--- /dev/null
+From e64fd41107edbf2e2308271bcac2f04789591438 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Apr 2020 10:18:29 +0300
+Subject: ASoC: SOF: imx: fix undefined reference issue
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit cb0312f61c3e95c71ec8955a94d42bf7eb5ba617 ]
+
+make.cross ARCH=mips allyesconfig fails with the following error:
+
+sound/soc/sof/sof-of-dev.o:(.data.sof_of_imx8qxp_desc+0x40): undefined
+reference to `sof_imx8x_ops'.
+
+This seems to be a Makefile order issue, solve by using the same
+structure as for Intel platforms.
+
+Fixes: f9ad75468453 ("ASoC: SOF: imx: fix reverse CONFIG_SND_SOC_SOF_OF
+dependency")
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Daniel Baluta <daniel.baluta@nxp.com>
+Link: https://lore.kernel.org/r/20200409071832.2039-3-daniel.baluta@oss.nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/imx/Kconfig | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/sof/imx/Kconfig b/sound/soc/sof/imx/Kconfig
+index 812749064ca8..9586635cf8ab 100644
+--- a/sound/soc/sof/imx/Kconfig
++++ b/sound/soc/sof/imx/Kconfig
+@@ -11,17 +11,26 @@ config SND_SOC_SOF_IMX_TOPLEVEL
+
+ if SND_SOC_SOF_IMX_TOPLEVEL
+
++config SND_SOC_SOF_IMX_OF
++ def_tristate SND_SOC_SOF_OF
++ select SND_SOC_SOF_IMX8 if SND_SOC_SOF_IMX8_SUPPORT
++ help
++ This option is not user-selectable but automagically handled by
++ 'select' statements at a higher level
++
+ config SND_SOC_SOF_IMX8_SUPPORT
+ bool "SOF support for i.MX8"
+- depends on IMX_SCU
+- select IMX_DSP
+ help
+ This adds support for Sound Open Firmware for NXP i.MX8 platforms
+ Say Y if you have such a device.
+ If unsure select "N".
+
+ config SND_SOC_SOF_IMX8
+- def_tristate SND_SOC_SOF_OF
+- depends on SND_SOC_SOF_IMX8_SUPPORT
++ tristate
++ depends on IMX_SCU
++ select IMX_DSP
++ help
++ This option is not user-selectable but automagically handled by
++ 'select' statements at a higher level
+
+ endif ## SND_SOC_SOF_IMX_IMX_TOPLEVEL
+--
+2.25.1
+
--- /dev/null
+From 7b719d9459231033d48e7763e3f805ce40647528 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Apr 2020 10:18:28 +0300
+Subject: ASoC: SOF: imx8: Fix randbuild error
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit fe17e6cdc0fefca96ba9659be4b2b07487cbf0c5 ]
+
+when do randconfig like this:
+CONFIG_SND_SOC_SOF_IMX8_SUPPORT=y
+CONFIG_SND_SOC_SOF_IMX8=y
+CONFIG_SND_SOC_SOF_OF=y
+CONFIG_IMX_DSP=m
+CONFIG_IMX_SCU=y
+
+there is a link error:
+
+sound/soc/sof/imx/imx8.o: In function 'imx8_send_msg':
+imx8.c:(.text+0x380): undefined reference to 'imx_dsp_ring_doorbell'
+
+Select IMX_DSP in SND_SOC_SOF_IMX8_SUPPORT to fix this
+
+Fixes: f9ad75468453 ("ASoC: SOF: imx: fix reverse CONFIG_SND_SOC_SOF_OF dependency")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: Daniel Baluta <daniel.baluta@nxp.com>
+Link: https://lore.kernel.org/r/20200409071832.2039-2-daniel.baluta@oss.nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/imx/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/imx/Kconfig b/sound/soc/sof/imx/Kconfig
+index bae4f7bf5f75..812749064ca8 100644
+--- a/sound/soc/sof/imx/Kconfig
++++ b/sound/soc/sof/imx/Kconfig
+@@ -14,7 +14,7 @@ if SND_SOC_SOF_IMX_TOPLEVEL
+ config SND_SOC_SOF_IMX8_SUPPORT
+ bool "SOF support for i.MX8"
+ depends on IMX_SCU
+- depends on IMX_DSP
++ select IMX_DSP
+ help
+ This adds support for Sound Open Firmware for NXP i.MX8 platforms
+ Say Y if you have such a device.
+--
+2.25.1
+
--- /dev/null
+From ff780d52959401d309ecb34962d2b3ff1cc245a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 06:44:43 +0900
+Subject: ath9k_htc: Silence undersized packet warnings
+
+From: Masashi Honma <masashi.honma@gmail.com>
+
+[ Upstream commit 450edd2805982d14ed79733a82927d2857b27cac ]
+
+Some devices like TP-Link TL-WN722N produces this kind of messages
+frequently.
+
+kernel: ath: phy0: Short RX data len, dropping (dlen: 4)
+
+This warning is useful for developers to recognize that the device
+(Wi-Fi dongle or USB hub etc) is noisy but not for general users. So
+this patch make this warning to debug message.
+
+Reported-By: Denis <pro.denis@protonmail.com>
+Ref: https://bugzilla.kernel.org/show_bug.cgi?id=207539
+Fixes: cd486e627e67 ("ath9k_htc: Discard undersized packets")
+Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200504214443.4485-1-masashi.honma@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+index 9cec5c216e1f..118e5550b10c 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+@@ -999,9 +999,9 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv,
+ * which are not PHY_ERROR (short radar pulses have a length of 3)
+ */
+ if (unlikely(!rs_datalen || (rs_datalen < 10 && !is_phyerr))) {
+- ath_warn(common,
+- "Short RX data len, dropping (dlen: %d)\n",
+- rs_datalen);
++ ath_dbg(common, ANY,
++ "Short RX data len, dropping (dlen: %d)\n",
++ rs_datalen);
+ goto rx_next;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From b20211fb46e5cfe9f99ed2657f91f72040e1f25a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 May 2020 15:09:27 -0700
+Subject: driver core: Update device link status correctly for SYNC_STATE_ONLY
+ links
+
+From: Saravana Kannan <saravanak@google.com>
+
+[ Upstream commit 8c3e315d4296421cd26b3300ee0ac117f0877f20 ]
+
+When SYNC_STATE_ONLY support was added in commit 05ef983e0d65 ("driver
+core: Add device link support for SYNC_STATE_ONLY flag"),
+SYNC_STATE_ONLY links were treated similar to STATELESS links in terms
+of not blocking consumer probe if the supplier hasn't probed yet.
+
+That caused a SYNC_STATE_ONLY device link's status to not get updated.
+Since SYNC_STATE_ONLY device link is no longer useful once the
+consumer probes, commit 21c27f06587d ("driver core: Fix
+SYNC_STATE_ONLY device link implementation") addresses the status
+update issue by deleting the SYNC_STATE_ONLY device link instead of
+complicating the status update code.
+
+However, there are still some cases where we need to update the status
+of a SYNC_STATE_ONLY device link. This is because a SYNC_STATE_ONLY
+device link can later get converted into a normal MANAGED device link
+when a normal MANAGED device link is created between a supplier and
+consumer that already have a SYNC_STATE_ONLY device link between them.
+
+If a SYNC_STATE_ONLY device link's status isn't maintained correctly
+till it's converted to a normal MANAGED device link, then the normal
+MANAGED device link will end up with a wrong link status. This can cause
+a warning stack trace[1] when the consumer device probes successfully.
+
+This commit fixes the SYNC_STATE_ONLY device link status update issue
+where it wouldn't transition correctly from DL_STATE_DORMANT or
+DL_STATE_AVAILABLE to DL_STATE_CONSUMER_PROBE. It also resets the status
+back to DL_STATE_DORMANT or DL_STATE_AVAILABLE if the consumer probe
+fails.
