hpc.c
+++ b/drivers/pci/hotplug/shpchp_hpc.c
@@ -1062,6 +1062,8 @@ int shpc_init(struct controller *ctrl, s
if (rc) {
ctrl_info(ctrl, "Can't get msi for the hotplug 
controller\n");
ctrl_info(ctrl, "Use INTx for the hotplug 
controller\n");
+   } else {
+   pci_set_master(pdev);
}
 
rc = request_irq(ctrl->pci_dev->irq, shpc_isr, IRQF_SHARED,

[PATCH 4.4 63/66] bcache: fix for gc and write-back race

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Tang Junhui 

commit 9baf30972b5568d8b5bc8b3c46a6ec5b58100463 upstream.

gc and write-back get raced (see the email "bcache get stucked" I sended
before):
gc thread   write-back thread
|   |bch_writeback_thread()
|bch_gc_thread()|
|   |==>read_dirty()
|==>bch_btree_gc()  |
|==>btree_root() //get btree root   |
|//node write locker|
|==>bch_btree_gc_root() |
|   |==>read_dirty_submit()
|   |==>write_dirty()
|   |==>continue_at(cl,
|   |   write_dirty_finish,
|   |   system_wq);
|   |==>write_dirty_finish()//excute
|   |   //in system_wq
|   |==>bch_btree_insert()
|   |==>bch_btree_map_leaf_nodes()
|   |==>__bch_btree_map_nodes()
|   |==>btree_root //try to get btree
|   |  //root node read
|   |  //lock
|   |-stuck here
|==>bch_btree_set_root()
|==>bch_journal_meta()
|==>bch_journal()
|==>journal_try_write()
|==>journal_write_unlocked() //journal_full(>journal)
|//condition satisfied
|==>continue_at(cl, journal_write, system_wq); //try to excute
|   //journal_write in system_wq
|   //but work queue is excuting
|   //write_dirty_finish()
|==>closure_sync(); //wait journal_write execute
|   //over and wake up gc,
|-stuck here
|==>release root node write locker

This patch alloc a separate work-queue for write-back thread to avoid such
race.

(Commit log re-organized by Coly Li to pass checkpatch.pl checking)

Signed-off-by: Tang Junhui 
Acked-by: Coly Li 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/bcache.h|1 +
 drivers/md/bcache/super.c |2 ++
 drivers/md/bcache/writeback.c |9 +++--
 3 files changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/md/bcache/bcache.h
+++ b/drivers/md/bcache/bcache.h
@@ -333,6 +333,7 @@ struct cached_dev {
/* Limit number of writeback bios in flight */
struct semaphorein_flight;
struct task_struct  *writeback_thread;
+   struct workqueue_struct *writeback_write_wq;
 
struct keybuf   writeback_keys;
 
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1056,6 +1056,8 @@ static void cached_dev_free(struct closu
cancel_delayed_work_sync(>writeback_rate_update);
if (!IS_ERR_OR_NULL(dc->writeback_thread))
kthread_stop(dc->writeback_thread);
+   if (dc->writeback_write_wq)
+   destroy_workqueue(dc->writeback_write_wq);
 
mutex_lock(_register_lock);
 
--- a/drivers/md/bcache/writeback.c
+++ b/drivers/md/bcache/writeback.c
@@ -191,7 +191,7 @@ static void write_dirty(struct closure *
 
closure_bio_submit(>bio, cl);
 
-   continue_at(cl, write_dirty_finish, system_wq);
+   continue_at(cl, write_dirty_finish, io->dc->writeback_write_wq);
 }
 
 static void read_dirty_endio(struct bio *bio)
@@ -211,7 +211,7 @@ static void read_dirty_submit(struct clo
 
closure_bio_submit(>bio, cl);
 
-   continue_at(cl, write_dirty, system_wq);
+   continue_at(cl, write_dirty, io->dc->writeback_write_wq);
 }
 
 static void read_dirty(struct cached_dev *dc)
@@ -523,6 +523,11 @@ void bch_cached_dev_writeback_init(struc
 
 int bch_cached_dev_writeback_start(struct cached_dev *dc)
 {
+   dc->writeback_write_wq = alloc_workqueue("bcache_writeback_wq",
+   WQ_MEM_RECLAIM, 0);
+   if (!dc->writeback_write_wq)
+   return -ENOMEM;
+
dc->writeback_thread = kthread_create(bch_writeback_thread, dc,
  "bcache_writeback");
if (IS_ERR(dc->writeback_thread))

[PATCH 4.4 61/66] bcache: correct cache_dirty_target in __update_writeback_rate()

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Tang Junhui 

commit a8394090a9129b40f9d90dcb7f4a49d60c727ca6 upstream.

__update_write_rate() uses a Proportion-Differentiation Controller
algorithm to control writeback rate. A dirty target number is used in
this PD controller to control writeback rate. A larger target number
will make the writeback rate smaller, on the versus, a smaller target
number will make the writeback rate larger.

bcache uses the following steps to calculate the target number,
1) cache_sectors = all-buckets-of-cache-set * buckets-size
2) cache_dirty_target = cache_sectors * cached-device-writeback_percent
3) target = cache_dirty_target *
(sectors-of-cached-device/sectors-of-all-cached-devices-of-this-cache-set)

The calculation at step 1) for cache_sectors is incorrect, which does
not consider dirty blocks occupied by flash only volume.

A flash only volume can be took as a bcache device without cached
device. All data sectors allocated for it are persistent on cache device
and marked dirty, they are not touched by bcache writeback and garbage
collection code. So data blocks of flash only volume should be ignore
when calculating cache_sectors of cache set.

Current code does not subtract dirty sectors of flash only volume, which
results a larger target number from the above 3 steps. And in sequence
the cache device's writeback rate is smaller then a correct value,
writeback speed is slower on all cached devices.

This patch fixes the incorrect slower writeback rate by subtracting
dirty sectors of flash only volumes in __update_writeback_rate().

(Commit log composed by Coly Li to pass checkpatch.pl checking)

Signed-off-by: Tang Junhui 
Reviewed-by: Coly Li 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/writeback.c |3 ++-
 drivers/md/bcache/writeback.h |   19 +++
 2 files changed, 21 insertions(+), 1 deletion(-)

--- a/drivers/md/bcache/writeback.c
+++ b/drivers/md/bcache/writeback.c
@@ -21,7 +21,8 @@
 static void __update_writeback_rate(struct cached_dev *dc)
 {
struct cache_set *c = dc->disk.c;
-   uint64_t cache_sectors = c->nbuckets * c->sb.bucket_size;
+   uint64_t cache_sectors = c->nbuckets * c->sb.bucket_size -
+   bcache_flash_devs_sectors_dirty(c);
uint64_t cache_dirty_target =
div_u64(cache_sectors * dc->writeback_percent, 100);
 
--- a/drivers/md/bcache/writeback.h
+++ b/drivers/md/bcache/writeback.h
@@ -14,6 +14,25 @@ static inline uint64_t bcache_dev_sector
return ret;
 }
 
+static inline uint64_t  bcache_flash_devs_sectors_dirty(struct cache_set *c)
+{
+   uint64_t i, ret = 0;
+
+   mutex_lock(_register_lock);
+
+   for (i = 0; i < c->nr_uuids; i++) {
+   struct bcache_device *d = c->devices[i];
+
+   if (!d || !UUID_FLASH_ONLY(>uuids[i]))
+   continue;
+  ret += bcache_dev_sectors_dirty(d);
+   }
+
+   mutex_unlock(_register_lock);
+
+   return ret;
+}
+
 static inline unsigned offset_to_stripe(struct bcache_device *d,
uint64_t offset)
 {

[PATCH 4.4 55/66] PCI: shpchp: Enable bridge bus mastering if MSI is enabled

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandr Bezzubikov 

commit 48b79a14505349a29b3e20f03619ada9b33c4b17 upstream.

An SHPC may generate MSIs to notify software about slot or controller
events (SHPC spec r1.0, sec 4.7).  A PCI device can only generate an MSI if
it has bus mastering enabled.

Enable bus mastering if the bridge contains an SHPC that uses MSI for event
notifications.

Signed-off-by: Aleksandr Bezzubikov 
[bhelgaas: changelog]
Signed-off-by: Bjorn Helgaas 
Reviewed-by: Marcel Apfelbaum 
Acked-by: Michael S. Tsirkin 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/pci/hotplug/shpchp_hpc.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/pci/hotplug/shpchp_hpc.c
+++ b/drivers/pci/hotplug/shpchp_hpc.c
@@ -1062,6 +1062,8 @@ int shpc_init(struct controller *ctrl, s
if (rc) {
ctrl_info(ctrl, "Can't get msi for the hotplug 
controller\n");
ctrl_info(ctrl, "Use INTx for the hotplug 
controller\n");
+   } else {
+   pci_set_master(pdev);
}
 
rc = request_irq(ctrl->pci_dev->irq, shpc_isr, IRQF_SHARED,

[PATCH 4.4 63/66] bcache: fix for gc and write-back race

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Tang Junhui 

commit 9baf30972b5568d8b5bc8b3c46a6ec5b58100463 upstream.

gc and write-back get raced (see the email "bcache get stucked" I sended
before):
gc thread   write-back thread
|   |bch_writeback_thread()
|bch_gc_thread()|
|   |==>read_dirty()
|==>bch_btree_gc()  |
|==>btree_root() //get btree root   |
|//node write locker|
|==>bch_btree_gc_root() |
|   |==>read_dirty_submit()
|   |==>write_dirty()
|   |==>continue_at(cl,
|   |   write_dirty_finish,
|   |   system_wq);
|   |==>write_dirty_finish()//excute
|   |   //in system_wq
|   |==>bch_btree_insert()
|   |==>bch_btree_map_leaf_nodes()
|   |==>__bch_btree_map_nodes()
|   |==>btree_root //try to get btree
|   |  //root node read
|   |  //lock
|   |-stuck here
|==>bch_btree_set_root()
|==>bch_journal_meta()
|==>bch_journal()
|==>journal_try_write()
|==>journal_write_unlocked() //journal_full(>journal)
|//condition satisfied
|==>continue_at(cl, journal_write, system_wq); //try to excute
|   //journal_write in system_wq
|   //but work queue is excuting
|   //write_dirty_finish()
|==>closure_sync(); //wait journal_write execute
|   //over and wake up gc,
|-stuck here
|==>release root node write locker

This patch alloc a separate work-queue for write-back thread to avoid such
race.

