--- /dev/null
+From d76029032ee1f94a486cce5cdd351b994abb568c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Aug 2020 16:10:37 -0400
+Subject: ALSA: hda/ca0132 - Add AE-7 microphone selection commands.
+
+From: Connor McAdams <conmanx360@gmail.com>
+
+[ Upstream commit ed93f9750c6c2ed371347d0aac3dcd31cb9cf256 ]
+
+Add AE-7 quirk data for setting of microphone. The AE-7 has no front
+panel connector, so only rear-mic/line-in have new commands.
+
+Signed-off-by: Connor McAdams <conmanx360@gmail.com>
+Link: https://lore.kernel.org/r/20200825201040.30339-19-conmanx360@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_ca0132.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
+index 6aa39339db0ab..98a11c38e7a8e 100644
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -4674,6 +4674,15 @@ static int ca0132_alt_select_in(struct hda_codec *codec)
+ ca0113_mmio_command_set(codec, 0x30, 0x28, 0x00);
+ tmp = FLOAT_THREE;
+ break;
++ case QUIRK_AE7:
++ ca0113_mmio_command_set(codec, 0x30, 0x28, 0x00);
++ tmp = FLOAT_THREE;
++ chipio_set_conn_rate(codec, MEM_CONNID_MICIN2,
++ SR_96_000);
++ chipio_set_conn_rate(codec, MEM_CONNID_MICOUT2,
++ SR_96_000);
++ dspio_set_uint_param(codec, 0x80, 0x01, FLOAT_ZERO);
++ break;
+ default:
+ tmp = FLOAT_ONE;
+ break;
+@@ -4719,6 +4728,14 @@ static int ca0132_alt_select_in(struct hda_codec *codec)
+ case QUIRK_AE5:
+ ca0113_mmio_command_set(codec, 0x30, 0x28, 0x00);
+ break;
++ case QUIRK_AE7:
++ ca0113_mmio_command_set(codec, 0x30, 0x28, 0x3f);
++ chipio_set_conn_rate(codec, MEM_CONNID_MICIN2,
++ SR_96_000);
++ chipio_set_conn_rate(codec, MEM_CONNID_MICOUT2,
++ SR_96_000);
++ dspio_set_uint_param(codec, 0x80, 0x01, FLOAT_ZERO);
++ break;
+ default:
+ break;
+ }
+@@ -4728,7 +4745,10 @@ static int ca0132_alt_select_in(struct hda_codec *codec)
+ if (ca0132_quirk(spec) == QUIRK_R3DI)
+ chipio_set_conn_rate(codec, 0x0F, SR_96_000);
+
+- tmp = FLOAT_ZERO;
++ if (ca0132_quirk(spec) == QUIRK_AE7)
++ tmp = FLOAT_THREE;
++ else
++ tmp = FLOAT_ZERO;
+ dspio_set_uint_param(codec, 0x80, 0x00, tmp);
+
+ switch (ca0132_quirk(spec)) {
+--
+2.25.1
+
--- /dev/null
+From 5f577af703d3edf7cd114d1de3ace2e0d4d1c720 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Aug 2020 16:10:29 -0400
+Subject: ALSA: hda/ca0132 - Add new quirk ID for SoundBlaster AE-7.
+
+From: Connor McAdams <conmanx360@gmail.com>
+
+[ Upstream commit 620f08eea6d6961b789af3fa3ea86725c8c93ece ]
+
+Add a new PCI subsystem ID for the SoundBlaster AE-7 card.
+
+Signed-off-by: Connor McAdams <conmanx360@gmail.com>
+Link: https://lore.kernel.org/r/20200825201040.30339-11-conmanx360@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_ca0132.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
+index 98a11c38e7a8e..459aff6c10bc5 100644
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -1065,6 +1065,7 @@ enum {
+ QUIRK_R3DI,
+ QUIRK_R3D,
+ QUIRK_AE5,
++ QUIRK_AE7,
+ };
+
+ #ifdef CONFIG_PCI
+@@ -1184,6 +1185,7 @@ static const struct snd_pci_quirk ca0132_quirks[] = {
+ SND_PCI_QUIRK(0x1102, 0x0013, "Recon3D", QUIRK_R3D),
+ SND_PCI_QUIRK(0x1102, 0x0018, "Recon3D", QUIRK_R3D),
+ SND_PCI_QUIRK(0x1102, 0x0051, "Sound Blaster AE-5", QUIRK_AE5),
++ SND_PCI_QUIRK(0x1102, 0x0081, "Sound Blaster AE-7", QUIRK_AE7),
+ {}
+ };
+
+--
+2.25.1
+
--- /dev/null
+From 80fe0c4a60c357b3c83e9b49b252b45d841f7e52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Sep 2020 10:38:56 +0200
+Subject: ALSA: seq: oss: Avoid mutex lock for a long-time ioctl
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 2759caad2600d503c3b0ed800e7e03d2cd7a4c05 ]
+
+Recently we applied a fix to cover the whole OSS sequencer ioctls with
+the mutex for dealing with the possible races. This works fine in
+general, but in theory, this may lead to unexpectedly long stall if an
+ioctl like SNDCTL_SEQ_SYNC is issued and an event with the far future
+timestamp was queued.
+
+For fixing such a potential stall, this patch changes the mutex lock
+applied conditionally excluding such an ioctl command. Also, change
+the mutex_lock() with the interruptible version for user to allow
+escaping from the big-hammer mutex.
+
+Fixes: 80982c7e834e ("ALSA: seq: oss: Serialize ioctls")
+Suggested-by: Pavel Machek <pavel@ucw.cz>
+Link: https://lore.kernel.org/r/20200922083856.28572-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/oss/seq_oss.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/sound/core/seq/oss/seq_oss.c b/sound/core/seq/oss/seq_oss.c
+index c8b9c0b315d8f..250a92b187265 100644
+--- a/sound/core/seq/oss/seq_oss.c
++++ b/sound/core/seq/oss/seq_oss.c
+@@ -174,9 +174,12 @@ odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ if (snd_BUG_ON(!dp))
+ return -ENXIO;
+
+- mutex_lock(®ister_mutex);
++ if (cmd != SNDCTL_SEQ_SYNC &&
++ mutex_lock_interruptible(®ister_mutex))
++ return -ERESTARTSYS;
+ rc = snd_seq_oss_ioctl(dp, cmd, arg);
+- mutex_unlock(®ister_mutex);
++ if (cmd != SNDCTL_SEQ_SYNC)
++ mutex_unlock(®ister_mutex);
+ return rc;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 5b17f5a1571de754a085878160aea178cc69fc12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Sep 2020 14:46:52 +0300
+Subject: arc: plat-hsdk: fix kconfig dependency warning when !RESET_CONTROLLER
+
+From: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+
+[ Upstream commit 63bcf87cb1c57956e1179f1a78dde625c7e3cba7 ]
+
+When ARC_SOC_HSDK is enabled and RESET_CONTROLLER is disabled, it results
+in the following Kbuild warning:
+
+WARNING: unmet direct dependencies detected for RESET_HSDK
+ Depends on [n]: RESET_CONTROLLER [=n] && HAS_IOMEM [=y] && (ARC_SOC_HSDK [=y] || COMPILE_TEST [=n])
+ Selected by [y]:
+ - ARC_SOC_HSDK [=y] && ISA_ARCV2 [=y]
+
+The reason is that ARC_SOC_HSDK selects RESET_HSDK without depending on or
+selecting RESET_CONTROLLER while RESET_HSDK is subordinate to
+RESET_CONTROLLER.
+
+Honor the kconfig menu hierarchy to remove kconfig dependency warnings.