+
+[1] - https://lore.kernel.org/lkml/20200522204120.3b3c9ed6@apollo/
+Fixes: 05ef983e0d65 ("driver core: Add device link support for SYNC_STATE_ONLY flag")
+Fixes: 21c27f06587d ("driver core: Fix SYNC_STATE_ONLY device link implementation")
+Reported-by: Michael Walle <michael@walle.cc>
+Tested-by: Michael Walle <michael@walle.cc>
+Signed-off-by: Saravana Kannan <saravanak@google.com>
+Reviewed-by: Rafael J. Wysocki <rrafael.j.wysocki@intel.com>
+Link: https://lore.kernel.org/r/20200526220928.49939-1-saravanak@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/core.c | 34 ++++++++++++++++++++++++++--------
+ 1 file changed, 26 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/base/core.c b/drivers/base/core.c
+index 68277687c160..3c4ecb824247 100644
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -643,9 +643,17 @@ static void device_links_missing_supplier(struct device *dev)
+ {
+ struct device_link *link;
+
+- list_for_each_entry(link, &dev->links.suppliers, c_node)
+- if (link->status == DL_STATE_CONSUMER_PROBE)
++ list_for_each_entry(link, &dev->links.suppliers, c_node) {
++ if (link->status != DL_STATE_CONSUMER_PROBE)
++ continue;
++
++ if (link->supplier->links.status == DL_DEV_DRIVER_BOUND) {
+ WRITE_ONCE(link->status, DL_STATE_AVAILABLE);
++ } else {
++ WARN_ON(!(link->flags & DL_FLAG_SYNC_STATE_ONLY));
++ WRITE_ONCE(link->status, DL_STATE_DORMANT);
++ }
++ }
+ }
+
+ /**
+@@ -684,11 +692,11 @@ int device_links_check_suppliers(struct device *dev)
+ device_links_write_lock();
+
+ list_for_each_entry(link, &dev->links.suppliers, c_node) {
+- if (!(link->flags & DL_FLAG_MANAGED) ||
+- link->flags & DL_FLAG_SYNC_STATE_ONLY)
++ if (!(link->flags & DL_FLAG_MANAGED))
+ continue;
+
+- if (link->status != DL_STATE_AVAILABLE) {
++ if (link->status != DL_STATE_AVAILABLE &&
++ !(link->flags & DL_FLAG_SYNC_STATE_ONLY)) {
+ device_links_missing_supplier(dev);
+ ret = -EPROBE_DEFER;
+ break;
+@@ -949,11 +957,21 @@ static void __device_links_no_driver(struct device *dev)
+ if (!(link->flags & DL_FLAG_MANAGED))
+ continue;
+
+- if (link->flags & DL_FLAG_AUTOREMOVE_CONSUMER)
++ if (link->flags & DL_FLAG_AUTOREMOVE_CONSUMER) {
+ device_link_drop_managed(link);
+- else if (link->status == DL_STATE_CONSUMER_PROBE ||
+- link->status == DL_STATE_ACTIVE)
++ continue;
++ }
++
++ if (link->status != DL_STATE_CONSUMER_PROBE &&
++ link->status != DL_STATE_ACTIVE)
++ continue;
++
++ if (link->supplier->links.status == DL_DEV_DRIVER_BOUND) {
+ WRITE_ONCE(link->status, DL_STATE_AVAILABLE);
++ } else {
++ WARN_ON(!(link->flags & DL_FLAG_SYNC_STATE_ONLY));
++ WRITE_ONCE(link->status, DL_STATE_DORMANT);
++ }
+ }
+
+ dev->links.status = DL_DEV_NO_DRIVER;
+--
+2.25.1
+
--- /dev/null
+From 76dd67d90c0ee9e69b10a2f35a92fcb50ab653e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 May 2020 10:24:41 +0300
+Subject: fanotify: fix ignore mask logic for events on child and on dir
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+[ Upstream commit 2f02fd3fa13e51713b630164f8a8e5b42de8283b ]
+
+The comments in fanotify_group_event_mask() say:
+
+ "If the event is on dir/child and this mark doesn't care about
+ events on dir/child, don't send it!"
+
+Specifically, mount and filesystem marks do not care about events
+on child, but they can still specify an ignore mask for those events.
+For example, a group that has:
+- A mount mark with mask 0 and ignore_mask FAN_OPEN
+- An inode mark on a directory with mask FAN_OPEN | FAN_OPEN_EXEC
+ with flag FAN_EVENT_ON_CHILD
+
+A child file open for exec would be reported to group with the FAN_OPEN
+event despite the fact that FAN_OPEN is in ignore mask of mount mark,
+because the mark iteration loop skips over non-inode marks for events
+on child when calculating the ignore mask.
+
+Move ignore mask calculation to the top of the iteration loop block
+before excluding marks for events on dir/child.
+
+Link: https://lore.kernel.org/r/20200524072441.18258-1-amir73il@gmail.com
+Reported-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/linux-fsdevel/20200521162443.GA26052@quack2.suse.cz/
+Fixes: 55bf882c7f13 "fanotify: fix merging marks masks with FAN_ONDIR"
+Fixes: b469e7e47c8a "fanotify: fix handling of events on child..."
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/notify/fanotify/fanotify.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
+index deb13f0a0f7d..d24548ed31b9 100644
+--- a/fs/notify/fanotify/fanotify.c
++++ b/fs/notify/fanotify/fanotify.c
+@@ -171,6 +171,10 @@ static u32 fanotify_group_event_mask(struct fsnotify_group *group,
+ if (!fsnotify_iter_should_report_type(iter_info, type))
+ continue;
+ mark = iter_info->marks[type];
++
++ /* Apply ignore mask regardless of ISDIR and ON_CHILD flags */
++ marks_ignored_mask |= mark->ignored_mask;
++
+ /*
+ * If the event is on dir and this mark doesn't care about
+ * events on dir, don't send it!
+@@ -188,7 +192,6 @@ static u32 fanotify_group_event_mask(struct fsnotify_group *group,
+ continue;
+
+ marks_mask |= mark->mask;
+- marks_ignored_mask |= mark->ignored_mask;
+ }
+
+ test_mask = event_mask & marks_mask & ~marks_ignored_mask;
+--
+2.25.1
+
--- /dev/null
+From 985789e2caed2b3b7facc9f8c7dfde8a6ab7666f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 May 2020 18:18:40 +0300
+Subject: kobject: Make sure the parent does not get released before its
+ children
+
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+
+[ Upstream commit 4ef12f7198023c09ad6d25b652bd8748c965c7fa ]
+
+In the function kobject_cleanup(), kobject_del(kobj) is
+called before the kobj->release(). That makes it possible to
+release the parent of the kobject before the kobject itself.
+
+To fix that, adding function __kboject_del() that does
+everything that kobject_del() does except release the parent
+reference. kobject_cleanup() then calls __kobject_del()
+instead of kobject_del(), and separately decrements the
+reference count of the parent kobject after kobj->release()
+has been called.
+
+Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Reported-by: kernel test robot <rong.a.chen@intel.com>
+Fixes: 7589238a8cf3 ("Revert "software node: Simplify software_node_release() function"")
+Suggested-by: "Rafael J. Wysocki" <rafael@kernel.org>
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Brendan Higgins <brendanhiggins@google.com>
+Tested-by: Brendan Higgins <brendanhiggins@google.com>
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Link: https://lore.kernel.org/r/20200513151840.36400-1-heikki.krogerus@linux.intel.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/kobject.c | 30 ++++++++++++++++++++----------
+ 1 file changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/lib/kobject.c b/lib/kobject.c
+index 83198cb37d8d..2bd631460e18 100644
+--- a/lib/kobject.c
++++ b/lib/kobject.c
+@@ -599,14 +599,7 @@ int kobject_move(struct kobject *kobj, struct kobject *new_parent)
+ }
+ EXPORT_SYMBOL_GPL(kobject_move);
+
+-/**
+- * kobject_del() - Unlink kobject from hierarchy.
+- * @kobj: object.
+- *
+- * This is the function that should be called to delete an object
+- * successfully added via kobject_add().
+- */
+-void kobject_del(struct kobject *kobj)
++static void __kobject_del(struct kobject *kobj)
+ {
+ struct kernfs_node *sd;
+ const struct kobj_type *ktype;
+@@ -625,9 +618,23 @@ void kobject_del(struct kobject *kobj)
+
+ kobj->state_in_sysfs = 0;
+ kobj_kset_leave(kobj);
+- kobject_put(kobj->parent);
+ kobj->parent = NULL;
+ }
++
++/**
++ * kobject_del() - Unlink kobject from hierarchy.