(Commit log re-organized by Coly Li to pass checkpatch.pl checking)

Signed-off-by: Tang Junhui 
Acked-by: Coly Li 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/bcache.h|1 +
 drivers/md/bcache/super.c |2 ++
 drivers/md/bcache/writeback.c |9 +++--
 3 files changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/md/bcache/bcache.h
+++ b/drivers/md/bcache/bcache.h
@@ -333,6 +333,7 @@ struct cached_dev {
/* Limit number of writeback bios in flight */
struct semaphorein_flight;
struct task_struct  *writeback_thread;
+   struct workqueue_struct *writeback_write_wq;
 
struct keybuf   writeback_keys;
 
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1056,6 +1056,8 @@ static void cached_dev_free(struct closu
cancel_delayed_work_sync(>writeback_rate_update);
if (!IS_ERR_OR_NULL(dc->writeback_thread))
kthread_stop(dc->writeback_thread);
+   if (dc->writeback_write_wq)
+   destroy_workqueue(dc->writeback_write_wq);
 
mutex_lock(_register_lock);
 
--- a/drivers/md/bcache/writeback.c
+++ b/drivers/md/bcache/writeback.c
@@ -191,7 +191,7 @@ static void write_dirty(struct closure *
 
closure_bio_submit(>bio, cl);
 
-   continue_at(cl, write_dirty_finish, system_wq);
+   continue_at(cl, write_dirty_finish, io->dc->writeback_write_wq);
 }
 
 static void read_dirty_endio(struct bio *bio)
@@ -211,7 +211,7 @@ static void read_dirty_submit(struct clo
 
closure_bio_submit(>bio, cl);
 
-   continue_at(cl, write_dirty, system_wq);
+   continue_at(cl, write_dirty, io->dc->writeback_write_wq);
 }
 
 static void read_dirty(struct cached_dev *dc)
@@ -523,6 +523,11 @@ void bch_cached_dev_writeback_init(struc
 
 int bch_cached_dev_writeback_start(struct cached_dev *dc)
 {
+   dc->writeback_write_wq = alloc_workqueue("bcache_writeback_wq",
+   WQ_MEM_RECLAIM, 0);
+   if (!dc->writeback_write_wq)
+   return -ENOMEM;
+
dc->writeback_thread = kthread_create(bch_writeback_thread, dc,
  "bcache_writeback");
if (IS_ERR(dc->writeback_thread))

[PATCH 4.4 61/66] bcache: correct cache_dirty_target in __update_writeback_rate()

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Tang Junhui 

commit a8394090a9129b40f9d90dcb7f4a49d60c727ca6 upstream.

__update_write_rate() uses a Proportion-Differentiation Controller
algorithm to control writeback rate. A dirty target number is used in
this PD controller to control writeback rate. A larger target number
will make the writeback rate smaller, on the versus, a smaller target
number will make the writeback rate larger.

bcache uses the following steps to calculate the target number,
1) cache_sectors = all-buckets-of-cache-set * buckets-size
2) cache_dirty_target = cache_sectors * cached-device-writeback_percent
3) target = cache_dirty_target *
(sectors-of-cached-device/sectors-of-all-cached-devices-of-this-cache-set)

The calculation at step 1) for cache_sectors is incorrect, which does
not consider dirty blocks occupied by flash only volume.

A flash only volume can be took as a bcache device without cached
device. All data sectors allocated for it are persistent on cache device
and marked dirty, they are not touched by bcache writeback and garbage
collection code. So data blocks of flash only volume should be ignore
when calculating cache_sectors of cache set.

Current code does not subtract dirty sectors of flash only volume, which
results a larger target number from the above 3 steps. And in sequence
the cache device's writeback rate is smaller then a correct value,
writeback speed is slower on all cached devices.

This patch fixes the incorrect slower writeback rate by subtracting
dirty sectors of flash only volumes in __update_writeback_rate().

(Commit log composed by Coly Li to pass checkpatch.pl checking)

Signed-off-by: Tang Junhui 
Reviewed-by: Coly Li 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/md/bcache/writeback.c |3 ++-
 drivers/md/bcache/writeback.h |   19 +++
 2 files changed, 21 insertions(+), 1 deletion(-)

--- a/drivers/md/bcache/writeback.c
+++ b/drivers/md/bcache/writeback.c
@@ -21,7 +21,8 @@
 static void __update_writeback_rate(struct cached_dev *dc)
 {
struct cache_set *c = dc->disk.c;
-   uint64_t cache_sectors = c->nbuckets * c->sb.bucket_size;
+   uint64_t cache_sectors = c->nbuckets * c->sb.bucket_size -
+   bcache_flash_devs_sectors_dirty(c);
uint64_t cache_dirty_target =
div_u64(cache_sectors * dc->writeback_percent, 100);
 
--- a/drivers/md/bcache/writeback.h
+++ b/drivers/md/bcache/writeback.h
@@ -14,6 +14,25 @@ static inline uint64_t bcache_dev_sector
return ret;
 }
 
+static inline uint64_t  bcache_flash_devs_sectors_dirty(struct cache_set *c)
+{
+   uint64_t i, ret = 0;
+
+   mutex_lock(_register_lock);
+
+   for (i = 0; i < c->nr_uuids; i++) {
+   struct bcache_device *d = c->devices[i];
+
+   if (!d || !UUID_FLASH_ONLY(>uuids[i]))
+   continue;
+  ret += bcache_dev_sectors_dirty(d);
+   }
+
+   mutex_unlock(_register_lock);
+
+   return ret;
+}
+
 static inline unsigned offset_to_stripe(struct bcache_device *d,
uint64_t offset)
 {

[PATCH 4.4 09/66] gianfar: Fix Tx flow control deactivation

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Claudiu Manoil 


[ Upstream commit 5d621672bc1a1e5090c1ac5432a18c79e0e13e03 ]

The wrong register is checked for the Tx flow control bit,
it should have been maccfg1 not maccfg2.
This went unnoticed for so long probably because the impact is
hardly visible, not to mention the tangled code from adjust_link().
First, link flow control (i.e. handling of Rx/Tx link level pause frames)
is disabled by default (needs to be enabled via 'ethtool -A').
Secondly, maccfg2 always returns 0 for tx_flow_oldval (except for a few
old boards), which results in Tx flow control remaining always on
once activated.

Fixes: 45b679c9a3ccd9e34f28e6ec677b812a860eb8eb ("gianfar: Implement PAUSE 
frame generation support")
Signed-off-by: Claudiu Manoil 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/freescale/gianfar.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/freescale/gianfar.c
+++ b/drivers/net/ethernet/freescale/gianfar.c
@@ -3676,7 +3676,7 @@ static noinline void gfar_update_link_st
u32 tempval1 = gfar_read(>maccfg1);
u32 tempval = gfar_read(>maccfg2);
u32 ecntrl = gfar_read(>ecntrl);
-   u32 tx_flow_oldval = (tempval & MACCFG1_TX_FLOW);
+   u32 tx_flow_oldval = (tempval1 & MACCFG1_TX_FLOW);
 
if (phydev->duplex != priv->oldduplex) {
if (!(phydev->duplex))

[PATCH 4.4 18/66] tty: improve tty_insert_flip_char() slow path

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Arnd Bergmann 

commit 065ea0a7afd64d6cf3464bdd1d8cd227527e2045 upstream.

While working on improving the fast path of tty_insert_flip_char(),
I noticed that by calling tty_buffer_request_room(), we needlessly
move to the separate flag buffer mode for the tty, even when all
characters use TTY_NORMAL as the flag.

This changes the code to call __tty_buffer_request_room() with the
correct flag, which will then allocate a regular buffer when it rounds
out of space but no special flags have been used. I'm guessing that
this is the behavior that Peter Hurley intended when he introduced
the compacted flip buffers.

Fixes: acc0f67f307f ("tty: Halve flip buffer GFP_ATOMIC memory consumption")
Cc: Peter Hurley 
Signed-off-by: Arnd Bergmann 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/tty/tty_buffer.c |5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/tty/tty_buffer.c
+++ b/drivers/tty/tty_buffer.c
@@ -375,10 +375,11 @@ int __tty_insert_flip_char(struct tty_po
struct tty_buffer *tb = port->buf.tail;
int flags = (flag == TTY_NORMAL) ? TTYB_NORMAL : 0;
 
-   if (!tty_buffer_request_room(port, 1))
+   if (!__tty_buffer_request_room(port, 1, flags))
return 0;
 
-   *flag_buf_ptr(tb, tb->used) = flag;
+   if (~tb->flags & TTYB_NORMAL)
+   *flag_buf_ptr(tb, tb->used) = flag;
*char_buf_ptr(tb, tb->used++) = ch;
 
return 1;

[PATCH 4.4 13/66] x86/fsgsbase/64: Report FSBASE and GSBASE correctly in core dumps

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Andy Lutomirski 

commit 9584d98bed7a7a904d0702ad06bbcc94703cb5b4 upstream.