+
+Fixes: a528629dfd3b ("ARC: [plat-hsdk] select CONFIG_RESET_HSDK from Kconfig")
+Signed-off-by: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arc/plat-hsdk/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arc/plat-hsdk/Kconfig b/arch/arc/plat-hsdk/Kconfig
+index ce81018345184..6b5c54576f54d 100644
+--- a/arch/arc/plat-hsdk/Kconfig
++++ b/arch/arc/plat-hsdk/Kconfig
+@@ -8,5 +8,6 @@ menuconfig ARC_SOC_HSDK
+ select ARC_HAS_ACCL_REGS
+ select ARC_IRQ_NO_AUTOSAVE
+ select CLK_HSDK
++ select RESET_CONTROLLER
+ select RESET_HSDK
+ select HAVE_PCI
+--
+2.25.1
+
--- /dev/null
+From 0e7c0f5db529a170ee384ebbfb17ea8ca9b1b68f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Sep 2020 16:58:06 +0100
+Subject: ARM: 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT
+ values
+
+From: Guillaume Tucker <guillaume.tucker@collabora.com>
+
+[ Upstream commit 8e007b367a59bcdf484c81f6df9bd5a4cc179ca6 ]
+
+The L310_PREFETCH_CTRL register bits 28 and 29 to enable data and
+instruction prefetch respectively can also be accessed via the
+L2X0_AUX_CTRL register. They appear to be actually wired together in
+hardware between the registers. Changing them in the prefetch
+register only will get undone when restoring the aux control register
+later on. For this reason, set these bits in both registers during
+initialisation according to the devicetree property values.
+
+Link: https://lore.kernel.org/lkml/76f2f3ad5e77e356e0a5b99ceee1e774a2842c25.1597061474.git.guillaume.tucker@collabora.com/
+
+Fixes: ec3bd0e68a67 ("ARM: 8391/1: l2c: add options to overwrite prefetching behavior")
+Signed-off-by: Guillaume Tucker <guillaume.tucker@collabora.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/cache-l2x0.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c
+index 12c26eb88afbc..43d91bfd23600 100644
+--- a/arch/arm/mm/cache-l2x0.c
++++ b/arch/arm/mm/cache-l2x0.c
+@@ -1249,20 +1249,28 @@ static void __init l2c310_of_parse(const struct device_node *np,
+
+ ret = of_property_read_u32(np, "prefetch-data", &val);
+ if (ret == 0) {
+- if (val)
++ if (val) {
+ prefetch |= L310_PREFETCH_CTRL_DATA_PREFETCH;
+- else
++ *aux_val |= L310_PREFETCH_CTRL_DATA_PREFETCH;
++ } else {
+ prefetch &= ~L310_PREFETCH_CTRL_DATA_PREFETCH;
++ *aux_val &= ~L310_PREFETCH_CTRL_DATA_PREFETCH;
++ }
++ *aux_mask &= ~L310_PREFETCH_CTRL_DATA_PREFETCH;
+ } else if (ret != -EINVAL) {
+ pr_err("L2C-310 OF prefetch-data property value is missing\n");
+ }
+
+ ret = of_property_read_u32(np, "prefetch-instr", &val);
+ if (ret == 0) {
+- if (val)
++ if (val) {
+ prefetch |= L310_PREFETCH_CTRL_INSTR_PREFETCH;
+- else
++ *aux_val |= L310_PREFETCH_CTRL_INSTR_PREFETCH;
++ } else {
+ prefetch &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH;
++ *aux_val &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH;
++ }
++ *aux_mask &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH;
+ } else if (ret != -EINVAL) {
+ pr_err("L2C-310 OF prefetch-instr property value is missing\n");
+ }
+--
+2.25.1
+
--- /dev/null
+From 53a5bdcb74cca901b0318da9aeef8533e4235749 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Aug 2020 11:36:50 +0300
+Subject: ARM: at91: pm: of_node_put() after its usage
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit e222f943519564978e082c152b4140a47e93392c ]
+
+Put node after it has been used.
+
+Fixes: 13f16017d3e3f ("ARM: at91: pm: Tie the USB clock mask to the pmc")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/1596616610-15460-4-git-send-email-claudiu.beznea@microchip.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-at91/pm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/mach-at91/pm.c b/arch/arm/mach-at91/pm.c
+index 6bc3000deb86e..676cc2a318f41 100644
+--- a/arch/arm/mach-at91/pm.c
++++ b/arch/arm/mach-at91/pm.c
+@@ -777,6 +777,7 @@ static void __init at91_pm_init(void (*pm_idle)(void))
+
+ pmc_np = of_find_matching_node_and_match(NULL, atmel_pmc_ids, &of_id);
+ soc_pm.data.pmc = of_iomap(pmc_np, 0);
++ of_node_put(pmc_np);
+ if (!soc_pm.data.pmc) {
+ pr_err("AT91: PM not supported, PMC not found\n");
+ return;
+--
+2.25.1
+
--- /dev/null
+From f469fbef075719ae8df97fad13d0d3baffeb9373 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jul 2020 18:26:01 +0300
+Subject: ARM: dts: imx6sl: fix rng node
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Horia Geantă <horia.geanta@nxp.com>
+
+[ Upstream commit 82ffb35c2ce63ef8e0325f75eb48022abcf8edbe ]
+
+rng DT node was added without a compatible string.
+
+i.MX driver for RNGC (drivers/char/hw_random/imx-rngc.c) also claims
+support for RNGB, and is currently used for i.MX25.
+
+Let's use this driver also for RNGB block in i.MX6SL.
+
+Fixes: e29fe21cff96 ("ARM: dts: add device tree source for imx6sl SoC")
+Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6sl.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6sl.dtsi b/arch/arm/boot/dts/imx6sl.dtsi
+index 3a96b5538a2a1..540880f0413fd 100644
+--- a/arch/arm/boot/dts/imx6sl.dtsi
++++ b/arch/arm/boot/dts/imx6sl.dtsi
+@@ -936,8 +936,10 @@ memory-controller@21b0000 {
+ };
+
+ rngb: rngb@21b4000 {
++ compatible = "fsl,imx6sl-rngb", "fsl,imx25-rngb";
+ reg = <0x021b4000 0x4000>;
+ interrupts = <0 5 IRQ_TYPE_LEVEL_HIGH>;
++ clocks = <&clks IMX6SL_CLK_DUMMY>;
+ };
+
+ weim: weim@21b8000 {
+--
+2.25.1
+
--- /dev/null
+From 5539185dcd5fd8850f99a189cd8f229a7dc7704a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Aug 2020 20:19:57 +0200
+Subject: ARM: dts: meson8: remove two invalid interrupt lines from the GPU
+ node
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit 737e7610b545cc901a9696083c1824a7104b8d1b ]
+
+The 3.10 vendor kernel defines the following GPU 20 interrupt lines:
+ #define INT_MALI_GP AM_IRQ(160)
+ #define INT_MALI_GP_MMU AM_IRQ(161)
+ #define INT_MALI_PP AM_IRQ(162)
+ #define INT_MALI_PMU AM_IRQ(163)
+ #define INT_MALI_PP0 AM_IRQ(164)
+ #define INT_MALI_PP0_MMU AM_IRQ(165)
+ #define INT_MALI_PP1 AM_IRQ(166)
+ #define INT_MALI_PP1_MMU AM_IRQ(167)
+ #define INT_MALI_PP2 AM_IRQ(168)
+ #define INT_MALI_PP2_MMU AM_IRQ(169)
+ #define INT_MALI_PP3 AM_IRQ(170)
+ #define INT_MALI_PP3_MMU AM_IRQ(171)
+ #define INT_MALI_PP4 AM_IRQ(172)
+ #define INT_MALI_PP4_MMU AM_IRQ(173)
+ #define INT_MALI_PP5 AM_IRQ(174)
+ #define INT_MALI_PP5_MMU AM_IRQ(175)
+ #define INT_MALI_PP6 AM_IRQ(176)
+ #define INT_MALI_PP6_MMU AM_IRQ(177)
+ #define INT_MALI_PP7 AM_IRQ(178)
+ #define INT_MALI_PP7_MMU AM_IRQ(179)
+
+However, the driver from the 3.10 vendor kernel does not use the
+following four interrupt lines:
+- INT_MALI_PP3
+- INT_MALI_PP3_MMU
+- INT_MALI_PP7
+- INT_MALI_PP7_MMU
+
+Drop the "pp3" and "ppmmu3" interrupt lines. This is also important
+because there is no matching entry in interrupt-names for it (meaning
+the "pp2" interrupt is actually assigned to the "pp3" interrupt line).