++ * @kobj: object.
++ *
++ * This is the function that should be called to delete an object
++ * successfully added via kobject_add().
++ */
++void kobject_del(struct kobject *kobj)
++{
++ struct kobject *parent = kobj->parent;
++
++ __kobject_del(kobj);
++ kobject_put(parent);
++}
+ EXPORT_SYMBOL(kobject_del);
+
+ /**
+@@ -663,6 +670,7 @@ EXPORT_SYMBOL(kobject_get_unless_zero);
+ */
+ static void kobject_cleanup(struct kobject *kobj)
+ {
++ struct kobject *parent = kobj->parent;
+ struct kobj_type *t = get_ktype(kobj);
+ const char *name = kobj->name;
+
+@@ -684,7 +692,7 @@ static void kobject_cleanup(struct kobject *kobj)
+ if (kobj->state_in_sysfs) {
+ pr_debug("kobject: '%s' (%p): auto cleanup kobject_del\n",
+ kobject_name(kobj), kobj);
+- kobject_del(kobj);
++ __kobject_del(kobj);
+ }
+
+ if (t && t->release) {
+@@ -698,6 +706,8 @@ static void kobject_cleanup(struct kobject *kobj)
+ pr_debug("kobject: '%s': free name\n", name);
+ kfree_const(name);
+ }
++
++ kobject_put(parent);
+ }
+
+ #ifdef CONFIG_DEBUG_KOBJECT_RELEASE
+--
+2.25.1
+
--- /dev/null
+From 936beb78f893b1325250c0eb28209d619fd17c54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 May 2020 05:34:41 -0400
+Subject: KVM: x86: only do L1TF workaround on affected processors
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+[ Upstream commit d43e2675e96fc6ae1a633b6a69d296394448cc32 ]
+
+KVM stores the gfn in MMIO SPTEs as a caching optimization. These are split
+in two parts, as in "[high 11111 low]", to thwart any attempt to use these bits
+in an L1TF attack. This works as long as there are 5 free bits between
+MAXPHYADDR and bit 50 (inclusive), leaving bit 51 free so that the MMIO
+access triggers a reserved-bit-set page fault.
+
+The bit positions however were computed wrongly for AMD processors that have
+encryption support. In this case, x86_phys_bits is reduced (for example
+from 48 to 43, to account for the C bit at position 47 and four bits used
+internally to store the SEV ASID and other stuff) while x86_cache_bits in
+would remain set to 48, and _all_ bits between the reduced MAXPHYADDR
+and bit 51 are set. Then low_phys_bits would also cover some of the
+bits that are set in the shadow_mmio_value, terribly confusing the gfn
+caching mechanism.
+
+To fix this, avoid splitting gfns as long as the processor does not have
+the L1TF bug (which includes all AMD processors). When there is no
+splitting, low_phys_bits can be set to the reduced MAXPHYADDR removing
+the overlap. This fixes "npt=0" operation on EPYC processors.
+
+Thanks to Maxim Levitsky for bisecting this bug.
+
+Cc: stable@vger.kernel.org
+Fixes: 52918ed5fcf0 ("KVM: SVM: Override default MMIO mask if memory encryption is enabled")
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/mmu/mmu.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
+index 87e9ba27ada1..b0138530d085 100644
+--- a/arch/x86/kvm/mmu/mmu.c
++++ b/arch/x86/kvm/mmu/mmu.c
+@@ -343,6 +343,8 @@ void kvm_mmu_set_mmio_spte_mask(u64 mmio_mask, u64 mmio_value, u64 access_mask)
+ {
+ BUG_ON((u64)(unsigned)access_mask != access_mask);
+ BUG_ON((mmio_mask & mmio_value) != mmio_value);
++ WARN_ON(mmio_value & (shadow_nonpresent_or_rsvd_mask << shadow_nonpresent_or_rsvd_mask_len));
++ WARN_ON(mmio_value & shadow_nonpresent_or_rsvd_lower_gfn_mask);
+ shadow_mmio_value = mmio_value | SPTE_MMIO_MASK;
+ shadow_mmio_mask = mmio_mask | SPTE_SPECIAL_MASK;
+ shadow_mmio_access_mask = access_mask;
+@@ -591,16 +593,15 @@ static void kvm_mmu_reset_all_pte_masks(void)
+ * the most significant bits of legal physical address space.
+ */
+ shadow_nonpresent_or_rsvd_mask = 0;
+- low_phys_bits = boot_cpu_data.x86_cache_bits;
+- if (boot_cpu_data.x86_cache_bits <
+- 52 - shadow_nonpresent_or_rsvd_mask_len) {
++ low_phys_bits = boot_cpu_data.x86_phys_bits;
++ if (boot_cpu_has_bug(X86_BUG_L1TF) &&
++ !WARN_ON_ONCE(boot_cpu_data.x86_cache_bits >=
++ 52 - shadow_nonpresent_or_rsvd_mask_len)) {
++ low_phys_bits = boot_cpu_data.x86_cache_bits
++ - shadow_nonpresent_or_rsvd_mask_len;
+ shadow_nonpresent_or_rsvd_mask =
+- rsvd_bits(boot_cpu_data.x86_cache_bits -
+- shadow_nonpresent_or_rsvd_mask_len,
+- boot_cpu_data.x86_cache_bits - 1);
+- low_phys_bits -= shadow_nonpresent_or_rsvd_mask_len;
+- } else
+- WARN_ON_ONCE(boot_cpu_has_bug(X86_BUG_L1TF));
++ rsvd_bits(low_phys_bits, boot_cpu_data.x86_cache_bits - 1);
++ }
+
+ shadow_nonpresent_or_rsvd_lower_gfn_mask =
+ GENMASK_ULL(low_phys_bits - 1, PAGE_SHIFT);
+--
+2.25.1
+
--- /dev/null
+From 0fa13eafbee0c33a16e4894ae6278527a5f0fa92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2020 16:48:21 -0700
+Subject: mm: add kvfree_sensitive() for freeing sensitive data objects
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit d4eaa2837851db2bfed572898bfc17f9a9f9151e ]
+
+For kvmalloc'ed data object that contains sensitive information like
+cryptographic keys, we need to make sure that the buffer is always cleared
+before freeing it. Using memset() alone for buffer clearing may not
+provide certainty as the compiler may compile it away. To be sure, the
+special memzero_explicit() has to be used.
+
+This patch introduces a new kvfree_sensitive() for freeing those sensitive
+data objects allocated by kvmalloc(). The relevant places where
+kvfree_sensitive() can be used are modified to use it.
+
+Fixes: 4f0882491a14 ("KEYS: Avoid false positive ENOMEM error on key read")
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Acked-by: David Howells <dhowells@redhat.com>
+Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Cc: James Morris <jmorris@namei.org>
+Cc: "Serge E. Hallyn" <serge@hallyn.com>
+Cc: Joe Perches <joe@perches.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Uladzislau Rezki <urezki@gmail.com>
+Link: http://lkml.kernel.org/r/20200407200318.11711-1-longman@redhat.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/mm.h | 1 +
+ mm/util.c | 18 ++++++++++++++++++
+ security/keys/internal.h | 11 -----------
+ security/keys/keyctl.c | 16 +++++-----------
+ 4 files changed, 24 insertions(+), 22 deletions(-)
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index 96deeecd9179..9b9f48489576 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -669,6 +669,7 @@ static inline void *kvcalloc(size_t n, size_t size, gfp_t flags)
+ }
+
+ extern void kvfree(const void *addr);
++extern void kvfree_sensitive(const void *addr, size_t len);
+
+ /*
+ * Mapcount of compound page as a whole, does not include mapped sub-pages.
+diff --git a/mm/util.c b/mm/util.c
+index 988d11e6c17c..dc1c877d5481 100644
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -604,6 +604,24 @@ void kvfree(const void *addr)
+ }
+ EXPORT_SYMBOL(kvfree);
+
++/**
++ * kvfree_sensitive - Free a data object containing sensitive information.