In ELF_COPY_CORE_REGS, we're copying from the current task, so
accessing thread.fsbase and thread.gsbase makes no sense.  Just read
the values from the CPU registers.

In practice, the old code would have been correct most of the time
simply because thread.fsbase and thread.gsbase usually matched the
CPU registers.

Signed-off-by: Andy Lutomirski 
Cc: Borislav Petkov 
Cc: Borislav Petkov 
Cc: Brian Gerst 
Cc: Chang Seok 
Cc: Denys Vlasenko 
Cc: H. Peter Anvin 
Cc: Josh Poimboeuf 
Cc: Linus Torvalds 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Signed-off-by: Ingo Molnar 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/include/asm/elf.h |5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/arch/x86/include/asm/elf.h
+++ b/arch/x86/include/asm/elf.h
@@ -204,6 +204,7 @@ void set_personality_ia32(bool);
 
 #define ELF_CORE_COPY_REGS(pr_reg, regs)   \
 do {   \
+   unsigned long base; \
unsigned v; \
(pr_reg)[0] = (regs)->r15;  \
(pr_reg)[1] = (regs)->r14;  \
@@ -226,8 +227,8 @@ do {
\
(pr_reg)[18] = (regs)->flags;   \
(pr_reg)[19] = (regs)->sp;  \
(pr_reg)[20] = (regs)->ss;  \
-   (pr_reg)[21] = current->thread.fs;  \
-   (pr_reg)[22] = current->thread.gs;  \
+   rdmsrl(MSR_FS_BASE, base); (pr_reg)[21] = base; \
+   rdmsrl(MSR_KERNEL_GS_BASE, base); (pr_reg)[22] = base;  \
asm("movl %%ds,%0" : "=r" (v)); (pr_reg)[23] = v;   \
asm("movl %%es,%0" : "=r" (v)); (pr_reg)[24] = v;   \
asm("movl %%fs,%0" : "=r" (v)); (pr_reg)[25] = v;   \

[PATCH 4.4 36/66] scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Benjamin Block 

commit a099b7b1fc1f0418ab8d79ecf98153e1e134656e upstream.

Up until now zfcp would just ignore the FCP_RESID_OVER flag in the FCP
response IU. When this flag is set, it is possible, in regards to the
FCP standard, that the storage-server processes the command normally, up
to the point where data is missing and simply ignores those.

In this case no CHECK CONDITION would be set, and because we ignored the
FCP_RESID_OVER flag we resulted in at least a data loss or even
-corruption as a follow-up error, depending on how the
applications/layers on top behave. To prevent this, we now set the
host-byte of the corresponding scsi_cmnd to DID_ERROR.

Other storage-behaviors, where the same condition results in a CHECK
CONDITION set in the answer, don't need to be changed as they are
handled in the mid-layer already.

Following is an example trace record decoded with zfcpdbf from the
s390-tools package. We forcefully injected a fc_dl which is one byte too
small:

Timestamp  : ...
Area   : SCSI
Subarea: 00
Level  : 3
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: rsl_err
Request ID : 0x...
SCSI ID: 0x...
SCSI LUN   : 0x...
SCSI result: 0x0007
 ^^DID_ERROR
SCSI retries   : 0x..
SCSI allowed   : 0x..
SCSI scribble  : 0x...
SCSI opcode: 2a00  0800 
FCP rsp inf cod: 0x00
FCP rsp IU :   0400 0001
   ^^fr_flags==FCP_RESID_OVER
 ^^fr_status==SAM_STAT_GOOD
fr_resid
  

As of now, we don't actively handle to possibility that a response IU
has both flags - FCP_RESID_OVER and FCP_RESID_UNDER - set at once.

Reported-by: Luke M. Hopkins 
Reviewed-by: Steffen Maier 
Fixes: 553448f6c483 ("[SCSI] zfcp: Message cleanup")
Fixes: ea127f975424 ("[PATCH] s390 (7/7): zfcp host adapter.") 
(tglx/history.git)
Signed-off-by: Benjamin Block 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/s390/scsi/zfcp_fc.h |6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/s390/scsi/zfcp_fc.h
+++ b/drivers/s390/scsi/zfcp_fc.h
@@ -4,7 +4,7 @@
  * Fibre Channel related definitions and inline functions for the zfcp
  * device driver
  *
- * Copyright IBM Corp. 2009
+ * Copyright IBM Corp. 2009, 2017
  */
 
 #ifndef ZFCP_FC_H
@@ -279,6 +279,10 @@ void zfcp_fc_eval_fcp_rsp(struct fcp_res
 !(rsp_flags & FCP_SNS_LEN_VAL) &&
 fcp_rsp->resp.fr_status == SAM_STAT_GOOD)
set_host_byte(scsi, DID_ERROR);
+   } else if (unlikely(rsp_flags & FCP_RESID_OVER)) {
+   /* FCP_DL was not sufficient for SCSI data length */
+   if (fcp_rsp->resp.fr_status == SAM_STAT_GOOD)
+   set_host_byte(scsi, DID_ERROR);
}
 }
 

[PATCH 4.4 05/66] Revert "net: phy: Correctly process PHY_HALTED in phy_stop_machine()"

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Florian Fainelli 


[ Upstream commit ebc8254aeae34226d0bc8fda309fd9790d4dccfe ]

This reverts commit 7ad813f208533cebfcc32d3d7474dc1677d1b09a ("net: phy:
Correctly process PHY_HALTED in phy_stop_machine()") because it is
creating the possibility for a NULL pointer dereference.

David Daney provide the following call trace and diagram of events:

When ndo_stop() is called we call:

 phy_disconnect()
+---> phy_stop_interrupts() implies: phydev->irq = PHY_POLL;
+---> phy_stop_machine()
|  +---> phy_state_machine()
|  +> queue_delayed_work(): Work queued.
+--->phy_detach() implies: phydev->attached_dev = NULL;

Now at a later time the queued work does:

 phy_state_machine()
+>netif_carrier_off(phydev->attached_dev): Oh no! It is NULL:

 CPU 12 Unable to handle kernel paging request at virtual address
0048, epc == 80de37ec, ra == 80c7c
Oops[#1]:
CPU: 12 PID: 1502 Comm: kworker/12:1 Not tainted 4.9.43-Cavium-Octeon+ #1
Workqueue: events_power_efficient phy_state_machine
task: 8004021ed100 task.stack: 800409d7
$ 0   :  84720060 0048 0004
$ 4   :  0001 0004 
$ 8   :   98f3 
$12   : 800409d73fe0 9c00 846547c8 af3b
$16   : 8004096bab68 8004096babd0  8004096ba800
$20   :   8109 0008
$24   : 0061 808637b0
$28   : 800409d7 800409d73cf0 8000271bd300 80c7804c
Hi: 002a
Lo: 003f
epc   : 80de37ec netif_carrier_off+0xc/0x58
ra: 80c7804c phy_state_machine+0x48c/0x4f8
Status: 14009ce3KX SX UX KERNEL EXL IE
Cause : 0088 (ExcCode 02)
BadVA : 0048
PrId  : 000d9501 (Cavium Octeon III)
Modules linked in:
Process kworker/12:1 (pid: 1502, threadinfo=800409d7,
task=8004021ed100, tls=)
Stack : 800409a54000 8004096bab68 8000271bd300 8000271c1e00
 808a1708 800409a54000 8000271bd300
8000271bd320 800409a54030 80ff0f00 0001
8109 808a1ac0 800402182080 8465
800402182080 8465 80ff 800409a54000
808a1970  8004099e8000 800402099240
 808a8598  800408eeeb00
800409a54000 810a1d00  800409d73de8
800409d73de8 0088 0c009c00 800409d73e08
800409d73e08 800402182080 808a84d0 800402182080
...
Call Trace:
[] netif_carrier_off+0xc/0x58
[] phy_state_machine+0x48c/0x4f8
[] process_one_work+0x158/0x368
[] worker_thread+0x150/0x4c0
[] kthread+0xc8/0xe0
[] ret_from_kernel_thread+0x14/0x1c

The original motivation for this change originated from Marc Gonzales
indicating that his network driver did not have its adjust_link callback
executing with phydev->link = 0 while he was expecting it.

PHYLIB has never made any such guarantees ever because phy_stop() merely just
tells the workqueue to move into PHY_HALTED state which will happen
asynchronously.