+
+Fixes: 7d3f6b536e72c9 ("ARM: dts: meson8: add the Mali-450 MP6 GPU")
+Reported-by: Thomas Graichen <thomas.graichen@gmail.com>
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Tested-by: thomas graichen <thomas.graichen@gmail.com>
+Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://lore.kernel.org/r/20200815181957.408649-1-martin.blumenstingl@googlemail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/meson8.dtsi | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/meson8.dtsi b/arch/arm/boot/dts/meson8.dtsi
+index db2033f674c67..3efe9d41c2bb6 100644
+--- a/arch/arm/boot/dts/meson8.dtsi
++++ b/arch/arm/boot/dts/meson8.dtsi
+@@ -230,8 +230,6 @@ mali: gpu@c0000 {
+ <GIC_SPI 167 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 168 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 169 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 170 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 171 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 172 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 173 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 174 IRQ_TYPE_LEVEL_HIGH>,
+--
+2.25.1
+
--- /dev/null
+From d0712c2dfe1cd26ef67f9279b640a2f01fd93ee5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Aug 2020 16:53:17 +0300
+Subject: ARM: dts: owl-s500: Fix incorrect PPI interrupt specifiers
+
+From: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+
+[ Upstream commit 55f6c9931f7c32f19cf221211f099dfd8dab3af9 ]
+
+The PPI interrupts for cortex-a9 were incorrectly specified, fix them.
+
+Fixes: fdfe7f4f9d85 ("ARM: dts: Add Actions Semi S500 and LeMaker Guitar")
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+Reviewed-by: Peter Korsgaard <peter@korsgaard.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/owl-s500.dtsi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/owl-s500.dtsi b/arch/arm/boot/dts/owl-s500.dtsi
+index 5ceb6cc4451d2..1dbe4e8b38ac7 100644
+--- a/arch/arm/boot/dts/owl-s500.dtsi
++++ b/arch/arm/boot/dts/owl-s500.dtsi
+@@ -84,21 +84,21 @@ scu: scu@b0020000 {
+ global_timer: timer@b0020200 {
+ compatible = "arm,cortex-a9-global-timer";
+ reg = <0xb0020200 0x100>;
+- interrupts = <GIC_PPI 0 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_EDGE_RISING)>;
++ interrupts = <GIC_PPI 11 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_EDGE_RISING)>;
+ status = "disabled";
+ };
+
+ twd_timer: timer@b0020600 {
+ compatible = "arm,cortex-a9-twd-timer";
+ reg = <0xb0020600 0x20>;
+- interrupts = <GIC_PPI 2 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_EDGE_RISING)>;
++ interrupts = <GIC_PPI 13 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_EDGE_RISING)>;
+ status = "disabled";
+ };
+
+ twd_wdt: wdt@b0020620 {
+ compatible = "arm,cortex-a9-twd-wdt";
+ reg = <0xb0020620 0xe0>;
+- interrupts = <GIC_PPI 3 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_EDGE_RISING)>;
++ interrupts = <GIC_PPI 14 (GIC_CPU_MASK_SIMPLE(4) | IRQ_TYPE_EDGE_RISING)>;
+ status = "disabled";
+ };
+
+--
+2.25.1
+
--- /dev/null
+From fdcc94e7f3f1dcf3a7a928c00bb80e5b52f33899 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Aug 2020 21:36:49 +0200
+Subject: ARM: dts: sun8i: r40: bananapi-m2-ultra: Fix dcdc1 regulator
+
+From: Jernej Skrabec <jernej.skrabec@siol.net>
+
+[ Upstream commit 3658a2b7f3e16c7053eb8d70657b94bb62c5a0f4 ]
+
+DCDC1 regulator powers many different subsystems. While some of them can
+work at 3.0 V, some of them can not. For example, VCC-HDMI can only work
+between 3.24 V and 3.36 V. According to OS images provided by the board
+manufacturer this regulator should be set to 3.3 V.
+
+Set DCDC1 and DCDC1SW to 3.3 V in order to fix this.
+
+Fixes: da7ac948fa93 ("ARM: dts: sun8i: Add board dts file for Banana Pi M2 Ultra")
+Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://lore.kernel.org/r/20200824193649.978197-1-jernej.skrabec@siol.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts b/arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts
+index 42d62d1ba1dc7..ea15073f0c79c 100644
+--- a/arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts
++++ b/arch/arm/boot/dts/sun8i-r40-bananapi-m2-ultra.dts
+@@ -223,16 +223,16 @@ ®_aldo3 {
+ };
+
+ ®_dc1sw {
+- regulator-min-microvolt = <3000000>;
+- regulator-max-microvolt = <3000000>;
++ regulator-min-microvolt = <3300000>;
++ regulator-max-microvolt = <3300000>;
+ regulator-name = "vcc-gmac-phy";
+ };
+
+ ®_dcdc1 {
+ regulator-always-on;
+- regulator-min-microvolt = <3000000>;
+- regulator-max-microvolt = <3000000>;
+- regulator-name = "vcc-3v0";
++ regulator-min-microvolt = <3300000>;
++ regulator-max-microvolt = <3300000>;
++ regulator-name = "vcc-3v3";
+ };
+
+ ®_dcdc2 {
+--
+2.25.1
+
--- /dev/null
+From 075c3b1a2d23bea588a3d1e9bef26f5ad724419e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Sep 2020 09:16:22 +0300
+Subject: ARM: OMAP2+: Restore MPU power domain if cpu_cluster_pm_enter() fails
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 8f04aea048d56f3e39a7e543939450246542a6fc ]
+
+If cpu_cluster_pm_enter() fails, we need to set MPU power domain back
+to enabled to prevent the next WFI from potentially triggering an
+undesired MPU power domain state change.
+
+We already do this for omap_enter_idle_smp() but are missing it for
+omap_enter_idle_coupled().
+
+Fixes: 55be2f50336f ("ARM: OMAP2+: Handle errors for cpu_pm")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap2/cpuidle44xx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-omap2/cpuidle44xx.c b/arch/arm/mach-omap2/cpuidle44xx.c
+index 6f5f89711f256..a92d277f81a08 100644
+--- a/arch/arm/mach-omap2/cpuidle44xx.c
++++ b/arch/arm/mach-omap2/cpuidle44xx.c
+@@ -174,8 +174,10 @@ static int omap_enter_idle_coupled(struct cpuidle_device *dev,
+ */
+ if (mpuss_can_lose_context) {
+ error = cpu_cluster_pm_enter();
+- if (error)
++ if (error) {
++ omap_set_pwrdm_state(mpu_pd, PWRDM_POWER_ON);
+ goto cpu_cluster_pm_out;
++ }
+ }
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 0126d403b40a0fdae19922d4515e2ea931709ecf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Aug 2020 20:20:20 +0200
+Subject: ARM: s3c24xx: fix mmc gpio lookup tables
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 3af4e8774b6d03683932b0961998e01355bccd74 ]
+
+The gpio controller names differ between s3c24xx and s3c64xx,
+and it seems that these all got the wrong names, using GPx instead
+of GPIOx.