++ * @addr: address of the data object to be freed.
++ * @len: length of the data object.
++ *
++ * Use the special memzero_explicit() function to clear the content of a
++ * kvmalloc'ed object containing sensitive data to make sure that the
++ * compiler won't optimize out the data clearing.
++ */
++void kvfree_sensitive(const void *addr, size_t len)
++{
++ if (likely(!ZERO_OR_NULL_PTR(addr))) {
++ memzero_explicit((void *)addr, len);
++ kvfree(addr);
++ }
++}
++EXPORT_SYMBOL(kvfree_sensitive);
++
+ static inline void *__page_rmapping(struct page *page)
+ {
+ unsigned long mapping;
+diff --git a/security/keys/internal.h b/security/keys/internal.h
+index 6d0ca48ae9a5..153d35c20d3d 100644
+--- a/security/keys/internal.h
++++ b/security/keys/internal.h
+@@ -350,15 +350,4 @@ static inline void key_check(const struct key *key)
+ #define key_check(key) do {} while(0)
+
+ #endif
+-
+-/*
+- * Helper function to clear and free a kvmalloc'ed memory object.
+- */
+-static inline void __kvzfree(const void *addr, size_t len)
+-{
+- if (addr) {
+- memset((void *)addr, 0, len);
+- kvfree(addr);
+- }
+-}
+ #endif /* _INTERNAL_H */
+diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
+index 5e01192e222a..edde63a63007 100644
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -142,10 +142,7 @@ SYSCALL_DEFINE5(add_key, const char __user *, _type,
+
+ key_ref_put(keyring_ref);
+ error3:
+- if (payload) {
+- memzero_explicit(payload, plen);
+- kvfree(payload);
+- }
++ kvfree_sensitive(payload, plen);
+ error2:
+ kfree(description);
+ error:
+@@ -360,7 +357,7 @@ long keyctl_update_key(key_serial_t id,
+
+ key_ref_put(key_ref);
+ error2:
+- __kvzfree(payload, plen);
++ kvfree_sensitive(payload, plen);
+ error:
+ return ret;
+ }
+@@ -914,7 +911,7 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
+ */
+ if (ret > key_data_len) {
+ if (unlikely(key_data))
+- __kvzfree(key_data, key_data_len);
++ kvfree_sensitive(key_data, key_data_len);
+ key_data_len = ret;
+ continue; /* Allocate buffer */
+ }
+@@ -923,7 +920,7 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen)
+ ret = -EFAULT;
+ break;
+ }
+- __kvzfree(key_data, key_data_len);
++ kvfree_sensitive(key_data, key_data_len);
+
+ key_put_out:
+ key_put(key);
+@@ -1225,10 +1222,7 @@ long keyctl_instantiate_key_common(key_serial_t id,
+ keyctl_change_reqkey_auth(NULL);
+
+ error2:
+- if (payload) {
+- memzero_explicit(payload, plen);
+- kvfree(payload);
+- }
++ kvfree_sensitive(payload, plen);
+ error:
+ return ret;
+ }
+--
+2.25.1
+
--- /dev/null
+From 72625a30f9bb129979f5f22e80bfd4c62bf8eae9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Apr 2020 12:34:55 -0400
+Subject: padata: add separate cpuhp node for CPUHP_PADATA_DEAD
+
+From: Daniel Jordan <daniel.m.jordan@oracle.com>
+
+[ Upstream commit 3c2214b6027ff37945799de717c417212e1a8c54 ]
+
+Removing the pcrypt module triggers this:
+
+ general protection fault, probably for non-canonical
+ address 0xdead000000000122
+ CPU: 5 PID: 264 Comm: modprobe Not tainted 5.6.0+ #2
+ Hardware name: QEMU Standard PC
+ RIP: 0010:__cpuhp_state_remove_instance+0xcc/0x120
+ Call Trace:
+ padata_sysfs_release+0x74/0xce
+ kobject_put+0x81/0xd0
+ padata_free+0x12/0x20
+ pcrypt_exit+0x43/0x8ee [pcrypt]
+
+padata instances wrongly use the same hlist node for the online and dead
+states, so __padata_free()'s second cpuhp remove call chokes on the node
+that the first poisoned.
+
+cpuhp multi-instance callbacks only walk forward in cpuhp_step->list and
+the same node is linked in both the online and dead lists, so the list
+corruption that results from padata_alloc() adding the node to a second
+list without removing it from the first doesn't cause problems as long
+as no instances are freed.
+
+Avoid the issue by giving each state its own node.
+
+Fixes: 894c9ef9780c ("padata: validate cpumask without removed CPU during offline")
+Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: linux-crypto@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org # v5.4+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/padata.h | 6 ++++--
+ kernel/padata.c | 14 ++++++++------
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/include/linux/padata.h b/include/linux/padata.h
+index a0d8b41850b2..693cae9bfe66 100644
+--- a/include/linux/padata.h
++++ b/include/linux/padata.h
+@@ -139,7 +139,8 @@ struct padata_shell {
+ /**
+ * struct padata_instance - The overall control structure.
+ *
+- * @node: Used by CPU hotplug.
++ * @cpu_online_node: Linkage for CPU online callback.
++ * @cpu_dead_node: Linkage for CPU offline callback.
+ * @parallel_wq: The workqueue used for parallel work.
+ * @serial_wq: The workqueue used for serial work.
+ * @pslist: List of padata_shell objects attached to this instance.
+@@ -150,7 +151,8 @@ struct padata_shell {
+ * @flags: padata flags.
+ */
+ struct padata_instance {
+- struct hlist_node node;
++ struct hlist_node cpu_online_node;
++ struct hlist_node cpu_dead_node;
+ struct workqueue_struct *parallel_wq;
+ struct workqueue_struct *serial_wq;
+ struct list_head pslist;
+diff --git a/kernel/padata.c b/kernel/padata.c
+index 62082597d4a2..fee14ae90d96 100644
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -703,7 +703,7 @@ static int padata_cpu_online(unsigned int cpu, struct hlist_node *node)
+ struct padata_instance *pinst;
+ int ret;
+
+- pinst = hlist_entry_safe(node, struct padata_instance, node);
++ pinst = hlist_entry_safe(node, struct padata_instance, cpu_online_node);
+ if (!pinst_has_cpu(pinst, cpu))
+ return 0;
+
+@@ -718,7 +718,7 @@ static int padata_cpu_dead(unsigned int cpu, struct hlist_node *node)
+ struct padata_instance *pinst;
+ int ret;
+
+- pinst = hlist_entry_safe(node, struct padata_instance, node);
++ pinst = hlist_entry_safe(node, struct padata_instance, cpu_dead_node);
+ if (!pinst_has_cpu(pinst, cpu))
+ return 0;
+
+@@ -734,8 +734,9 @@ static enum cpuhp_state hp_online;
+ static void __padata_free(struct padata_instance *pinst)
+ {
+ #ifdef CONFIG_HOTPLUG_CPU
+- cpuhp_state_remove_instance_nocalls(CPUHP_PADATA_DEAD, &pinst->node);
+- cpuhp_state_remove_instance_nocalls(hp_online, &pinst->node);
++ cpuhp_state_remove_instance_nocalls(CPUHP_PADATA_DEAD,
++ &pinst->cpu_dead_node);
++ cpuhp_state_remove_instance_nocalls(hp_online, &pinst->cpu_online_node);
+ #endif
+
+ WARN_ON(!list_empty(&pinst->pslist));
+@@ -939,9 +940,10 @@ static struct padata_instance *padata_alloc(const char *name,
+ mutex_init(&pinst->lock);
+
+ #ifdef CONFIG_HOTPLUG_CPU
+- cpuhp_state_add_instance_nocalls_cpuslocked(hp_online, &pinst->node);
++ cpuhp_state_add_instance_nocalls_cpuslocked(hp_online,
++ &pinst->cpu_online_node);
+ cpuhp_state_add_instance_nocalls_cpuslocked(CPUHP_PADATA_DEAD,
+- &pinst->node);
++ &pinst->cpu_dead_node);
+ #endif
+
+ put_online_cpus();
+--
+2.25.1
+
--- /dev/null
+From f3607d81f3f903f3aaf9a15dd891c378745f44dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 May 2020 14:31:16 -0500
+Subject: PCI/PM: Adjust pcie_wait_for_link_delay() for caller delay
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+[ Upstream commit f044baaff1eb7ae5aa7a36f1b7ad5bd8eeb672c4 ]
+
+The caller of pcie_wait_for_link_delay() specifies the time to wait after
+the link becomes active. When the downstream port doesn't support link
+active reporting, obviously we can't tell when the link becomes active, so
+we waited the worst-case time (1000 ms) plus 100 ms, ignoring the delay
+from the caller.