Reported-by: Geert Uytterhoeven 
Reported-by: David Daney 
Fixes: 7ad813f20853 ("net: phy: Correctly process PHY_HALTED in 
phy_stop_machine()")
Signed-off-by: Florian Fainelli 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/phy/phy.c |3 ---
 1 file changed, 3 deletions(-)

--- a/drivers/net/phy/phy.c
+++ b/drivers/net/phy/phy.c
@@ -541,9 +541,6 @@ void phy_stop_machine(struct phy_device
if (phydev->state > PHY_UP && phydev->state != PHY_HALTED)
phydev->state = PHY_UP;
mutex_unlock(>lock);
-
-   /* Now we can run the state machine synchronously */
-   phy_state_machine(>state_queue.work);
 }
 
 /**

[PATCH 4.4 27/66] [PATCH - RESEND] crypto: AF_ALG - remove SGL terminator indicator when chaining

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Stephan Mueller 

Fixed differently upstream as commit 2d97591ef43d ("crypto: af_alg - 
consolidation of duplicate code")

The SGL is MAX_SGL_ENTS + 1 in size. The last SG entry is used for the
chaining and is properly updated with the sg_chain invocation. During
the filling-in of the initial SG entries, sg_mark_end is called for each
SG entry. This is appropriate as long as no additional SGL is chained
with the current SGL. However, when a new SGL is chained and the last
SG entry is updated with sg_chain, the last but one entry still contains
the end marker from the sg_mark_end. This end marker must be removed as
otherwise a walk of the chained SGLs will cause a NULL pointer
dereference at the last but one SG entry, because sg_next will return
NULL.

The patch only applies to all kernels up to and including 4.13. The
patch 2d97591ef43d0587be22ad1b0d758d6df4999a0b added to 4.14-rc1
introduced a complete new code base which addresses this bug in
a different way. Yet, that patch is too invasive for stable kernels
and was therefore not marked for stable.

Fixes: 8ff590903d5fc ("crypto: algif_skcipher - User-space interface for 
skcipher operations")
Signed-off-by: Stephan Mueller 
Acked-by: Herbert Xu 
Signed-off-by: Greg Kroah-Hartman 
---
 crypto/algif_skcipher.c |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -143,8 +143,10 @@ static int skcipher_alloc_sgl(struct soc
sg_init_table(sgl->sg, MAX_SGL_ENTS + 1);
sgl->cur = 0;
 
-   if (sg)
+   if (sg) {
sg_chain(sg, MAX_SGL_ENTS + 1, sgl->sg);
+   sg_unmark_end(sg + (MAX_SGL_ENTS - 1));
+   }
 
list_add_tail(>list, >tsgl);
}

[PATCH 4.4 39/66] scsi: zfcp: fix missing trace records for early returns in TMF eh handlers

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit 1a5d999ebfc7bfe28deb48931bb57faa8e4102b6 upstream.

For problem determination we need to see that we were in scsi_eh
as well as whether and why we were successful or not.

The following commits introduced new early returns without adding
a trace record:

v2.6.35 commit a1dbfddd02d2
("[SCSI] zfcp: Pass return code from fc_block_scsi_eh to scsi eh")
on fc_block_scsi_eh() returning != 0 which is FAST_IO_FAIL,

v2.6.30 commit 63caf367e1c9
("[SCSI] zfcp: Improve reliability of SCSI eh handlers in zfcp")
on not having gotten an FSF request after the maximum number of retry
attempts and thus could not issue a TMF and has to return FAILED.

Signed-off-by: Steffen Maier 
Fixes: a1dbfddd02d2 ("[SCSI] zfcp: Pass return code from fc_block_scsi_eh to 
scsi eh")
Fixes: 63caf367e1c9 ("[SCSI] zfcp: Improve reliability of SCSI eh handlers in 
zfcp")
Reviewed-by: Benjamin Block 
Signed-off-by: Benjamin Block 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/s390/scsi/zfcp_scsi.c |8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -273,8 +273,10 @@ static int zfcp_task_mgmt_function(struc
 
zfcp_erp_wait(adapter);
ret = fc_block_scsi_eh(scpnt);
-   if (ret)
+   if (ret) {
+   zfcp_dbf_scsi_devreset("fiof", scpnt, tm_flags, NULL);
return ret;
+   }
 
if (!(atomic_read(>status) &
  ZFCP_STATUS_COMMON_RUNNING)) {
@@ -282,8 +284,10 @@ static int zfcp_task_mgmt_function(struc
return SUCCESS;
}
}
-   if (!fsf_req)
+   if (!fsf_req) {
+   zfcp_dbf_scsi_devreset("reqf", scpnt, tm_flags, NULL);
return FAILED;
+   }
 
wait_for_completion(_req->completion);
 

[PATCH 4.4 06/66] tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Wei Wang 


[ Upstream commit 499350a5a6e7512d9ed369ed63a4244b6536f4f8 ]

When tcp_disconnect() is called, inet_csk_delack_init() sets
icsk->icsk_ack.rcv_mss to 0.
This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
__tcp_select_window() call path to have division by 0 issue.
So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

Reported-by: Andrey Konovalov  
Signed-off-by: Wei Wang 
Signed-off-by: Eric Dumazet 
Signed-off-by: Neal Cardwell 
Signed-off-by: Yuchung Cheng 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/tcp.c |4 
 1 file changed, 4 insertions(+)

--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2260,6 +2260,10 @@ int tcp_disconnect(struct sock *sk, int
tcp_set_ca_state(sk, TCP_CA_Open);
tcp_clear_retrans(tp);
inet_csk_delack_init(sk);
+   /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
+* issue in __tcp_select_window()
+*/
+   icsk->icsk_ack.rcv_mss = TCP_MIN_MSS;
tcp_init_send_head(sk);
memset(>rx_opt, 0, sizeof(tp->rx_opt));
__sk_dst_reset(sk);

[PATCH 4.4 48/66] scsi: sg: off by one in sg_ioctl()

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Dan Carpenter 

commit bd46fc406b30d1db1aff8dabaff8d18bb423fdcf upstream.

If "val" is SG_MAX_QUEUE then we are one element beyond the end of the
"rinfo" array so the > should be >=.

Fixes: 109bade9c625 ("scsi: sg: use standard lists for sg_requests")
Signed-off-by: Dan Carpenter 
Acked-by: Douglas Gilbert 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/sg.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1041,7 +1041,7 @@ sg_ioctl(struct file *filp, unsigned int
read_lock_irqsave(>rq_list_lock, iflags);
val = 0;
list_for_each_entry(srp, >rq_list, entry) {
-   if (val > SG_MAX_QUEUE)
+   if (val >= SG_MAX_QUEUE)
break;
memset([val], 0, SZ_SG_REQ_INFO);
rinfo[val].req_state = srp->done + 1;

[PATCH 4.4 15/66] nfsd: Fix general protection fault in release_lock_stateid()

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Chuck Lever 

commit f46c445b79906a9da55c13e0a6f6b6a006b892fe upstream.

When I push NFSv4.1 / RDMA hard, (xfstests generic/089, for example),
I get this crash on the server:

Oct 28 22:04:30 klimt kernel: general protection fault:  [#1] SMP 
DEBUG_PAGEALLOC
Oct 28 22:04:30 klimt kernel: Modules linked in: cts rpcsec_gss_krb5 iTCO_wdt 
iTCO_vendor_support sb_edac edac_core x86_pkg_temp_thermal intel_powerclamp 
coretemp kvm_intel kvm btrfs irqbypass crct10dif_pclmul crc32_pclmul 
ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd xor 
pcspkr raid6_pq i2c_i801 i2c_smbus lpc_ich mfd_core sg mei_me mei ioatdma 
shpchp wmi ipmi_si ipmi_msghandler rpcrdma ib_ipoib rdma_ucm acpi_power_meter 
acpi_pad ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm nfsd auth_rpcgss nfs_acl 
lockd grace sunrpc ip_tables xfs libcrc32c mlx4_ib mlx4_en ib_core sr_mod cdrom 
sd_mod ast drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm 
crc32c_intel igb ahci libahci ptp mlx4_core pps_core dca libata i2c_algo_bit 
i2c_core dm_mirror dm_region_hash dm_log dm_mod
Oct 28 22:04:30 klimt kernel: CPU: 7 PID: 1558 Comm: nfsd Not tainted 
4.9.0-rc2-5-g82cd754 #8
Oct 28 22:04:30 klimt kernel: Hardware name: Supermicro Super Server/X10SRL-F, 
BIOS 1.0c 09/09/2015
Oct 28 22:04:30 klimt kernel: task: 880835c3a100 task.stack: 
8808420d8000
Oct 28 22:04:30 klimt kernel: RIP: 0010:[]  
[] release_lock_stateid+0x1f/0x60 [nfsd]
Oct 28 22:04:30 klimt kernel: RSP: 0018:8808420dbce0  EFLAGS: 00010246
Oct 28 22:04:30 klimt kernel: RAX: 88084e6660f0 RBX: 88084e667020 RCX: 

Oct 28 22:04:30 klimt kernel: RDX: 0007 RSI:  RDI: 
88084e667020
Oct 28 22:04:30 klimt kernel: RBP: 8808420dbcf8 R08: 0001 R09: 