+
+Fixes: d2951dfa070d ("mmc: s3cmci: Use the slot GPIO descriptor")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20200806182059.2431-3-krzk@kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-s3c24xx/mach-at2440evb.c | 2 +-
+ arch/arm/mach-s3c24xx/mach-h1940.c | 4 ++--
+ arch/arm/mach-s3c24xx/mach-mini2440.c | 4 ++--
+ arch/arm/mach-s3c24xx/mach-n30.c | 4 ++--
+ arch/arm/mach-s3c24xx/mach-rx1950.c | 4 ++--
+ 5 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/arch/arm/mach-s3c24xx/mach-at2440evb.c b/arch/arm/mach-s3c24xx/mach-at2440evb.c
+index 58c5ef3cf1d7e..2d370f7f75fa2 100644
+--- a/arch/arm/mach-s3c24xx/mach-at2440evb.c
++++ b/arch/arm/mach-s3c24xx/mach-at2440evb.c
+@@ -143,7 +143,7 @@ static struct gpiod_lookup_table at2440evb_mci_gpio_table = {
+ .dev_id = "s3c2410-sdi",
+ .table = {
+ /* Card detect S3C2410_GPG(10) */
+- GPIO_LOOKUP("GPG", 10, "cd", GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("GPIOG", 10, "cd", GPIO_ACTIVE_LOW),
+ { },
+ },
+ };
+diff --git a/arch/arm/mach-s3c24xx/mach-h1940.c b/arch/arm/mach-s3c24xx/mach-h1940.c
+index 74d6b68e91c74..8d9d8e7c71d4c 100644
+--- a/arch/arm/mach-s3c24xx/mach-h1940.c
++++ b/arch/arm/mach-s3c24xx/mach-h1940.c
+@@ -468,9 +468,9 @@ static struct gpiod_lookup_table h1940_mmc_gpio_table = {
+ .dev_id = "s3c2410-sdi",
+ .table = {
+ /* Card detect S3C2410_GPF(5) */
+- GPIO_LOOKUP("GPF", 5, "cd", GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("GPIOF", 5, "cd", GPIO_ACTIVE_LOW),
+ /* Write protect S3C2410_GPH(8) */
+- GPIO_LOOKUP("GPH", 8, "wp", GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("GPIOH", 8, "wp", GPIO_ACTIVE_LOW),
+ { },
+ },
+ };
+diff --git a/arch/arm/mach-s3c24xx/mach-mini2440.c b/arch/arm/mach-s3c24xx/mach-mini2440.c
+index 9035f868fb34e..3a5b1124037b2 100644
+--- a/arch/arm/mach-s3c24xx/mach-mini2440.c
++++ b/arch/arm/mach-s3c24xx/mach-mini2440.c
+@@ -244,9 +244,9 @@ static struct gpiod_lookup_table mini2440_mmc_gpio_table = {
+ .dev_id = "s3c2410-sdi",
+ .table = {
+ /* Card detect S3C2410_GPG(8) */
+- GPIO_LOOKUP("GPG", 8, "cd", GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("GPIOG", 8, "cd", GPIO_ACTIVE_LOW),
+ /* Write protect S3C2410_GPH(8) */
+- GPIO_LOOKUP("GPH", 8, "wp", GPIO_ACTIVE_HIGH),
++ GPIO_LOOKUP("GPIOH", 8, "wp", GPIO_ACTIVE_HIGH),
+ { },
+ },
+ };
+diff --git a/arch/arm/mach-s3c24xx/mach-n30.c b/arch/arm/mach-s3c24xx/mach-n30.c
+index d856f23939aff..ffa20f52aa832 100644
+--- a/arch/arm/mach-s3c24xx/mach-n30.c
++++ b/arch/arm/mach-s3c24xx/mach-n30.c
+@@ -359,9 +359,9 @@ static struct gpiod_lookup_table n30_mci_gpio_table = {
+ .dev_id = "s3c2410-sdi",
+ .table = {
+ /* Card detect S3C2410_GPF(1) */
+- GPIO_LOOKUP("GPF", 1, "cd", GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("GPIOF", 1, "cd", GPIO_ACTIVE_LOW),
+ /* Write protect S3C2410_GPG(10) */
+- GPIO_LOOKUP("GPG", 10, "wp", GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("GPIOG", 10, "wp", GPIO_ACTIVE_LOW),
+ { },
+ },
+ };
+diff --git a/arch/arm/mach-s3c24xx/mach-rx1950.c b/arch/arm/mach-s3c24xx/mach-rx1950.c
+index 29f9b345a5311..534e9c1d8161f 100644
+--- a/arch/arm/mach-s3c24xx/mach-rx1950.c
++++ b/arch/arm/mach-s3c24xx/mach-rx1950.c
+@@ -567,9 +567,9 @@ static struct gpiod_lookup_table rx1950_mmc_gpio_table = {
+ .dev_id = "s3c2410-sdi",
+ .table = {
+ /* Card detect S3C2410_GPF(5) */
+- GPIO_LOOKUP("GPF", 5, "cd", GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("GPIOF", 5, "cd", GPIO_ACTIVE_LOW),
+ /* Write protect S3C2410_GPH(8) */
+- GPIO_LOOKUP("GPH", 8, "wp", GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("GPIOH", 8, "wp", GPIO_ACTIVE_LOW),
+ { },
+ },
+ };
+--
+2.25.1
+
--- /dev/null
+From 7aed01a039af40bca9bbd986bff3f26c2e968ee7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Jul 2020 23:12:02 +0530
+Subject: arm64: dts: actions: limit address range for pinctrl node
+
+From: Amit Singh Tomar <amittomer25@gmail.com>
+
+[ Upstream commit 4bb1eb3cd4bd6241d5e5f99bbfd801ea5a007b6c ]
+
+After commit 7cdf8446ed1d ("arm64: dts: actions: Add pinctrl node for
+Actions Semi S700") following error has been observed while booting
+Linux on Cubieboard7-lite(based on S700 SoC).
+
+[ 0.257415] pinctrl-s700 e01b0000.pinctrl: can't request region for
+resource [mem 0xe01b0000-0xe01b0fff]
+[ 0.266902] pinctrl-s700: probe of e01b0000.pinctrl failed with error -16
+
+This is due to the fact that memory range for "sps" power domain controller
+clashes with pinctrl.
+
+One way to fix it, is to limit pinctrl address range which is safe
+to do as current pinctrl driver uses address range only up to 0x100.
+
+This commit limits the pinctrl address range to 0x100 so that it doesn't
+conflict with sps range.
+
+Fixes: 7cdf8446ed1d ("arm64: dts: actions: Add pinctrl node for Actions
+Semi S700")
+
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Suggested-by: Andre Przywara <andre.przywara@arm.com>
+Signed-off-by: Amit Singh Tomar <amittomer25@gmail.com>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/actions/s700.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/actions/s700.dtsi b/arch/arm64/boot/dts/actions/s700.dtsi
+index 2006ad5424fa6..f8eb72bb41254 100644
+--- a/arch/arm64/boot/dts/actions/s700.dtsi
++++ b/arch/arm64/boot/dts/actions/s700.dtsi
+@@ -231,7 +231,7 @@ timer: timer@e024c000 {
+
+ pinctrl: pinctrl@e01b0000 {
+ compatible = "actions,s700-pinctrl";
+- reg = <0x0 0xe01b0000 0x0 0x1000>;
++ reg = <0x0 0xe01b0000 0x0 0x100>;
+ clocks = <&cmu CLK_GPIO>;
+ gpio-controller;
+ gpio-ranges = <&pinctrl 0 0 136>;
+--
+2.25.1
+
--- /dev/null
+From 7f8274ac0628a3418a3e72c468d825249692cadc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Aug 2020 14:27:55 +0800
+Subject: arm64: dts: allwinner: h5: remove Mali GPU PMU module
+
+From: Qiang Yu <yuq825@gmail.com>
+
+[ Upstream commit 2933bf3528007f834fb7f5eab033f9c5b0683f91 ]
+
+H5's Mali GPU PMU is not present or working corretly although
+H5 datasheet record its interrupt vector.