+
+Instead, wait for 1000 ms + the delay from the caller.
+
+Fixes: 4827d63891b6 ("PCI/PM: Add pcie_wait_for_link_delay()")
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index d828ca835a98..fe9fbb74ce72 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -4616,10 +4616,10 @@ static bool pcie_wait_for_link_delay(struct pci_dev *pdev, bool active,
+
+ /*
+ * Some controllers might not implement link active reporting. In this
+- * case, we wait for 1000 + 100 ms.
++ * case, we wait for 1000 ms + any delay requested by the caller.
+ */
+ if (!pdev->link_active_reporting) {
+- msleep(1100);
++ msleep(timeout + delay);
+ return true;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 0828cbf64bc77dce1391aa3c5eb5c7f2c3f841d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 May 2020 23:29:12 +0900
+Subject: perf probe: Accept the instance number of kretprobe event
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+[ Upstream commit c6aab66a728b6518772c74bd9dff66e1a1c652fd ]
+
+Since the commit 6a13a0d7b4d1 ("ftrace/kprobe: Show the maxactive number
+on kprobe_events") introduced to show the instance number of kretprobe
+events, the length of the 1st format of the kprobe event will not 1, but
+it can be longer. This caused a parser error in perf-probe.
+
+Skip the length check the 1st format of the kprobe event to accept this
+instance number.
+
+Without this fix:
+
+ # perf probe -a vfs_read%return
+ Added new event:
+ probe:vfs_read__return (on vfs_read%return)
+
+ You can now use it in all perf tools, such as:
+
+ perf record -e probe:vfs_read__return -aR sleep 1
+
+ # perf probe -l
+ Semantic error :Failed to parse event name: r16:probe/vfs_read__return
+ Error: Failed to show event list.
+
+And with this fixes:
+
+ # perf probe -a vfs_read%return
+ ...
+ # perf probe -l
+ probe:vfs_read__return (on vfs_read%return)
+
+Fixes: 6a13a0d7b4d1 ("ftrace/kprobe: Show the maxactive number on kprobe_events")
+Reported-by: Yuxuan Shui <yshuiv7@gmail.com>
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Yuxuan Shui <yshuiv7@gmail.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: stable@vger.kernel.org
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=207587
+Link: http://lore.kernel.org/lkml/158877535215.26469.1113127926699134067.stgit@devnote2
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/probe-event.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/probe-event.c b/tools/perf/util/probe-event.c
+index eea132f512b0..c6bcf5709564 100644
+--- a/tools/perf/util/probe-event.c
++++ b/tools/perf/util/probe-event.c
+@@ -1765,8 +1765,7 @@ int parse_probe_trace_command(const char *cmd, struct probe_trace_event *tev)
+ fmt1_str = strtok_r(argv0_str, ":", &fmt);
+ fmt2_str = strtok_r(NULL, "/", &fmt);
+ fmt3_str = strtok_r(NULL, " \t", &fmt);
+- if (fmt1_str == NULL || strlen(fmt1_str) != 1 || fmt2_str == NULL
+- || fmt3_str == NULL) {
++ if (fmt1_str == NULL || fmt2_str == NULL || fmt3_str == NULL) {
+ semantic_error("Failed to parse event name: %s\n", argv[0]);
+ ret = -EINVAL;
+ goto out;
+--
+2.25.1
+
--- /dev/null
+From 4da0f9d9078951990a3c40ac708f3e0c565d8b09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Apr 2020 09:51:20 +0200
+Subject: powerpc/xive: Clear the page tables for the ESB IO mapping
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cédric Le Goater <clg@kaod.org>
+
+[ Upstream commit a101950fcb78b0ba20cd487be6627dea58d55c2b ]
+
+Commit 1ca3dec2b2df ("powerpc/xive: Prevent page fault issues in the
+machine crash handler") fixed an issue in the FW assisted dump of
+machines using hash MMU and the XIVE interrupt mode under the POWER
+hypervisor. It forced the mapping of the ESB page of interrupts being
+mapped in the Linux IRQ number space to make sure the 'crash kexec'
+sequence worked during such an event. But it didn't handle the
+un-mapping.
+
+This mapping is now blocking the removal of a passthrough IO adapter
+under the POWER hypervisor because it expects the guest OS to have
+cleared all page table entries related to the adapter. If some are
+still present, the RTAS call which isolates the PCI slot returns error
+9001 "valid outstanding translations".
+
+Remove these mapping in the IRQ data cleanup routine.
+
+Under KVM, this cleanup is not required because the ESB pages for the
+adapter interrupts are un-mapped from the guest by the hypervisor in
+the KVM XIVE native device. This is now redundant but it's harmless.
+
+Fixes: 1ca3dec2b2df ("powerpc/xive: Prevent page fault issues in the machine crash handler")
+Cc: stable@vger.kernel.org # v5.5+
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200429075122.1216388-2-clg@kaod.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/sysdev/xive/common.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/powerpc/sysdev/xive/common.c b/arch/powerpc/sysdev/xive/common.c
+index fe8d396e2301..16df9cc8f360 100644
+--- a/arch/powerpc/sysdev/xive/common.c
++++ b/arch/powerpc/sysdev/xive/common.c
+@@ -19,6 +19,7 @@
+ #include <linux/slab.h>
+ #include <linux/spinlock.h>
+ #include <linux/msi.h>
++#include <linux/vmalloc.h>
+
+ #include <asm/prom.h>
+ #include <asm/io.h>
+@@ -1013,12 +1014,16 @@ EXPORT_SYMBOL_GPL(is_xive_irq);
+ void xive_cleanup_irq_data(struct xive_irq_data *xd)
+ {
+ if (xd->eoi_mmio) {
++ unmap_kernel_range((unsigned long)xd->eoi_mmio,
++ 1u << xd->esb_shift);
+ iounmap(xd->eoi_mmio);
+ if (xd->eoi_mmio == xd->trig_mmio)
+ xd->trig_mmio = NULL;
+ xd->eoi_mmio = NULL;
+ }
+ if (xd->trig_mmio) {
++ unmap_kernel_range((unsigned long)xd->trig_mmio,
++ 1u << xd->esb_shift);
+ iounmap(xd->trig_mmio);
+ xd->trig_mmio = NULL;
+ }
+--
+2.25.1
+
--- /dev/null
+From c583c92d5761321c7dffa1517f7762d0bb0adfda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Apr 2020 21:44:26 -0300
+Subject: RDMA/uverbs: Make the event_queue fds return POLLERR when
+ disassociated
+
+From: Jason Gunthorpe <jgg@mellanox.com>
+
+[ Upstream commit eb356e6dc15a30af604f052cd0e170450193c254 ]
+
+If is_closed is set, and the event list is empty, then read() will return
+-EIO without blocking. After setting is_closed in
+ib_uverbs_free_event_queue(), we do trigger a wake_up on the poll_wait,
+but the fops->poll() function does not check it, so poll will continue to
+sleep on an empty list.