Oct 28 22:04:30 klimt kernel: R10: 880835c3a100 R11: 880835c3aca8 R12: 
6b6b6b6b6b6b6b6b
Oct 28 22:04:30 klimt kernel: R13: 88084e6670d8 R14: 880835f546f0 R15: 
880835f1c548
Oct 28 22:04:30 klimt kernel: FS:  () 
GS:88087bdc() knlGS:
Oct 28 22:04:30 klimt kernel: CS:  0010 DS:  ES:  CR0: 80050033
Oct 28 22:04:30 klimt kernel: CR2: 7ff020389000 CR3: 01c06000 CR4: 
001406e0
Oct 28 22:04:30 klimt kernel: Stack:
Oct 28 22:04:30 klimt kernel: 88084e667020  
88084e6670d8 8808420dbd20
Oct 28 22:04:30 klimt kernel: a05ac80d 880835f54548 
88084e640008 880835f545b0
Oct 28 22:04:30 klimt kernel: 8808420dbd70 a059803d 
880835f1c768 0870
Oct 28 22:04:30 klimt kernel: Call Trace:
Oct 28 22:04:30 klimt kernel: [] 
nfsd4_free_stateid+0xfd/0x1b0 [nfsd]
Oct 28 22:04:30 klimt kernel: [] 
nfsd4_proc_compound+0x40d/0x690 [nfsd]
Oct 28 22:04:30 klimt kernel: [] nfsd_dispatch+0xd4/0x1d0 
[nfsd]
Oct 28 22:04:30 klimt kernel: [] 
svc_process_common+0x3d9/0x700 [sunrpc]
Oct 28 22:04:30 klimt kernel: [] svc_process+0xf4/0x330 
[sunrpc]
Oct 28 22:04:30 klimt kernel: [] nfsd+0xfa/0x160 [nfsd]
Oct 28 22:04:30 klimt kernel: [] ? nfsd_destroy+0x170/0x170 
[nfsd]
Oct 28 22:04:30 klimt kernel: [] kthread+0x10b/0x120
Oct 28 22:04:30 klimt kernel: [] ? kthread_stop+0x280/0x280
Oct 28 22:04:30 klimt kernel: [] ret_from_fork+0x2a/0x40
Oct 28 22:04:30 klimt kernel: Code: c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 
44 00 00 55 48 89 e5 41 55 41 54 53 48 8b 87 b0 00 00 00 48 89 fb 4c 8b a0 98 
00 00 00 <49> 8b 44 24 20 48 8d b8 80 03 00 00 e8 10 66 1a e1 48 89 df e8
Oct 28 22:04:30 klimt kernel: RIP  [] 
release_lock_stateid+0x1f/0x60 [nfsd]
Oct 28 22:04:30 klimt kernel: RSP 
Oct 28 22:04:30 klimt kernel: ---[ end trace cf5d0b371973e167 ]---

Jeff Layton says:
> Hm...now that I look though, this is a little suspicious:
>
>struct nfs4_openowner *oo = openowner(stp->st_openstp->st_stateowner);
>
> I wonder if it's possible for the openstateid to have already been
> destroyed at this point.
>
> We might be better off doing something like this to get the client pointer:
>
>stp->st_stid.sc_client;
>
> ...which should be more direct and less dependent on other stateids
> staying valid.

With the suggested change, I am no longer able to reproduce the above oops.

v2: Fix unhash_lock_stateid() as well

Fix-suggested-by: Jeff Layton 
Fixes: 42691398be08 ('nfsd: Fix race between FREE_STATEID and LOCK')
Signed-off-by: Chuck Lever 
Reviewed-by: Jeff Layton 
Cc: Christian Theune 
Signed-off-by: J. Bruce Fields 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/nfsd/nfs4state.c |   10 --
 1 file changed, 4 insertions(+), 6 deletions(-)

--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -1145,9 +1145,7 @@ static void 

[PATCH 4.4 09/66] gianfar: Fix Tx flow control deactivation

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Claudiu Manoil 


[ Upstream commit 5d621672bc1a1e5090c1ac5432a18c79e0e13e03 ]

The wrong register is checked for the Tx flow control bit,
it should have been maccfg1 not maccfg2.
This went unnoticed for so long probably because the impact is
hardly visible, not to mention the tangled code from adjust_link().
First, link flow control (i.e. handling of Rx/Tx link level pause frames)
is disabled by default (needs to be enabled via 'ethtool -A').
Secondly, maccfg2 always returns 0 for tx_flow_oldval (except for a few
old boards), which results in Tx flow control remaining always on
once activated.

Fixes: 45b679c9a3ccd9e34f28e6ec677b812a860eb8eb ("gianfar: Implement PAUSE 
frame generation support")
Signed-off-by: Claudiu Manoil 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/ethernet/freescale/gianfar.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/freescale/gianfar.c
+++ b/drivers/net/ethernet/freescale/gianfar.c
@@ -3676,7 +3676,7 @@ static noinline void gfar_update_link_st
u32 tempval1 = gfar_read(>maccfg1);
u32 tempval = gfar_read(>maccfg2);
u32 ecntrl = gfar_read(>ecntrl);
-   u32 tx_flow_oldval = (tempval & MACCFG1_TX_FLOW);
+   u32 tx_flow_oldval = (tempval1 & MACCFG1_TX_FLOW);
 
if (phydev->duplex != priv->oldduplex) {
if (!(phydev->duplex))

[PATCH 4.4 18/66] tty: improve tty_insert_flip_char() slow path

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Arnd Bergmann 

commit 065ea0a7afd64d6cf3464bdd1d8cd227527e2045 upstream.

While working on improving the fast path of tty_insert_flip_char(),
I noticed that by calling tty_buffer_request_room(), we needlessly
move to the separate flag buffer mode for the tty, even when all
characters use TTY_NORMAL as the flag.

This changes the code to call __tty_buffer_request_room() with the
correct flag, which will then allocate a regular buffer when it rounds
out of space but no special flags have been used. I'm guessing that
this is the behavior that Peter Hurley intended when he introduced
the compacted flip buffers.

Fixes: acc0f67f307f ("tty: Halve flip buffer GFP_ATOMIC memory consumption")
Cc: Peter Hurley 
Signed-off-by: Arnd Bergmann 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/tty/tty_buffer.c |5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/tty/tty_buffer.c
+++ b/drivers/tty/tty_buffer.c
@@ -375,10 +375,11 @@ int __tty_insert_flip_char(struct tty_po
struct tty_buffer *tb = port->buf.tail;
int flags = (flag == TTY_NORMAL) ? TTYB_NORMAL : 0;
 
-   if (!tty_buffer_request_room(port, 1))
+   if (!__tty_buffer_request_room(port, 1, flags))
return 0;
 
-   *flag_buf_ptr(tb, tb->used) = flag;
+   if (~tb->flags & TTYB_NORMAL)
+   *flag_buf_ptr(tb, tb->used) = flag;
*char_buf_ptr(tb, tb->used++) = ch;
 
return 1;

[PATCH 4.4 13/66] x86/fsgsbase/64: Report FSBASE and GSBASE correctly in core dumps

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Andy Lutomirski 

commit 9584d98bed7a7a904d0702ad06bbcc94703cb5b4 upstream.

In ELF_COPY_CORE_REGS, we're copying from the current task, so
accessing thread.fsbase and thread.gsbase makes no sense.  Just read
the values from the CPU registers.

In practice, the old code would have been correct most of the time
simply because thread.fsbase and thread.gsbase usually matched the
CPU registers.

Signed-off-by: Andy Lutomirski 
Cc: Borislav Petkov 
Cc: Borislav Petkov 
Cc: Brian Gerst 
Cc: Chang Seok 
Cc: Denys Vlasenko 
Cc: H. Peter Anvin 
Cc: Josh Poimboeuf 
Cc: Linus Torvalds 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Signed-off-by: Ingo Molnar 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/include/asm/elf.h |5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/arch/x86/include/asm/elf.h
+++ b/arch/x86/include/asm/elf.h
@@ -204,6 +204,7 @@ void set_personality_ia32(bool);
 
 #define ELF_CORE_COPY_REGS(pr_reg, regs)   \
 do {   \
+   unsigned long base; \
unsigned v; \
(pr_reg)[0] = (regs)->r15;  \
(pr_reg)[1] = (regs)->r14;  \
@@ -226,8 +227,8 @@ do {
\
(pr_reg)[18] = (regs)->flags;   \
(pr_reg)[19] = (regs)->sp;  \
(pr_reg)[20] = (regs)->ss;  \
-   (pr_reg)[21] = current->thread.fs;  \
-   (pr_reg)[22] = current->thread.gs;  \
+   rdmsrl(MSR_FS_BASE, base); (pr_reg)[21] = base; \
+   rdmsrl(MSR_KERNEL_GS_BASE, base); (pr_reg)[22] = base;  \
asm("movl %%ds,%0" : "=r" (v)); (pr_reg)[23] = v;   \
asm("movl %%es,%0" : "=r" (v)); (pr_reg)[24] = v;   \
asm("movl %%fs,%0" : "=r" (v)); (pr_reg)[25] = v;   \

[PATCH 4.4 36/66] scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Benjamin Block 

commit a099b7b1fc1f0418ab8d79ecf98153e1e134656e upstream.

Up until now zfcp would just ignore the FCP_RESID_OVER flag in the FCP
response IU. When this flag is set, it is possible, in regards to the
FCP standard, that the storage-server processes the command normally, up
to the point where data is missing and simply ignores those.

In this case no CHECK CONDITION would be set, and because we ignored the
FCP_RESID_OVER flag we resulted in at least a data loss or even
-corruption as a follow-up error, depending on how the
applications/layers on top behave. To prevent this, we now set the
host-byte of the corresponding scsi_cmnd to DID_ERROR.

Other storage-behaviors, where the same condition results in a CHECK
CONDITION set in the answer, don't need to be changed as they are
handled in the mid-layer already.