+
+Adding this module will miss lead lima driver try to shutdown
+it and get waiting timeout. This problem is not exposed before
+lima runtime PM support is added.
+
+Fixes: bb39ed07e55b ("arm64: dts: allwinner: h5: Add device node for Mali-450 GPU")
+Signed-off-by: Qiang Yu <yuq825@gmail.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://lore.kernel.org/r/20200822062755.534761-1-yuq825@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi b/arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi
+index eaf8f83794fd9..8466d44ee0b15 100644
+--- a/arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi
++++ b/arch/arm64/boot/dts/allwinner/sun50i-h5.dtsi
+@@ -155,8 +155,7 @@ mali: gpu@1e80000 {
+ <GIC_SPI 104 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 105 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 106 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 107 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 98 IRQ_TYPE_LEVEL_HIGH>;
++ <GIC_SPI 107 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "gp",
+ "gpmmu",
+ "pp",
+@@ -167,8 +166,7 @@ mali: gpu@1e80000 {
+ "pp2",
+ "ppmmu2",
+ "pp3",
+- "ppmmu3",
+- "pmu";
++ "ppmmu3";
+ clocks = <&ccu CLK_BUS_GPU>, <&ccu CLK_GPU>;
+ clock-names = "bus", "core";
+ resets = <&ccu RST_BUS_GPU>;
+--
+2.25.1
+
--- /dev/null
+From 6ca1028252c9103344880f04b1cc0bececeb88b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 16:53:09 +0200
+Subject: arm64: dts: imx8mq: Add missing interrupts to GPC
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 791619f66843a213784efb2f171be98933bad991 ]
+
+The i.MX General Power Controller v2 device node was missing interrupts
+property necessary to route its interrupt to GIC. This also fixes the
+dbts_check warnings like:
+
+ arch/arm64/boot/dts/freescale/imx8mq-evk.dt.yaml: gpc@303a0000:
+ {'compatible': ... '$nodename': ['gpc@303a0000']} is not valid under any of the given schemas
+ arch/arm64/boot/dts/freescale/imx8mq-evk.dt.yaml: gpc@303a0000: 'interrupts' is a required property
+
+Fixes: fdbcc04da246 ("arm64: dts: imx8mq: add GPC power domains")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Reviewed-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mq.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+index bc8540f879654..f1011bcd5ed5a 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+@@ -516,6 +516,7 @@ src: reset-controller@30390000 {
+ gpc: gpc@303a0000 {
+ compatible = "fsl,imx8mq-gpc";
+ reg = <0x303a0000 0x10000>;
++ interrupts = <GIC_SPI 87 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-parent = <&gic>;
+ interrupt-controller;
+ #interrupt-cells = <3>;
+--
+2.25.1
+
--- /dev/null
+From 060d26a70deed8de9717a3e7833c765348ee5eca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Aug 2020 16:18:50 +0200
+Subject: arm64: dts: meson: vim3: correct led polarity
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit 1f9d87d08e4a2299e86f8a1600aedf87ecd3b636 ]
+
+The LEDs on the vim3 are active when the gpio is high, not low.
+
+Fixes: c6d29c66e582 ("arm64: dts: meson-g12b-khadas-vim3: add initial device-tree")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Link: https://lore.kernel.org/r/20200803141850.172704-1-jbrunet@baylibre.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/amlogic/meson-khadas-vim3.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/amlogic/meson-khadas-vim3.dtsi b/arch/arm64/boot/dts/amlogic/meson-khadas-vim3.dtsi
+index 8647da7d6609b..f6694aad84db3 100644
+--- a/arch/arm64/boot/dts/amlogic/meson-khadas-vim3.dtsi
++++ b/arch/arm64/boot/dts/amlogic/meson-khadas-vim3.dtsi
+@@ -43,13 +43,13 @@ leds {
+
+ white {
+ label = "vim3:white:sys";
+- gpios = <&gpio_ao GPIOAO_4 GPIO_ACTIVE_LOW>;
++ gpios = <&gpio_ao GPIOAO_4 GPIO_ACTIVE_HIGH>;
+ linux,default-trigger = "heartbeat";
+ };
+
+ red {
+ label = "vim3:red";
+- gpios = <&gpio_expander 5 GPIO_ACTIVE_LOW>;
++ gpios = <&gpio_expander 5 GPIO_ACTIVE_HIGH>;
+ };
+ };
+
+--
+2.25.1
+
--- /dev/null
+From 0e77e0f5466f38e6821aef80b7036f7f5bdff538 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Sep 2020 09:12:11 +0200
+Subject: arm64: dts: qcom: msm8916: Fix MDP/DSI interrupts
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+[ Upstream commit 027cca9eb5b450c3f6bb916ba999144c2ec23cb7 ]
+
+The mdss node sets #interrupt-cells = <1>, so its interrupts
+should be referenced using a single cell (in this case: only the
+interrupt number).
+
+However, right now the mdp/dsi node both have two interrupt cells
+set, e.g. interrupts = <4 0>. The 0 is probably meant to say
+IRQ_TYPE_NONE (= 0), but with #interrupt-cells = <1> this is
+actually interpreted as a second interrupt line.
+
+Remove the IRQ flags from both interrupts to fix this.
+
+Fixes: 305410ffd1b2 ("arm64: dts: msm8916: Add display support")
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Link: https://lore.kernel.org/r/20200915071221.72895-5-stephan@gerhold.net
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8916.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+index ade2eb1781e37..d95273af9f1e4 100644
+--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+@@ -934,7 +934,7 @@ mdp: mdp@1a01000 {
+ reg-names = "mdp_phys";
+
+ interrupt-parent = <&mdss>;
+- interrupts = <0 0>;
++ interrupts = <0>;
+
+ clocks = <&gcc GCC_MDSS_AHB_CLK>,
+ <&gcc GCC_MDSS_AXI_CLK>,
+@@ -966,7 +966,7 @@ dsi0: dsi@1a98000 {
+ reg-names = "dsi_ctrl";
+
+ interrupt-parent = <&mdss>;
+- interrupts = <4 0>;
++ interrupts = <4>;
+
+ assigned-clocks = <&gcc BYTE0_CLK_SRC>,
+ <&gcc PCLK0_CLK_SRC>;
+--
+2.25.1
+
--- /dev/null
+From 78ac66ae4de1fa049d58f6670d12c77d104617e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Sep 2020 09:12:09 +0200
+Subject: arm64: dts: qcom: msm8916: Remove one more thermal trip point unit
+ name
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+[ Upstream commit e6859ae8603c5946b8f3ecbd9b4f02b72955b9d0 ]
+
+Commit fe2aff0c574d2 ("arm64: dts: qcom: msm8916: remove unit name for thermal trip points")
+removed the unit names for most of the thermal trip points defined
+in msm8916.dtsi, but missed to update the one for cpu0_1-thermal.
+
+So why wasn't this spotted by "make dtbs_check"? Apparently, the name
+of the thermal zone is already invalid: thermal-zones.yaml specifies
+a regex of ^[a-zA-Z][a-zA-Z0-9\\-]{1,12}-thermal$, so it is not allowed
+to contain underscores. Therefore the thermal zone was never verified
+using the DTB schema.
+
+After replacing the underscore in the thermal zone name, the warning
+shows up:
+
+ apq8016-sbc.dt.yaml: thermal-zones: cpu0-1-thermal:trips: 'trip-point@0'
+ does not match any of the regexes: '^[a-zA-Z][a-zA-Z0-9\\-_]{0,63}$', 'pinctrl-[0-9]+'
+
+Fix up the thermal zone names and remove the unit name for the trip point.