+
+Fixes: 14e23bd6d221 ("RDMA/core: Fix locking in ib_uverbs_event_read")
+Link: https://lore.kernel.org/r/0-v1-ace813388969+48859-uverbs_poll_fix%25jgg@mellanox.com
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/uverbs_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
+index 1bab8de14757..b94572e9c24f 100644
+--- a/drivers/infiniband/core/uverbs_main.c
++++ b/drivers/infiniband/core/uverbs_main.c
+@@ -296,6 +296,8 @@ static __poll_t ib_uverbs_event_poll(struct ib_uverbs_event_queue *ev_queue,
+ spin_lock_irq(&ev_queue->lock);
+ if (!list_empty(&ev_queue->event_list))
+ pollflags = EPOLLIN | EPOLLRDNORM;
++ else if (ev_queue->is_closed)
++ pollflags = EPOLLERR;
+ spin_unlock_irq(&ev_queue->lock);
+
+ return pollflags;
+--
+2.25.1
+
--- /dev/null
+From 1a92d7e00b754fb26897079ae7e3785d037c82f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 May 2020 20:39:22 +0200
+Subject: s390/pci: Log new handle in clp_disable_fh()
+
+From: Petr Tesarik <ptesarik@suse.com>
+
+[ Upstream commit e1750a3d9abbea2ece29cac8dc5a6f5bc19c1492 ]
+
+After disabling a function, the original handle is logged instead of
+the disabled handle.
+
+Link: https://lkml.kernel.org/r/20200522183922.5253-1-ptesarik@suse.com
+Fixes: 17cdec960cf7 ("s390/pci: Recover handle in clp_set_pci_fn()")
+Reviewed-by: Pierre Morel <pmorel@linux.ibm.com>
+Signed-off-by: Petr Tesarik <ptesarik@suse.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/pci/pci_clp.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/s390/pci/pci_clp.c b/arch/s390/pci/pci_clp.c
+index 0d3d8f170ea4..25208fa95426 100644
+--- a/arch/s390/pci/pci_clp.c
++++ b/arch/s390/pci/pci_clp.c
+@@ -309,14 +309,13 @@ int clp_enable_fh(struct zpci_dev *zdev, u8 nr_dma_as)
+
+ int clp_disable_fh(struct zpci_dev *zdev)
+ {
+- u32 fh = zdev->fh;
+ int rc;
+
+ if (!zdev_enabled(zdev))
+ return 0;
+
+ rc = clp_set_pci_fn(zdev, 0, CLP_SET_DISABLE_PCI_FN);
+- zpci_dbg(3, "dis fid:%x, fh:%x, rc:%d\n", zdev->fid, fh, rc);
++ zpci_dbg(3, "dis fid:%x, fh:%x, rc:%d\n", zdev->fid, zdev->fh, rc);
+ return rc;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 20e7ce34eb2ba754c405a00682852e42074f98c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 May 2020 09:35:52 +0300
+Subject: selftests: fix flower parent qdisc
+
+From: Vlad Buslov <vladbu@mellanox.com>
+
+[ Upstream commit 0531b0357ba37464e5c0033e1b7c69bbf5ecd8fb ]
+
+Flower tests used to create ingress filter with specified parent qdisc
+"parent ffff:" but dump them on "ingress". With recent commit that fixed
+tcm_parent handling in dump those are not considered same parent anymore,
+which causes iproute2 tc to emit additional "parent ffff:" in first line of
+filter dump output. The change in output causes filter match in tests to
+fail.
+
+Prevent parent qdisc output when dumping filters in flower tests by always
+correctly specifying "ingress" parent both when creating and dumping
+filters.
+
+Fixes: a7df4870d79b ("net_sched: fix tcm_parent in tc filter dump")
+Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/tc-testing/tc-tests/filters/tests.json | 6 +++---
+ tools/testing/selftests/tc-testing/tdc_batch.py | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tools/testing/selftests/tc-testing/tc-tests/filters/tests.json b/tools/testing/selftests/tc-testing/tc-tests/filters/tests.json
+index 8877f7b2b809..12aa4bc1f6a0 100644
+--- a/tools/testing/selftests/tc-testing/tc-tests/filters/tests.json
++++ b/tools/testing/selftests/tc-testing/tc-tests/filters/tests.json
+@@ -32,7 +32,7 @@
+ "setup": [
+ "$TC qdisc add dev $DEV2 ingress"
+ ],
+- "cmdUnderTest": "$TC filter add dev $DEV2 protocol ip pref 1 parent ffff: handle 0xffffffff flower action ok",
++ "cmdUnderTest": "$TC filter add dev $DEV2 protocol ip pref 1 ingress handle 0xffffffff flower action ok",
+ "expExitCode": "0",
+ "verifyCmd": "$TC filter show dev $DEV2 ingress",
+ "matchPattern": "filter protocol ip pref 1 flower.*handle 0xffffffff",
+@@ -77,9 +77,9 @@
+ },
+ "setup": [
+ "$TC qdisc add dev $DEV2 ingress",
+- "$TC filter add dev $DEV2 protocol ip prio 1 parent ffff: flower dst_mac e4:11:22:11:4a:51 src_mac e4:11:22:11:4a:50 ip_proto tcp src_ip 1.1.1.1 dst_ip 2.2.2.2 action drop"
++ "$TC filter add dev $DEV2 protocol ip prio 1 ingress flower dst_mac e4:11:22:11:4a:51 src_mac e4:11:22:11:4a:50 ip_proto tcp src_ip 1.1.1.1 dst_ip 2.2.2.2 action drop"
+ ],
+- "cmdUnderTest": "$TC filter add dev $DEV2 protocol ip prio 1 parent ffff: flower dst_mac e4:11:22:11:4a:51 src_mac e4:11:22:11:4a:50 ip_proto tcp src_ip 1.1.1.1 dst_ip 2.2.2.2 action drop",
++ "cmdUnderTest": "$TC filter add dev $DEV2 protocol ip prio 1 ingress flower dst_mac e4:11:22:11:4a:51 src_mac e4:11:22:11:4a:50 ip_proto tcp src_ip 1.1.1.1 dst_ip 2.2.2.2 action drop",
+ "expExitCode": "2",
+ "verifyCmd": "$TC -s filter show dev $DEV2 ingress",
+ "matchPattern": "filter protocol ip pref 1 flower chain 0 handle",
+diff --git a/tools/testing/selftests/tc-testing/tdc_batch.py b/tools/testing/selftests/tc-testing/tdc_batch.py
+index 6a2bd2cf528e..995f66ce43eb 100755
+--- a/tools/testing/selftests/tc-testing/tdc_batch.py
++++ b/tools/testing/selftests/tc-testing/tdc_batch.py
+@@ -72,21 +72,21 @@ mac_prefix = args.mac_prefix
+
+ def format_add_filter(device, prio, handle, skip, src_mac, dst_mac,
+ share_action):
+- return ("filter add dev {} {} protocol ip parent ffff: handle {} "
++ return ("filter add dev {} {} protocol ip ingress handle {} "
+ " flower {} src_mac {} dst_mac {} action drop {}".format(
+ device, prio, handle, skip, src_mac, dst_mac, share_action))
+
+
+ def format_rep_filter(device, prio, handle, skip, src_mac, dst_mac,
+ share_action):
+- return ("filter replace dev {} {} protocol ip parent ffff: handle {} "
++ return ("filter replace dev {} {} protocol ip ingress handle {} "
+ " flower {} src_mac {} dst_mac {} action drop {}".format(
+ device, prio, handle, skip, src_mac, dst_mac, share_action))
+
+
+ def format_del_filter(device, prio, handle, skip, src_mac, dst_mac,
+ share_action):
+- return ("filter del dev {} {} protocol ip parent ffff: handle {} "
++ return ("filter del dev {} {} protocol ip ingress handle {} "
+ "flower".format(device, prio, handle))
+
+
+--
+2.25.1
+
csky-fixup-abiv2-syscall_trace-break-a4-a5.patch
gfs2-even-more-gfs2_find_jhead-fixes.patch
drivers-net-ibmvnic-update-vnic-protocol-version-rep.patch
+staging-wfx-fix-double-free.patch
+staging-mt7621-pci-properly-power-off-dual-ported-pc.patch
+perf-probe-accept-the-instance-number-of-kretprobe-e.patch
+mm-add-kvfree_sensitive-for-freeing-sensitive-data-o.patch
+selftests-fix-flower-parent-qdisc.patch
+fanotify-fix-ignore-mask-logic-for-events-on-child-a.patch
+driver-core-update-device-link-status-correctly-for-.patch
+powerpc-xive-clear-the-page-tables-for-the-esb-io-ma.patch
+asoc-sof-imx8-fix-randbuild-error.patch
+asoc-sof-imx-fix-undefined-reference-issue.patch
+spi-dw-fix-native-cs-being-unset.patch
+ath9k_htc-silence-undersized-packet-warnings.patch
+smack-avoid-unused-sip-variable-warning.patch
+rdma-uverbs-make-the-event_queue-fds-return-pollerr-.patch
+padata-add-separate-cpuhp-node-for-cpuhp_padata_dead.patch
+s390-pci-log-new-handle-in-clp_disable_fh.patch
+x86-cpu-amd-make-erratum-1054-a-legacy-erratum.patch
+kvm-x86-only-do-l1tf-workaround-on-affected-processo.patch
+pci-pm-adjust-pcie_wait_for_link_delay-for-caller-de.patch
+kobject-make-sure-the-parent-does-not-get-released-b.patch
--- /dev/null
+From 177ca905ab7f1026f4921d1168f45046b0ee22c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2020 21:04:31 +0200
+Subject: smack: avoid unused 'sip' variable warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 00720f0e7f288d29681d265c23b22bb0f0f4e5b4 ]
+
+The mix of IS_ENABLED() and #ifdef checks has left a combination
+that causes a warning about an unused variable:
+
+security/smack/smack_lsm.c: In function 'smack_socket_connect':
+security/smack/smack_lsm.c:2838:24: error: unused variable 'sip' [-Werror=unused-variable]
+ 2838 | struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap;
+
+Change the code to use C-style checks consistently so the compiler
+can handle it correctly.