Following is an example trace record decoded with zfcpdbf from the
s390-tools package. We forcefully injected a fc_dl which is one byte too
small:

Timestamp  : ...
Area   : SCSI
Subarea: 00
Level  : 3
Exception  : -
CPU ID : ..
Caller : 0x...
Record ID  : 1
Tag: rsl_err
Request ID : 0x...
SCSI ID: 0x...
SCSI LUN   : 0x...
SCSI result: 0x0007
 ^^DID_ERROR
SCSI retries   : 0x..
SCSI allowed   : 0x..
SCSI scribble  : 0x...
SCSI opcode: 2a00  0800 
FCP rsp inf cod: 0x00
FCP rsp IU :   0400 0001
   ^^fr_flags==FCP_RESID_OVER
 ^^fr_status==SAM_STAT_GOOD
fr_resid
  

As of now, we don't actively handle to possibility that a response IU
has both flags - FCP_RESID_OVER and FCP_RESID_UNDER - set at once.

Reported-by: Luke M. Hopkins 
Reviewed-by: Steffen Maier 
Fixes: 553448f6c483 ("[SCSI] zfcp: Message cleanup")
Fixes: ea127f975424 ("[PATCH] s390 (7/7): zfcp host adapter.") 
(tglx/history.git)
Signed-off-by: Benjamin Block 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/s390/scsi/zfcp_fc.h |6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/s390/scsi/zfcp_fc.h
+++ b/drivers/s390/scsi/zfcp_fc.h
@@ -4,7 +4,7 @@
  * Fibre Channel related definitions and inline functions for the zfcp
  * device driver
  *
- * Copyright IBM Corp. 2009
+ * Copyright IBM Corp. 2009, 2017
  */
 
 #ifndef ZFCP_FC_H
@@ -279,6 +279,10 @@ void zfcp_fc_eval_fcp_rsp(struct fcp_res
 !(rsp_flags & FCP_SNS_LEN_VAL) &&
 fcp_rsp->resp.fr_status == SAM_STAT_GOOD)
set_host_byte(scsi, DID_ERROR);
+   } else if (unlikely(rsp_flags & FCP_RESID_OVER)) {
+   /* FCP_DL was not sufficient for SCSI data length */
+   if (fcp_rsp->resp.fr_status == SAM_STAT_GOOD)
+   set_host_byte(scsi, DID_ERROR);
}
 }
 

[PATCH 4.4 05/66] Revert "net: phy: Correctly process PHY_HALTED in phy_stop_machine()"

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Florian Fainelli 


[ Upstream commit ebc8254aeae34226d0bc8fda309fd9790d4dccfe ]

This reverts commit 7ad813f208533cebfcc32d3d7474dc1677d1b09a ("net: phy:
Correctly process PHY_HALTED in phy_stop_machine()") because it is
creating the possibility for a NULL pointer dereference.

David Daney provide the following call trace and diagram of events:

When ndo_stop() is called we call:

 phy_disconnect()
+---> phy_stop_interrupts() implies: phydev->irq = PHY_POLL;
+---> phy_stop_machine()
|  +---> phy_state_machine()
|  +> queue_delayed_work(): Work queued.
+--->phy_detach() implies: phydev->attached_dev = NULL;

Now at a later time the queued work does:

 phy_state_machine()
+>netif_carrier_off(phydev->attached_dev): Oh no! It is NULL:

 CPU 12 Unable to handle kernel paging request at virtual address
0048, epc == 80de37ec, ra == 80c7c
Oops[#1]:
CPU: 12 PID: 1502 Comm: kworker/12:1 Not tainted 4.9.43-Cavium-Octeon+ #1
Workqueue: events_power_efficient phy_state_machine
task: 8004021ed100 task.stack: 800409d7
$ 0   :  84720060 0048 0004
$ 4   :  0001 0004 
$ 8   :   98f3 
$12   : 800409d73fe0 9c00 846547c8 af3b
$16   : 8004096bab68 8004096babd0  8004096ba800
$20   :   8109 0008
$24   : 0061 808637b0
$28   : 800409d7 800409d73cf0 8000271bd300 80c7804c
Hi: 002a
Lo: 003f
epc   : 80de37ec netif_carrier_off+0xc/0x58
ra: 80c7804c phy_state_machine+0x48c/0x4f8
Status: 14009ce3KX SX UX KERNEL EXL IE
Cause : 0088 (ExcCode 02)
BadVA : 0048
PrId  : 000d9501 (Cavium Octeon III)
Modules linked in:
Process kworker/12:1 (pid: 1502, threadinfo=800409d7,
task=8004021ed100, tls=)
Stack : 800409a54000 8004096bab68 8000271bd300 8000271c1e00
 808a1708 800409a54000 8000271bd300
8000271bd320 800409a54030 80ff0f00 0001
8109 808a1ac0 800402182080 8465
800402182080 8465 80ff 800409a54000
808a1970  8004099e8000 800402099240
 808a8598  800408eeeb00
800409a54000 810a1d00  800409d73de8
800409d73de8 0088 0c009c00 800409d73e08
800409d73e08 800402182080 808a84d0 800402182080
...
Call Trace:
[] netif_carrier_off+0xc/0x58
[] phy_state_machine+0x48c/0x4f8
[] process_one_work+0x158/0x368
[] worker_thread+0x150/0x4c0
[] kthread+0xc8/0xe0
[] ret_from_kernel_thread+0x14/0x1c

The original motivation for this change originated from Marc Gonzales
indicating that his network driver did not have its adjust_link callback
executing with phydev->link = 0 while he was expecting it.

PHYLIB has never made any such guarantees ever because phy_stop() merely just
tells the workqueue to move into PHY_HALTED state which will happen
asynchronously.

Reported-by: Geert Uytterhoeven 
Reported-by: David Daney 
Fixes: 7ad813f20853 ("net: phy: Correctly process PHY_HALTED in 
phy_stop_machine()")
Signed-off-by: Florian Fainelli 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/phy/phy.c |3 ---
 1 file changed, 3 deletions(-)

--- a/drivers/net/phy/phy.c
+++ b/drivers/net/phy/phy.c
@@ -541,9 +541,6 @@ void phy_stop_machine(struct phy_device
if (phydev->state > PHY_UP && phydev->state != PHY_HALTED)
phydev->state = PHY_UP;
mutex_unlock(>lock);
-
-   /* Now we can run the state machine synchronously */
-   phy_state_machine(>state_queue.work);
 }
 
 /**

[PATCH 4.4 27/66] [PATCH - RESEND] crypto: AF_ALG - remove SGL terminator indicator when chaining

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Stephan Mueller 

Fixed differently upstream as commit 2d97591ef43d ("crypto: af_alg - 
consolidation of duplicate code")

The SGL is MAX_SGL_ENTS + 1 in size. The last SG entry is used for the
chaining and is properly updated with the sg_chain invocation. During
the filling-in of the initial SG entries, sg_mark_end is called for each
SG entry. This is appropriate as long as no additional SGL is chained
with the current SGL. However, when a new SGL is chained and the last
SG entry is updated with sg_chain, the last but one entry still contains
the end marker from the sg_mark_end. This end marker must be removed as
otherwise a walk of the chained SGLs will cause a NULL pointer
dereference at the last but one SG entry, because sg_next will return
NULL.

The patch only applies to all kernels up to and including 4.13. The
patch 2d97591ef43d0587be22ad1b0d758d6df4999a0b added to 4.14-rc1
introduced a complete new code base which addresses this bug in
a different way. Yet, that patch is too invasive for stable kernels
and was therefore not marked for stable.

Fixes: 8ff590903d5fc ("crypto: algif_skcipher - User-space interface for 
skcipher operations")
Signed-off-by: Stephan Mueller 
Acked-by: Herbert Xu 
Signed-off-by: Greg Kroah-Hartman 
---
 crypto/algif_skcipher.c |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -143,8 +143,10 @@ static int skcipher_alloc_sgl(struct soc
sg_init_table(sgl->sg, MAX_SGL_ENTS + 1);
sgl->cur = 0;
 
-   if (sg)
+   if (sg) {
sg_chain(sg, MAX_SGL_ENTS + 1, sgl->sg);
+   sg_unmark_end(sg + (MAX_SGL_ENTS - 1));
+   }
 
list_add_tail(>list, >tsgl);
}

[PATCH 4.4 39/66] scsi: zfcp: fix missing trace records for early returns in TMF eh handlers

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Steffen Maier 

commit 1a5d999ebfc7bfe28deb48931bb57faa8e4102b6 upstream.

For problem determination we need to see that we were in scsi_eh
as well as whether and why we were successful or not.

The following commits introduced new early returns without adding
a trace record:

v2.6.35 commit a1dbfddd02d2
("[SCSI] zfcp: Pass return code from fc_block_scsi_eh to scsi eh")
on fc_block_scsi_eh() returning != 0 which is FAST_IO_FAIL,

v2.6.30 commit 63caf367e1c9
("[SCSI] zfcp: Improve reliability of SCSI eh handlers in zfcp")
on not having gotten an FSF request after the maximum number of retry
attempts and thus could not issue a TMF and has to return FAILED.