+
+Cc: Amit Kucheria <amit.kucheria@linaro.org>
+Fixes: fe2aff0c574d2 ("arm64: dts: qcom: msm8916: remove unit name for thermal trip points")
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Link: https://lore.kernel.org/r/20200915071221.72895-3-stephan@gerhold.net
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8916.dtsi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+index 340da154d4e37..ade2eb1781e37 100644
+--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+@@ -175,14 +175,14 @@ pmu {
+ };
+
+ thermal-zones {
+- cpu0_1-thermal {
++ cpu0-1-thermal {
+ polling-delay-passive = <250>;
+ polling-delay = <1000>;
+
+ thermal-sensors = <&tsens 4>;
+
+ trips {
+- cpu0_1_alert0: trip-point@0 {
++ cpu0_1_alert0: trip-point0 {
+ temperature = <75000>;
+ hysteresis = <2000>;
+ type = "passive";
+@@ -205,7 +205,7 @@ map0 {
+ };
+ };
+
+- cpu2_3-thermal {
++ cpu2-3-thermal {
+ polling-delay-passive = <250>;
+ polling-delay = <1000>;
+
+--
+2.25.1
+
--- /dev/null
+From f1d259393862d52a9aacc3fa0ba4eafaa3e6cbde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Sep 2020 09:12:10 +0200
+Subject: arm64: dts: qcom: pm8916: Remove invalid reg size from wcd_codec
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+[ Upstream commit c2f0cbb57dbac6da3d38b47b5b96de0fe4e23884 ]
+
+Tha parent node of "wcd_codec" specifies #address-cells = <1>
+and #size-cells = <0>, which means that each resource should be
+described by one cell for the address and size omitted.
+
+However, wcd_codec currently lists 0x200 as second cell (probably
+the size of the resource). When parsing this would be treated like
+another memory resource - which is entirely wrong.
+
+To quote the device tree specification [1]:
+ "If the parent node specifies a value of 0 for #size-cells,
+ the length field in the value of reg shall be omitted."
+
+[1]: https://www.devicetree.org/specifications/
+
+Fixes: 5582fcb3829f ("arm64: dts: apq8016-sbc: add analog audio support with multicodec")
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Link: https://lore.kernel.org/r/20200915071221.72895-4-stephan@gerhold.net
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/pm8916.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/pm8916.dtsi b/arch/arm64/boot/dts/qcom/pm8916.dtsi
+index 9dd2df1cbf47d..40df4d95a47ac 100644
+--- a/arch/arm64/boot/dts/qcom/pm8916.dtsi
++++ b/arch/arm64/boot/dts/qcom/pm8916.dtsi
+@@ -113,7 +113,7 @@ pm8916_1: pm8916@1 {
+
+ wcd_codec: codec@f000 {
+ compatible = "qcom,pm8916-wcd-analog-codec";
+- reg = <0xf000 0x200>;
++ reg = <0xf000>;
+ reg-names = "pmic-codec-core";
+ clocks = <&gcc GCC_CODEC_DIGCODEC_CLK>;
+ clock-names = "mclk";
+--
+2.25.1
+
--- /dev/null
+From e8e980af6e848e22da743c833f1da0fc1acdc843 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Sep 2020 15:21:17 +0200
+Subject: arm64: dts: renesas: r8a774c0: Fix MSIOF1 DMA channels
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit c91dfc9818df5f43c10c727f1cecaebdb5e2fa92 ]
+
+According to Technical Update TN-RCT-S0352A/E, MSIOF1 DMA can only be
+used with SYS-DMAC0 on R-Car E3.
+
+Fixes: 62c0056f1c3eb15d ("arm64: dts: renesas: r8a774c0: Add MSIOF nodes")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20200917132117.8515-3-geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r8a774c0.dtsi | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r8a774c0.dtsi b/arch/arm64/boot/dts/renesas/r8a774c0.dtsi
+index a1c2de90e4706..73ded80a79ba0 100644
+--- a/arch/arm64/boot/dts/renesas/r8a774c0.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a774c0.dtsi
+@@ -1212,9 +1212,8 @@ msiof1: spi@e6ea0000 {
+ reg = <0 0xe6ea0000 0 0x0064>;
+ interrupts = <GIC_SPI 157 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&cpg CPG_MOD 210>;
+- dmas = <&dmac1 0x43>, <&dmac1 0x42>,
+- <&dmac2 0x43>, <&dmac2 0x42>;
+- dma-names = "tx", "rx", "tx", "rx";
++ dmas = <&dmac0 0x43>, <&dmac0 0x42>;
++ dma-names = "tx", "rx";
+ power-domains = <&sysc R8A774C0_PD_ALWAYS_ON>;
+ resets = <&cpg 210>;
+ #address-cells = <1>;
+--
+2.25.1
+
--- /dev/null
+From 51ca09d14fa5cb633fdacabff87d96442bc57691 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Sep 2020 15:21:16 +0200
+Subject: arm64: dts: renesas: r8a77990: Fix MSIOF1 DMA channels
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 453802c463abd003a7c38ffbc90b67ba162335b6 ]
+
+According to Technical Update TN-RCT-S0352A/E, MSIOF1 DMA can only be
+used with SYS-DMAC0 on R-Car E3.
+
+Fixes: 8517042060b55a37 ("arm64: dts: renesas: r8a77990: Add DMA properties to MSIOF nodes")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20200917132117.8515-2-geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r8a77990.dtsi | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r8a77990.dtsi b/arch/arm64/boot/dts/renesas/r8a77990.dtsi
+index 455954c3d98ea..dabee157119f9 100644
+--- a/arch/arm64/boot/dts/renesas/r8a77990.dtsi
++++ b/arch/arm64/boot/dts/renesas/r8a77990.dtsi
+@@ -1168,9 +1168,8 @@ msiof1: spi@e6ea0000 {
+ reg = <0 0xe6ea0000 0 0x0064>;
+ interrupts = <GIC_SPI 157 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&cpg CPG_MOD 210>;
+- dmas = <&dmac1 0x43>, <&dmac1 0x42>,
+- <&dmac2 0x43>, <&dmac2 0x42>;
+- dma-names = "tx", "rx", "tx", "rx";
++ dmas = <&dmac0 0x43>, <&dmac0 0x42>;
++ dma-names = "tx", "rx";
+ power-domains = <&sysc R8A77990_PD_ALWAYS_ON>;
+ resets = <&cpg 210>;
+ #address-cells = <1>;
+--
+2.25.1
+
--- /dev/null
+From 4a132167c58e62b28e77f5aa2b305389c80ef4e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Aug 2020 10:59:14 +0200
+Subject: arm64: dts: zynqmp: Remove additional compatible string for i2c IPs
+
+From: Michal Simek <michal.simek@xilinx.com>
+
+[ Upstream commit 35292518cb0a626fcdcabf739aed75060a018ab5 ]
+
+DT binding permits only one compatible string which was decribed in past by
+commit 63cab195bf49 ("i2c: removed work arounds in i2c driver for Zynq
+Ultrascale+ MPSoC").
+The commit aea37006e183 ("dt-bindings: i2c: cadence: Migrate i2c-cadence
+documentation to YAML") has converted binding to yaml and the following
+issues is reported:
+...: i2c@ff030000: compatible: Additional items are not allowed
+('cdns,i2c-r1p10' was unexpected)
+ From schema:
+.../Documentation/devicetree/bindings/i2c/cdns,i2c-r1p10.yaml fds
+...: i2c@ff030000: compatible: ['cdns,i2c-r1p14', 'cdns,i2c-r1p10'] is too
+long
+
+The commit c415f9e8304a ("ARM64: zynqmp: Fix i2c node's compatible string")
+has added the second compatible string but without removing origin one.
+The patch is only keeping one compatible string "cdns,i2c-r1p14".