+
+Fixes: 87fbfffcc89b ("broken ping to ipv6 linklocal addresses on debian buster")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smack.h | 6 ------
+ security/smack/smack_lsm.c | 25 ++++++++-----------------
+ 2 files changed, 8 insertions(+), 23 deletions(-)
+
+diff --git a/security/smack/smack.h b/security/smack/smack.h
+index 62529f382942..335d2411abe4 100644
+--- a/security/smack/smack.h
++++ b/security/smack/smack.h
+@@ -148,7 +148,6 @@ struct smk_net4addr {
+ struct smack_known *smk_label; /* label */
+ };
+
+-#if IS_ENABLED(CONFIG_IPV6)
+ /*
+ * An entry in the table identifying IPv6 hosts.
+ */
+@@ -159,9 +158,7 @@ struct smk_net6addr {
+ int smk_masks; /* mask size */
+ struct smack_known *smk_label; /* label */
+ };
+-#endif /* CONFIG_IPV6 */
+
+-#ifdef SMACK_IPV6_PORT_LABELING
+ /*
+ * An entry in the table identifying ports.
+ */
+@@ -174,7 +171,6 @@ struct smk_port_label {
+ short smk_sock_type; /* Socket type */
+ short smk_can_reuse;
+ };
+-#endif /* SMACK_IPV6_PORT_LABELING */
+
+ struct smack_known_list_elem {
+ struct list_head list;
+@@ -335,9 +331,7 @@ extern struct smack_known smack_known_web;
+ extern struct mutex smack_known_lock;
+ extern struct list_head smack_known_list;
+ extern struct list_head smk_net4addr_list;
+-#if IS_ENABLED(CONFIG_IPV6)
+ extern struct list_head smk_net6addr_list;
+-#endif /* CONFIG_IPV6 */
+
+ extern struct mutex smack_onlycap_lock;
+ extern struct list_head smack_onlycap_list;
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 8c61d175e195..14bf2f4aea3b 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -50,10 +50,8 @@
+ #define SMK_RECEIVING 1
+ #define SMK_SENDING 2
+
+-#ifdef SMACK_IPV6_PORT_LABELING
+-DEFINE_MUTEX(smack_ipv6_lock);
++static DEFINE_MUTEX(smack_ipv6_lock);
+ static LIST_HEAD(smk_ipv6_port_list);
+-#endif
+ static struct kmem_cache *smack_inode_cache;
+ struct kmem_cache *smack_rule_cache;
+ int smack_enabled;
+@@ -2320,7 +2318,6 @@ static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip)
+ return NULL;
+ }
+
+-#if IS_ENABLED(CONFIG_IPV6)
+ /*
+ * smk_ipv6_localhost - Check for local ipv6 host address
+ * @sip: the address
+@@ -2388,7 +2385,6 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip)
+
+ return NULL;
+ }
+-#endif /* CONFIG_IPV6 */
+
+ /**
+ * smack_netlabel - Set the secattr on a socket
+@@ -2477,7 +2473,6 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
+ return smack_netlabel(sk, sk_lbl);
+ }
+
+-#if IS_ENABLED(CONFIG_IPV6)
+ /**
+ * smk_ipv6_check - check Smack access
+ * @subject: subject Smack label
+@@ -2510,7 +2505,6 @@ static int smk_ipv6_check(struct smack_known *subject,
+ rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc);
+ return rc;
+ }
+-#endif /* CONFIG_IPV6 */
+
+ #ifdef SMACK_IPV6_PORT_LABELING
+ /**
+@@ -2599,6 +2593,7 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address)
+ mutex_unlock(&smack_ipv6_lock);
+ return;
+ }
++#endif
+
+ /**
+ * smk_ipv6_port_check - check Smack port access
+@@ -2661,7 +2656,6 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
+
+ return smk_ipv6_check(skp, object, address, act);
+ }
+-#endif /* SMACK_IPV6_PORT_LABELING */
+
+ /**
+ * smack_inode_setsecurity - set smack xattrs
+@@ -2836,24 +2830,21 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
+ return 0;
+ if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) {
+ struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap;
+-#ifdef SMACK_IPV6_SECMARK_LABELING
+- struct smack_known *rsp;
+-#endif
++ struct smack_known *rsp = NULL;
+
+ if (addrlen < SIN6_LEN_RFC2133)
+ return 0;
+-#ifdef SMACK_IPV6_SECMARK_LABELING
+- rsp = smack_ipv6host_label(sip);
++ if (__is_defined(SMACK_IPV6_SECMARK_LABELING))
++ rsp = smack_ipv6host_label(sip);
+ if (rsp != NULL) {
+ struct socket_smack *ssp = sock->sk->sk_security;
+
+ rc = smk_ipv6_check(ssp->smk_out, rsp, sip,
+ SMK_CONNECTING);
+ }
+-#endif
+-#ifdef SMACK_IPV6_PORT_LABELING
+- rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING);
+-#endif
++ if (__is_defined(SMACK_IPV6_PORT_LABELING))
++ rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING);
++
+ return rc;
+ }
+ if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in))
+--
+2.25.1
+
--- /dev/null
+From e22638324b4d3a02a9012b394957bd0922028a93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Jun 2020 20:17:21 -0400
+Subject: spi: dw: Fix native CS being unset
+
+[ Upstream commit 9aea644ca17b94f82ad7fa767cbc4509642f4420 ]
+
+Commit 6e0a32d6f376 ("spi: dw: Fix default polarity of native
+chipselect") attempted to fix the problem when GPIO active-high
+chip-select is utilized to communicate with some SPI slave. It fixed
+the problem, but broke the normal native CS support. At the same time
+the reversion commit ada9e3fcc175 ("spi: dw: Correct handling of native
+chipselect") didn't solve the problem either, since it just inverted
+the set_cs() polarity perception without taking into account that
+CS-high might be applicable. Here is what is done to finally fix the
+problem.
+
+DW SPI controller demands any native CS being set in order to proceed
+with data transfer. So in order to activate the SPI communications we
+must set any bit in the Slave Select DW SPI controller register no
+matter whether the platform requests the GPIO- or native CS. Preferably
+it should be the bit corresponding to the SPI slave CS number. But
+currently the dw_spi_set_cs() method activates the chip-select
+only if the second argument is false. Since the second argument of the
+set_cs callback is expected to be a boolean with "is-high" semantics
+(actual chip-select pin state value), the bit in the DW SPI Slave
+Select register will be set only if SPI core requests the driver
+to set the CS in the low state. So this will work for active-low
+GPIO-based CS case, and won't work for active-high CS setting
+the bit when SPI core actually needs to deactivate the CS.