Signed-off-by: Steffen Maier 
Fixes: a1dbfddd02d2 ("[SCSI] zfcp: Pass return code from fc_block_scsi_eh to 
scsi eh")
Fixes: 63caf367e1c9 ("[SCSI] zfcp: Improve reliability of SCSI eh handlers in 
zfcp")
Reviewed-by: Benjamin Block 
Signed-off-by: Benjamin Block 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/s390/scsi/zfcp_scsi.c |8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -273,8 +273,10 @@ static int zfcp_task_mgmt_function(struc
 
zfcp_erp_wait(adapter);
ret = fc_block_scsi_eh(scpnt);
-   if (ret)
+   if (ret) {
+   zfcp_dbf_scsi_devreset("fiof", scpnt, tm_flags, NULL);
return ret;
+   }
 
if (!(atomic_read(>status) &
  ZFCP_STATUS_COMMON_RUNNING)) {
@@ -282,8 +284,10 @@ static int zfcp_task_mgmt_function(struc
return SUCCESS;
}
}
-   if (!fsf_req)
+   if (!fsf_req) {
+   zfcp_dbf_scsi_devreset("reqf", scpnt, tm_flags, NULL);
return FAILED;
+   }
 
wait_for_completion(_req->completion);
 

[PATCH 4.4 06/66] tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Wei Wang 


[ Upstream commit 499350a5a6e7512d9ed369ed63a4244b6536f4f8 ]

When tcp_disconnect() is called, inet_csk_delack_init() sets
icsk->icsk_ack.rcv_mss to 0.
This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
__tcp_select_window() call path to have division by 0 issue.
So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

Reported-by: Andrey Konovalov  
Signed-off-by: Wei Wang 
Signed-off-by: Eric Dumazet 
Signed-off-by: Neal Cardwell 
Signed-off-by: Yuchung Cheng 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv4/tcp.c |4 
 1 file changed, 4 insertions(+)

--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2260,6 +2260,10 @@ int tcp_disconnect(struct sock *sk, int
tcp_set_ca_state(sk, TCP_CA_Open);
tcp_clear_retrans(tp);
inet_csk_delack_init(sk);
+   /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
+* issue in __tcp_select_window()
+*/
+   icsk->icsk_ack.rcv_mss = TCP_MIN_MSS;
tcp_init_send_head(sk);
memset(>rx_opt, 0, sizeof(tp->rx_opt));
__sk_dst_reset(sk);

[PATCH 4.4 48/66] scsi: sg: off by one in sg_ioctl()

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Dan Carpenter 

commit bd46fc406b30d1db1aff8dabaff8d18bb423fdcf upstream.

If "val" is SG_MAX_QUEUE then we are one element beyond the end of the
"rinfo" array so the > should be >=.

Fixes: 109bade9c625 ("scsi: sg: use standard lists for sg_requests")
Signed-off-by: Dan Carpenter 
Acked-by: Douglas Gilbert 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/sg.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1041,7 +1041,7 @@ sg_ioctl(struct file *filp, unsigned int
read_lock_irqsave(>rq_list_lock, iflags);
val = 0;
list_for_each_entry(srp, >rq_list, entry) {
-   if (val > SG_MAX_QUEUE)
+   if (val >= SG_MAX_QUEUE)
break;
memset([val], 0, SZ_SG_REQ_INFO);
rinfo[val].req_state = srp->done + 1;

[PATCH 4.4 15/66] nfsd: Fix general protection fault in release_lock_stateid()

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Chuck Lever 

commit f46c445b79906a9da55c13e0a6f6b6a006b892fe upstream.

When I push NFSv4.1 / RDMA hard, (xfstests generic/089, for example),
I get this crash on the server:

Oct 28 22:04:30 klimt kernel: general protection fault:  [#1] SMP 
DEBUG_PAGEALLOC
Oct 28 22:04:30 klimt kernel: Modules linked in: cts rpcsec_gss_krb5 iTCO_wdt 
iTCO_vendor_support sb_edac edac_core x86_pkg_temp_thermal intel_powerclamp 
coretemp kvm_intel kvm btrfs irqbypass crct10dif_pclmul crc32_pclmul 
ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd xor 
pcspkr raid6_pq i2c_i801 i2c_smbus lpc_ich mfd_core sg mei_me mei ioatdma 
shpchp wmi ipmi_si ipmi_msghandler rpcrdma ib_ipoib rdma_ucm acpi_power_meter 
acpi_pad ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm nfsd auth_rpcgss nfs_acl 
lockd grace sunrpc ip_tables xfs libcrc32c mlx4_ib mlx4_en ib_core sr_mod cdrom 
sd_mod ast drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm 
crc32c_intel igb ahci libahci ptp mlx4_core pps_core dca libata i2c_algo_bit 
i2c_core dm_mirror dm_region_hash dm_log dm_mod
Oct 28 22:04:30 klimt kernel: CPU: 7 PID: 1558 Comm: nfsd Not tainted 
4.9.0-rc2-5-g82cd754 #8
Oct 28 22:04:30 klimt kernel: Hardware name: Supermicro Super Server/X10SRL-F, 
BIOS 1.0c 09/09/2015
Oct 28 22:04:30 klimt kernel: task: 880835c3a100 task.stack: 
8808420d8000
Oct 28 22:04:30 klimt kernel: RIP: 0010:[]  
[] release_lock_stateid+0x1f/0x60 [nfsd]
Oct 28 22:04:30 klimt kernel: RSP: 0018:8808420dbce0  EFLAGS: 00010246
Oct 28 22:04:30 klimt kernel: RAX: 88084e6660f0 RBX: 88084e667020 RCX: 

Oct 28 22:04:30 klimt kernel: RDX: 0007 RSI:  RDI: 
88084e667020
Oct 28 22:04:30 klimt kernel: RBP: 8808420dbcf8 R08: 0001 R09: 

Oct 28 22:04:30 klimt kernel: R10: 880835c3a100 R11: 880835c3aca8 R12: 
6b6b6b6b6b6b6b6b
Oct 28 22:04:30 klimt kernel: R13: 88084e6670d8 R14: 880835f546f0 R15: 
880835f1c548
Oct 28 22:04:30 klimt kernel: FS:  () 
GS:88087bdc() knlGS:
Oct 28 22:04:30 klimt kernel: CS:  0010 DS:  ES:  CR0: 80050033
Oct 28 22:04:30 klimt kernel: CR2: 7ff020389000 CR3: 01c06000 CR4: 
001406e0
Oct 28 22:04:30 klimt kernel: Stack:
Oct 28 22:04:30 klimt kernel: 88084e667020  
88084e6670d8 8808420dbd20
Oct 28 22:04:30 klimt kernel: a05ac80d 880835f54548 
88084e640008 880835f545b0
Oct 28 22:04:30 klimt kernel: 8808420dbd70 a059803d 
880835f1c768 0870
Oct 28 22:04:30 klimt kernel: Call Trace:
Oct 28 22:04:30 klimt kernel: [] 
nfsd4_free_stateid+0xfd/0x1b0 [nfsd]
Oct 28 22:04:30 klimt kernel: [] 
nfsd4_proc_compound+0x40d/0x690 [nfsd]
Oct 28 22:04:30 klimt kernel: [] nfsd_dispatch+0xd4/0x1d0 
[nfsd]
Oct 28 22:04:30 klimt kernel: [] 
svc_process_common+0x3d9/0x700 [sunrpc]
Oct 28 22:04:30 klimt kernel: [] svc_process+0xf4/0x330 
[sunrpc]
Oct 28 22:04:30 klimt kernel: [] nfsd+0xfa/0x160 [nfsd]
Oct 28 22:04:30 klimt kernel: [] ? nfsd_destroy+0x170/0x170 
[nfsd]
Oct 28 22:04:30 klimt kernel: [] kthread+0x10b/0x120
Oct 28 22:04:30 klimt kernel: [] ? kthread_stop+0x280/0x280
Oct 28 22:04:30 klimt kernel: [] ret_from_fork+0x2a/0x40
Oct 28 22:04:30 klimt kernel: Code: c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 
44 00 00 55 48 89 e5 41 55 41 54 53 48 8b 87 b0 00 00 00 48 89 fb 4c 8b a0 98 
00 00 00 <49> 8b 44 24 20 48 8d b8 80 03 00 00 e8 10 66 1a e1 48 89 df e8
Oct 28 22:04:30 klimt kernel: RIP  [] 
release_lock_stateid+0x1f/0x60 [nfsd]
Oct 28 22:04:30 klimt kernel: RSP 
Oct 28 22:04:30 klimt kernel: ---[ end trace cf5d0b371973e167 ]---

Jeff Layton says:
> Hm...now that I look though, this is a little suspicious:
>
>struct nfs4_openowner *oo = openowner(stp->st_openstp->st_stateowner);
>
> I wonder if it's possible for the openstateid to have already been
> destroyed at this point.
>
> We might be better off doing something like this to get the client pointer:
>
>stp->st_stid.sc_client;
>
> ...which should be more direct and less dependent on other stateids
> staying valid.

With the suggested change, I am no longer able to reproduce the above oops.

v2: Fix unhash_lock_stateid() as well

Fix-suggested-by: Jeff Layton 
Fixes: 42691398be08 ('nfsd: Fix race between FREE_STATEID and LOCK')
Signed-off-by: Chuck Lever 
Reviewed-by: Jeff Layton 
Cc: Christian Theune 
Signed-off-by: J. Bruce Fields 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/nfsd/nfs4state.c |   10 --
 1 file changed, 4 insertions(+), 6 deletions(-)

--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -1145,9 +1145,7 @@ static void put_ol_stateid_locked(struct
 
 static bool unhash_lock_stateid(struct nfs4_ol_stateid *stp)
 {
-   struct nfs4_openowner *oo = 

[PATCH 4.4 24/66] MIPS: math-emu: <MAXA|MINA>.<D|S>: Fix cases of input values with opposite signs

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit 1a41b3b441508ae63b1a9ec699ec94065739eb60 upstream.

Fix the value returned by ., if the inputs are normal
fp numbers of the same absolute value, but opposite signs.