+
+Fixes: c415f9e8304a ("ARM64: zynqmp: Fix i2c node's compatible string")
+Signed-off-by: Michal Simek <michal.simek@xilinx.com>
+Link: https://lore.kernel.org/r/cc294ae1a79ef845af6809ddb4049f0c0f5bb87a.1598259551.git.michal.simek@xilinx.com
+Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/xilinx/zynqmp.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/xilinx/zynqmp.dtsi b/arch/arm64/boot/dts/xilinx/zynqmp.dtsi
+index 9aa67340a4d8c..a2645262f8623 100644
+--- a/arch/arm64/boot/dts/xilinx/zynqmp.dtsi
++++ b/arch/arm64/boot/dts/xilinx/zynqmp.dtsi
+@@ -419,7 +419,7 @@ gpio: gpio@ff0a0000 {
+ };
+
+ i2c0: i2c@ff020000 {
+- compatible = "cdns,i2c-r1p14", "cdns,i2c-r1p10";
++ compatible = "cdns,i2c-r1p14";
+ status = "disabled";
+ interrupt-parent = <&gic>;
+ interrupts = <0 17 4>;
+@@ -429,7 +429,7 @@ i2c0: i2c@ff020000 {
+ };
+
+ i2c1: i2c@ff030000 {
+- compatible = "cdns,i2c-r1p14", "cdns,i2c-r1p10";
++ compatible = "cdns,i2c-r1p14";
+ status = "disabled";
+ interrupt-parent = <&gic>;
+ interrupts = <0 18 4>;
+--
+2.25.1
+
--- /dev/null
+From e38060a4b961846448f79d747311fa5f86df325e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Aug 2020 21:02:24 +0800
+Subject: ASoC: fsl: imx-es8328: add missing put_device() call in
+ imx_es8328_probe()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit e525db7e4b44c5b2b5aac0dad24e23cb58c54d22 ]
+
+if of_find_device_by_node() succeed, imx_es8328_probe() doesn't have
+a corresponding put_device(). Thus add a jump target to fix the exception
+handling for this function implementation.
+
+Fixes: 7e7292dba215 ("ASoC: fsl: add imx-es8328 machine driver")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20200825130224.1488694-1-yukuai3@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/imx-es8328.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/sound/soc/fsl/imx-es8328.c b/sound/soc/fsl/imx-es8328.c
+index 15a27a2cd0cae..fad1eb6253d53 100644
+--- a/sound/soc/fsl/imx-es8328.c
++++ b/sound/soc/fsl/imx-es8328.c
+@@ -145,13 +145,13 @@ static int imx_es8328_probe(struct platform_device *pdev)
+ data = devm_kzalloc(dev, sizeof(*data), GFP_KERNEL);
+ if (!data) {
+ ret = -ENOMEM;
+- goto fail;
++ goto put_device;
+ }
+
+ comp = devm_kzalloc(dev, 3 * sizeof(*comp), GFP_KERNEL);
+ if (!comp) {
+ ret = -ENOMEM;
+- goto fail;
++ goto put_device;
+ }
+
+ data->dev = dev;
+@@ -182,12 +182,12 @@ static int imx_es8328_probe(struct platform_device *pdev)
+ ret = snd_soc_of_parse_card_name(&data->card, "model");
+ if (ret) {
+ dev_err(dev, "Unable to parse card name\n");
+- goto fail;
++ goto put_device;
+ }
+ ret = snd_soc_of_parse_audio_routing(&data->card, "audio-routing");
+ if (ret) {
+ dev_err(dev, "Unable to parse routing: %d\n", ret);
+- goto fail;
++ goto put_device;
+ }
+ data->card.num_links = 1;
+ data->card.owner = THIS_MODULE;
+@@ -196,10 +196,12 @@ static int imx_es8328_probe(struct platform_device *pdev)
+ ret = snd_soc_register_card(&data->card);
+ if (ret) {
+ dev_err(dev, "Unable to register: %d\n", ret);
+- goto fail;
++ goto put_device;
+ }
+
+ platform_set_drvdata(pdev, data);
++put_device:
++ put_device(&ssi_pdev->dev);
+ fail:
+ of_node_put(ssi_np);
+ of_node_put(codec_np);
+--
+2.25.1
+
--- /dev/null
+From 3cae98325dbb7994c2274bd62a52559691a26538 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Sep 2020 18:26:00 +0800
+Subject: ASoC: fsl_sai: Instantiate snd_soc_dai_driver
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit 22a16145af824f91014d07f8664114859900b9e6 ]
+
+Instantiate snd_soc_dai_driver for independent symmetric control.
+Otherwise the symmetric setting may be overwritten by other
+instance.
+
+Fixes: 08fdf65e37d5 ("ASoC: fsl_sai: Add asynchronous mode support")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Link: https://lore.kernel.org/r/1600424760-32071-1-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_sai.c | 19 +++++++++++--------
+ sound/soc/fsl/fsl_sai.h | 1 +
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
+index 914b75c23d1bf..027259695551c 100644
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -694,7 +694,7 @@ static int fsl_sai_dai_probe(struct snd_soc_dai *cpu_dai)
+ return 0;
+ }
+
+-static struct snd_soc_dai_driver fsl_sai_dai = {
++static struct snd_soc_dai_driver fsl_sai_dai_template = {
+ .probe = fsl_sai_dai_probe,
+ .playback = {
+ .stream_name = "CPU-Playback",
+@@ -965,12 +965,15 @@ static int fsl_sai_probe(struct platform_device *pdev)
+ return ret;
+ }
+
++ memcpy(&sai->cpu_dai_drv, &fsl_sai_dai_template,
++ sizeof(fsl_sai_dai_template));
++
+ /* Sync Tx with Rx as default by following old DT binding */
+ sai->synchronous[RX] = true;
+ sai->synchronous[TX] = false;
+- fsl_sai_dai.symmetric_rates = 1;
+- fsl_sai_dai.symmetric_channels = 1;
+- fsl_sai_dai.symmetric_samplebits = 1;
++ sai->cpu_dai_drv.symmetric_rates = 1;
++ sai->cpu_dai_drv.symmetric_channels = 1;
++ sai->cpu_dai_drv.symmetric_samplebits = 1;
+
+ if (of_find_property(np, "fsl,sai-synchronous-rx", NULL) &&
+ of_find_property(np, "fsl,sai-asynchronous", NULL)) {
+@@ -987,9 +990,9 @@ static int fsl_sai_probe(struct platform_device *pdev)
+ /* Discard all settings for asynchronous mode */
+ sai->synchronous[RX] = false;
+ sai->synchronous[TX] = false;
+- fsl_sai_dai.symmetric_rates = 0;
+- fsl_sai_dai.symmetric_channels = 0;
+- fsl_sai_dai.symmetric_samplebits = 0;
++ sai->cpu_dai_drv.symmetric_rates = 0;
++ sai->cpu_dai_drv.symmetric_channels = 0;
++ sai->cpu_dai_drv.symmetric_samplebits = 0;
+ }
+
+ if (of_find_property(np, "fsl,sai-mclk-direction-output", NULL) &&
+@@ -1018,7 +1021,7 @@ static int fsl_sai_probe(struct platform_device *pdev)
+ pm_runtime_enable(&pdev->dev);
+
+ ret = devm_snd_soc_register_component(&pdev->dev, &fsl_component,
+- &fsl_sai_dai, 1);
++ &sai->cpu_dai_drv, 1);
+ if (ret)
+ goto err_pm_disable;
+
+diff --git a/sound/soc/fsl/fsl_sai.h b/sound/soc/fsl/fsl_sai.h
+index 6aba7d28f5f34..677ecfc1ec68f 100644
+--- a/sound/soc/fsl/fsl_sai.h
++++ b/sound/soc/fsl/fsl_sai.h
+@@ -180,6 +180,7 @@ struct fsl_sai {
+ unsigned int bclk_ratio;
+
+ const struct fsl_sai_soc_data *soc_data;
++ struct snd_soc_dai_driver cpu_dai_drv;
+ struct snd_dmaengine_dai_dma_data dma_params_rx;
+ struct snd_dmaengine_dai_dma_data dma_params_tx;
+ };
+--
+2.25.1
+
--- /dev/null
+From 385e4556b5366b6077b59049f8a0f3af099f0c61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Aug 2020 16:23:02 +0530
+Subject: ASoC: qcom: lpass-cpu: fix concurrency issue
+
+From: Rohit kumar <rohitkr@codeaurora.org>
+
+[ Upstream commit 753a6e17942f6f425ca622e1610625998312ad89 ]
+
+i2sctl register value is set to 0 during hw_free(). This
+impacts any ongoing concurrent session on the same i2s
+port. As trigger() stop already resets enable bit to 0,
+there is no need of explicit hw_free. Removing it to
+fix the issue.