+
+This commit fixes the problem for all described cases. So no matter
+whether an SPI slave needs GPIO- or native-based CS with active-high
+or low signal the corresponding bit will be set in SER.
+
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Fixes: ada9e3fcc175 ("spi: dw: Correct handling of native chipselect")
+Fixes: 6e0a32d6f376 ("spi: dw: Fix default polarity of native chipselect")
+Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Linus Walleij <linus.walleij@linaro.org>
+
+Link: https://lore.kernel.org/r/20200515104758.6934-5-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dw.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-dw.c b/drivers/spi/spi-dw.c
+index 31e3f866d11a..6c2d8df50507 100644
+--- a/drivers/spi/spi-dw.c
++++ b/drivers/spi/spi-dw.c
+@@ -128,12 +128,20 @@ void dw_spi_set_cs(struct spi_device *spi, bool enable)
+ {
+ struct dw_spi *dws = spi_controller_get_devdata(spi->controller);
+ struct chip_data *chip = spi_get_ctldata(spi);
++ bool cs_high = !!(spi->mode & SPI_CS_HIGH);
+
+ /* Chip select logic is inverted from spi_set_cs() */
+ if (chip && chip->cs_control)
+ chip->cs_control(!enable);
+
+- if (!enable)
++ /*
++ * DW SPI controller demands any native CS being set in order to
++ * proceed with data transfer. So in order to activate the SPI
++ * communications we must set a corresponding bit in the Slave
++ * Enable register no matter whether the SPI core is configured to
++ * support active-high or active-low CS level.
++ */
++ if (cs_high == enable)
+ dw_writel(dws, DW_SPI_SER, BIT(spi->chip_select));
+ else if (dws->cs_override)
+ dw_writel(dws, DW_SPI_SER, 0);
+--
+2.25.1
+
--- /dev/null
+From c12ccd6aa51c9165d208f281240c03b366a60322 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Apr 2020 13:16:52 +0200
+Subject: staging: mt7621-pci: properly power off dual-ported pcie phy
+
+From: Sergio Paracuellos <sergio.paracuellos@gmail.com>
+
+[ Upstream commit 5fcded5e857cf66c9592e4be28c4dab4520c9177 ]
+
+Pcie phy for pcie0 and pcie1 is shared using a dual ported
+one. Current code was assuming that if nothing is connected
+in pcie0 it won't be also nothing connected in pcie1. This
+assumtion is wrong for some devices such us 'Mikrotik rbm33g'
+and 'ZyXEL LTE3301-PLUS' where only connecting a card to the
+second bus on the phy is possible. For such devices kernel
+hangs in the same point because of the wrong poweroff of the
+phy getting the following trace:
+
+mt7621-pci-phy 1e149000.pcie-phy: PHY for 0xbe149000 (dual port = 1)
+mt7621-pci-phy 1e14a000.pcie-phy: PHY for 0xbe14a000 (dual port = 0)
+mt7621-pci-phy 1e149000.pcie-phy: Xtal is 40MHz
+mt7621-pci-phy 1e14a000.pcie-phy: Xtal is 40MHz
+mt7621-pci 1e140000.pcie: pcie0 no card, disable it (RST & CLK)
+[hangs]
+
+The wrong assumption is located in the 'mt7621_pcie_init_ports'
+function where we are just making a power off of the phy for
+slots 0 and 2 if nothing is connected in them. Hence, only
+poweroff the phy if nothing is connected in both slot 0 and
+slot 1 avoiding the kernel to hang.
+
+Fixes: 5737cfe87a9c ("staging: mt7621-pci: avoid to poweroff the phy for slot one")
+Signed-off-by: Sergio Paracuellos <sergio.paracuellos@gmail.com>
+Link: https://lore.kernel.org/r/20200409111652.30964-1-sergio.paracuellos@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/mt7621-pci/pci-mt7621.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/mt7621-pci/pci-mt7621.c b/drivers/staging/mt7621-pci/pci-mt7621.c
+index a1dafec0890a..6eb7436af462 100644
+--- a/drivers/staging/mt7621-pci/pci-mt7621.c
++++ b/drivers/staging/mt7621-pci/pci-mt7621.c
+@@ -479,17 +479,25 @@ static void mt7621_pcie_init_ports(struct mt7621_pcie *pcie)
+
+ mt7621_perst_gpio_pcie_deassert(pcie);
+
++ tmp = NULL;
+ list_for_each_entry(port, &pcie->ports, list) {
+ u32 slot = port->slot;
+
+ if (!mt7621_pcie_port_is_linkup(port)) {
+ dev_err(dev, "pcie%d no card, disable it (RST & CLK)\n",
+ slot);
+- if (slot != 1)
+- phy_power_off(port->phy);
+ mt7621_control_assert(port);
+ mt7621_pcie_port_clk_disable(port);
+ port->enabled = false;
++
++ if (slot == 0) {
++ tmp = port;
++ continue;
++ }
++
++ if (slot == 1 && tmp && !tmp->enabled)
++ phy_power_off(tmp->phy);
++
+ }
+ }
+
+--
+2.25.1
+
--- /dev/null
+From f8f4b9319671f1f1e547f230630b06f87bb20e9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 14:37:45 +0200
+Subject: staging: wfx: fix double free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jérôme Pouiller <jerome.pouiller@silabs.com>
+
+[ Upstream commit 832cc98141b4b93acbb9231ca9e36f7fbe347f47 ]
+
+In case of error in wfx_probe(), wdev->hw is freed. Since an error
+occurred, wfx_free_common() is called, then wdev->hw is freed again.
+
+Signed-off-by: Jérôme Pouiller <jerome.pouiller@silabs.com>
+Reviewed-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Fixes: 4033714d6cbe ("staging: wfx: fix init/remove vs IRQ race")
+Link: https://lore.kernel.org/r/20200505123757.39506-4-Jerome.Pouiller@silabs.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/wfx/main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/staging/wfx/main.c b/drivers/staging/wfx/main.c
+index 76b2ff7fc7fe..2c757b81efa9 100644
+--- a/drivers/staging/wfx/main.c
++++ b/drivers/staging/wfx/main.c
+@@ -466,7 +466,6 @@ int wfx_probe(struct wfx_dev *wdev)
+
+ err2:
+ ieee80211_unregister_hw(wdev->hw);
+- ieee80211_free_hw(wdev->hw);
+ err1:
+ wfx_bh_unregister(wdev);
+ return err;
+--
+2.25.1
+
--- /dev/null
+From 1f8634ef8b4139e7305d02e37366de489a4d3f3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Apr 2020 09:33:56 -0500
+Subject: x86/cpu/amd: Make erratum #1054 a legacy erratum
+
+From: Kim Phillips <kim.phillips@amd.com>
+
+[ Upstream commit e2abfc0448a46d8a137505aa180caf14070ec535 ]
+
+Commit
+
+ 21b5ee59ef18 ("x86/cpu/amd: Enable the fixed Instructions Retired
+ counter IRPERF")
+
+mistakenly added erratum #1054 as an OS Visible Workaround (OSVW) ID 0.
+Erratum #1054 is not OSVW ID 0 [1], so make it a legacy erratum.
+
+There would never have been a false positive on older hardware that
+has OSVW bit 0 set, since the IRPERF feature was not available.
+
+However, save a couple of RDMSR executions per thread, on modern
+system configurations that correctly set non-zero values in their
+OSVW_ID_Length MSRs.
+
+[1] Revision Guide for AMD Family 17h Models 00h-0Fh Processors. The
+revision guide is available from the bugzilla link below.
+
+Fixes: 21b5ee59ef18 ("x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF")
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Kim Phillips <kim.phillips@amd.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20200417143356.26054-1-kim.phillips@amd.com
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/amd.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index 1f875fbe1384..f04cc01e629e 100644
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -1111,8 +1111,7 @@ static const int amd_erratum_383[] =
+
+ /* #1054: Instructions Retired Performance Counter May Be Inaccurate */
+ static const int amd_erratum_1054[] =
+- AMD_OSVW_ERRATUM(0, AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf));
+-
++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf));
+
+ static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum)
+ {
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