A relevant example:

MAXA.S fd,fs,ft:
  If fs contains -3.0, and ft contains +3.0, fd is going to contain
  +3.0 (without this patch, it used to contain -3.0).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16883/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |8 ++--
 arch/mips/math-emu/dp_fmin.c |6 +-
 arch/mips/math-emu/sp_fmax.c |8 ++--
 arch/mips/math-emu/sp_fmin.c |6 +-
 4 files changed, 22 insertions(+), 6 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -243,7 +243,11 @@ union ieee754dp ieee754dp_fmaxa(union ie
return y;
 
/* Compare mantissa */
-   if (xm <= ym)
+   if (xm < ym)
return y;
-   return x;
+   else if (xm > ym)
+   return x;
+   else if (xs == 0)
+   return x;
+   return y;
 }
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -243,7 +243,11 @@ union ieee754dp ieee754dp_fmina(union ie
return x;
 
/* Compare mantissa */
-   if (xm <= ym)
+   if (xm < ym)
+   return x;
+   else if (xm > ym)
+   return y;
+   else if (xs == 1)
return x;
return y;
 }
--- a/arch/mips/math-emu/sp_fmax.c
+++ b/arch/mips/math-emu/sp_fmax.c
@@ -243,7 +243,11 @@ union ieee754sp ieee754sp_fmaxa(union ie
return y;
 
/* Compare mantissa */
-   if (xm <= ym)
+   if (xm < ym)
return y;
-   return x;
+   else if (xm > ym)
+   return x;
+   else if (xs == 0)
+   return x;
+   return y;
 }
--- a/arch/mips/math-emu/sp_fmin.c
+++ b/arch/mips/math-emu/sp_fmin.c
@@ -243,7 +243,11 @@ union ieee754sp ieee754sp_fmina(union ie
return x;
 
/* Compare mantissa */
-   if (xm <= ym)
+   if (xm < ym)
+   return x;
+   else if (xm > ym)
+   return y;
+   else if (xs == 1)
return x;
return y;
 }

[PATCH 4.4 20/66] Input: i8042 - add Gigabyte P57 to the keyboard reset table

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Kai-Heng Feng 

commit 697c5d8a36768b36729533fb44622b35d56d6ad0 upstream.

Similar to other Gigabyte laptops, the touchpad on P57 requires a
keyboard reset to detect Elantech touchpad correctly.

BugLink: https://bugs.launchpad.net/bugs/1594214
Signed-off-by: Kai-Heng Feng 
Signed-off-by: Dmitry Torokhov 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/input/serio/i8042-x86ia64io.h |7 +++
 1 file changed, 7 insertions(+)

--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -905,6 +905,13 @@ static const struct dmi_system_id __init
},
},
{
+   /* Gigabyte P57 - Elantech touchpad */
+   .matches = {
+   DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"),
+   DMI_MATCH(DMI_PRODUCT_NAME, "P57"),
+   },
+   },
+   {
/* Schenker XMG C504 - Elantech touchpad */
.matches = {
DMI_MATCH(DMI_SYS_VENDOR, "XMG"),

[PATCH 4.4 45/66] scsi: storvsc: fix memory leak on ring buffer busy

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Long Li 

commit 0208eeaa650c5c866a3242201678a19e6dc4a14e upstream.

When storvsc is sending I/O to Hyper-v, it may allocate a bigger buffer
descriptor for large data payload that can't fit into a pre-allocated
buffer descriptor. This bigger buffer is freed on return path.

If I/O request to Hyper-v fails due to ring buffer busy, the storvsc
allocated buffer descriptor should also be freed.

[mkp: applied by hand]

Fixes: be0cf6ca301c ("scsi: storvsc: Set the tablesize based on the information 
given by the host")
Signed-off-by: Long Li 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/storvsc_drv.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1511,6 +1511,8 @@ static int storvsc_queuecommand(struct S
ret = storvsc_do_io(dev, cmd_request);
 
if (ret == -EAGAIN) {
+   if (payload_sz > sizeof(cmd_request->mpb))
+   kfree(payload);
/* no more space */
return SCSI_MLQUEUE_DEVICE_BUSY;
}

[PATCH 4.4 45/66] scsi: storvsc: fix memory leak on ring buffer busy

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Long Li 

commit 0208eeaa650c5c866a3242201678a19e6dc4a14e upstream.

When storvsc is sending I/O to Hyper-v, it may allocate a bigger buffer
descriptor for large data payload that can't fit into a pre-allocated
buffer descriptor. This bigger buffer is freed on return path.

If I/O request to Hyper-v fails due to ring buffer busy, the storvsc
allocated buffer descriptor should also be freed.

[mkp: applied by hand]

Fixes: be0cf6ca301c ("scsi: storvsc: Set the tablesize based on the information 
given by the host")
Signed-off-by: Long Li 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/storvsc_drv.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1511,6 +1511,8 @@ static int storvsc_queuecommand(struct S
ret = storvsc_do_io(dev, cmd_request);
 
if (ret == -EAGAIN) {
+   if (payload_sz > sizeof(cmd_request->mpb))
+   kfree(payload);
/* no more space */
return SCSI_MLQUEUE_DEVICE_BUSY;
}

[PATCH 4.4 24/66] MIPS: math-emu: .: Fix cases of input values with opposite signs

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Aleksandar Markovic 

commit 1a41b3b441508ae63b1a9ec699ec94065739eb60 upstream.

Fix the value returned by ., if the inputs are normal
fp numbers of the same absolute value, but opposite signs.

A relevant example:

MAXA.S fd,fs,ft:
  If fs contains -3.0, and ft contains +3.0, fd is going to contain
  +3.0 (without this patch, it used to contain -3.0).

Fixes: a79f5f9ba508 ("MIPS: math-emu: Add support for the MIPS R6 MAX{, A} FPU 
instruction")
Fixes: 4e9561b20e2f ("MIPS: math-emu: Add support for the MIPS R6 MIN{, A} FPU 
instruction")

Signed-off-by: Miodrag Dinic 
Signed-off-by: Goran Ferenc 
Signed-off-by: Aleksandar Markovic 
Reviewed-by: James Hogan 
Cc: Bo Hu 
Cc: Douglas Leung 
Cc: Jin Qian 
Cc: Paul Burton 
Cc: Petar Jovanovic 
Cc: Raghu Gandham 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16883/
Signed-off-by: Ralf Baechle 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/math-emu/dp_fmax.c |8 ++--
 arch/mips/math-emu/dp_fmin.c |6 +-
 arch/mips/math-emu/sp_fmax.c |8 ++--
 arch/mips/math-emu/sp_fmin.c |6 +-
 4 files changed, 22 insertions(+), 6 deletions(-)

--- a/arch/mips/math-emu/dp_fmax.c
+++ b/arch/mips/math-emu/dp_fmax.c
@@ -243,7 +243,11 @@ union ieee754dp ieee754dp_fmaxa(union ie
return y;
 
/* Compare mantissa */
-   if (xm <= ym)
+   if (xm < ym)
return y;
-   return x;
+   else if (xm > ym)
+   return x;
+   else if (xs == 0)
+   return x;
+   return y;
 }
--- a/arch/mips/math-emu/dp_fmin.c
+++ b/arch/mips/math-emu/dp_fmin.c
@@ -243,7 +243,11 @@ union ieee754dp ieee754dp_fmina(union ie
return x;
 
/* Compare mantissa */
-   if (xm <= ym)
+   if (xm < ym)
+   return x;
+   else if (xm > ym)
+   return y;
+   else if (xs == 1)
return x;
return y;
 }
--- a/arch/mips/math-emu/sp_fmax.c
+++ b/arch/mips/math-emu/sp_fmax.c
@@ -243,7 +243,11 @@ union ieee754sp ieee754sp_fmaxa(union ie
return y;
 
/* Compare mantissa */
-   if (xm <= ym)
+   if (xm < ym)
return y;
-   return x;
+   else if (xm > ym)
+   return x;
+   else if (xs == 0)
+   return x;
+   return y;
 }
--- a/arch/mips/math-emu/sp_fmin.c
+++ b/arch/mips/math-emu/sp_fmin.c
@@ -243,7 +243,11 @@ union ieee754sp ieee754sp_fmina(union ie
return x;
 
/* Compare mantissa */
-   if (xm <= ym)
+   if (xm < ym)
+   return x;
+   else if (xm > ym)
+   return y;
+   else if (xs == 1)
return x;
return y;
 }

[PATCH 4.4 20/66] Input: i8042 - add Gigabyte P57 to the keyboard reset table

[Greg Kroah-Hartman]

4.4-stable review patch.  If anyone has any objections, please let me know.

--

From: Kai-Heng Feng 

commit 697c5d8a36768b36729533fb44622b35d56d6ad0 upstream.

Similar to other Gigabyte laptops, the touchpad on P57 requires a
keyboard reset to detect Elantech touchpad correctly.

BugLink: https://bugs.launchpad.net/bugs/1594214
Signed-off-by: Kai-Heng Feng 
Signed-off-by: Dmitry Torokhov 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/input/serio/i8042-x86ia64io.h |7 +++
 1 file changed, 7 insertions(+)

--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -905,6 +905,13 @@ static const struct dmi_system_id __init
},
},
{
+   /* Gigabyte P57 - Elantech touchpad */
+   .matches = {
+   DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"),
+   DMI_MATCH(DMI_PRODUCT_NAME, "P57"),
+   },
+   },
+   {
/* Schenker XMG C504 - Elantech touchpad */
.matches = {
DMI_MATCH(DMI_SYS_VENDOR, "XMG"),