+
+Fixes: 80beab8e1d86 ("ASoC: qcom: Add LPASS CPU DAI driver")
+Signed-off-by: Rohit kumar <rohitkr@codeaurora.org>
+Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/1597402388-14112-7-git-send-email-rohitkr@codeaurora.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/qcom/lpass-cpu.c | 16 ----------------
+ 1 file changed, 16 deletions(-)
+
+diff --git a/sound/soc/qcom/lpass-cpu.c b/sound/soc/qcom/lpass-cpu.c
+index dbce7e92baf3c..c5d6952a4a33f 100644
+--- a/sound/soc/qcom/lpass-cpu.c
++++ b/sound/soc/qcom/lpass-cpu.c
+@@ -174,21 +174,6 @@ static int lpass_cpu_daiops_hw_params(struct snd_pcm_substream *substream,
+ return 0;
+ }
+
+-static int lpass_cpu_daiops_hw_free(struct snd_pcm_substream *substream,
+- struct snd_soc_dai *dai)
+-{
+- struct lpass_data *drvdata = snd_soc_dai_get_drvdata(dai);
+- int ret;
+-
+- ret = regmap_write(drvdata->lpaif_map,
+- LPAIF_I2SCTL_REG(drvdata->variant, dai->driver->id),
+- 0);
+- if (ret)
+- dev_err(dai->dev, "error writing to i2sctl reg: %d\n", ret);
+-
+- return ret;
+-}
+-
+ static int lpass_cpu_daiops_prepare(struct snd_pcm_substream *substream,
+ struct snd_soc_dai *dai)
+ {
+@@ -269,7 +254,6 @@ const struct snd_soc_dai_ops asoc_qcom_lpass_cpu_dai_ops = {
+ .startup = lpass_cpu_daiops_startup,
+ .shutdown = lpass_cpu_daiops_shutdown,
+ .hw_params = lpass_cpu_daiops_hw_params,
+- .hw_free = lpass_cpu_daiops_hw_free,
+ .prepare = lpass_cpu_daiops_prepare,
+ .trigger = lpass_cpu_daiops_trigger,
+ };
+--
+2.25.1
+
--- /dev/null
+From 2eb949a858fbd71fc2136ec8884ff5e1d874f6e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Aug 2020 16:23:00 +0530
+Subject: ASoC: qcom: lpass-platform: fix memory leak
+
+From: Rohit kumar <rohitkr@codeaurora.org>
+
+[ Upstream commit 5fd188215d4eb52703600d8986b22311099a5940 ]
+
+lpass_pcm_data is never freed. Free it in close
+ops to avoid memory leak.
+
+Fixes: 022d00ee0b55 ("ASoC: lpass-platform: Fix broken pcm data usage")
+Signed-off-by: Rohit kumar <rohitkr@codeaurora.org>
+Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/1597402388-14112-5-git-send-email-rohitkr@codeaurora.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/qcom/lpass-platform.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/qcom/lpass-platform.c b/sound/soc/qcom/lpass-platform.c
+index 4c745baa39f73..9acaef81dd74c 100644
+--- a/sound/soc/qcom/lpass-platform.c
++++ b/sound/soc/qcom/lpass-platform.c
+@@ -61,7 +61,7 @@ static int lpass_platform_pcmops_open(struct snd_pcm_substream *substream)
+ int ret, dma_ch, dir = substream->stream;
+ struct lpass_pcm_data *data;
+
+- data = devm_kzalloc(soc_runtime->dev, sizeof(*data), GFP_KERNEL);
++ data = kzalloc(sizeof(*data), GFP_KERNEL);
+ if (!data)
+ return -ENOMEM;
+
+@@ -119,6 +119,7 @@ static int lpass_platform_pcmops_close(struct snd_pcm_substream *substream)
+ if (v->free_dma_channel)
+ v->free_dma_channel(drvdata, data->dma_ch);
+
++ kfree(data);
+ return 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From c26664fa3a714e8364ecfc7ea76946df99b14f0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Sep 2020 19:31:39 +0200
+Subject: ASoC: tlv320aic32x4: Fix bdiv clock rate derivation
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+[ Upstream commit 40b37136287ba6b34aa2f1f6123f3d6d205dc2f0 ]
+
+Current code expects a single channel to be always used. Fix this
+situation by forwarding the number of channels used. Then fix the
+derivation of the bdiv clock rate.
+
+Fixes: 96c3bb00239d ("ASoC: tlv320aic32x4: Dynamically Determine Clocking")
+Suggested-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/r/20200911173140.29984-3-miquel.raynal@bootlin.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tlv320aic32x4.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/tlv320aic32x4.c b/sound/soc/codecs/tlv320aic32x4.c
+index 68165de1c8dea..7a1ffbaf48be5 100644
+--- a/sound/soc/codecs/tlv320aic32x4.c
++++ b/sound/soc/codecs/tlv320aic32x4.c
+@@ -662,7 +662,7 @@ static int aic32x4_set_processing_blocks(struct snd_soc_component *component,
+ }
+
+ static int aic32x4_setup_clocks(struct snd_soc_component *component,
+- unsigned int sample_rate)
++ unsigned int sample_rate, unsigned int channels)
+ {
+ u8 aosr;
+ u16 dosr;
+@@ -750,7 +750,9 @@ static int aic32x4_setup_clocks(struct snd_soc_component *component,
+ dosr);
+
+ clk_set_rate(clocks[5].clk,
+- sample_rate * 32);
++ sample_rate * 32 *
++ channels);
++
+ return 0;
+ }
+ }
+@@ -772,7 +774,8 @@ static int aic32x4_hw_params(struct snd_pcm_substream *substream,
+ u8 iface1_reg = 0;
+ u8 dacsetup_reg = 0;
+
+- aic32x4_setup_clocks(component, params_rate(params));
++ aic32x4_setup_clocks(component, params_rate(params),
++ params_channels(params));
+
+ switch (params_width(params)) {
+ case 16:
+--
+2.25.1
+
--- /dev/null
+From 6aea8cab73778ca67fa373a802481d0329cd4b9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jun 2020 18:11:05 -0400
+Subject: ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n()
+
+From: Zekun Shen <bruceshenzk@gmail.com>
+
+[ Upstream commit bad60b8d1a7194df38fd7fe4b22f3f4dcf775099 ]
+
+The idx in __ath10k_htt_rx_ring_fill_n function lives in
+consistent dma region writable by the device. Malfunctional
+or malicious device could manipulate such idx to have a OOB
+write. Either by
+ htt->rx_ring.netbufs_ring[idx] = skb;
+or by
+ ath10k_htt_set_paddrs_ring(htt, paddr, idx);
+
+The idx can also be negative as it's signed, giving a large
+memory space to write to.
+
+It's possibly exploitable by corruptting a legit pointer with
+a skb pointer. And then fill skb with payload as rougue object.
+
+Part of the log here. Sometimes it appears as UAF when writing
+to a freed memory by chance.
+
+ [ 15.594376] BUG: unable to handle page fault for address: ffff887f5c1804f0
+ [ 15.595483] #PF: supervisor write access in kernel mode
+ [ 15.596250] #PF: error_code(0x0002) - not-present page
+ [ 15.597013] PGD 0 P4D 0
+ [ 15.597395] Oops: 0002 [#1] SMP KASAN PTI
+ [ 15.597967] CPU: 0 PID: 82 Comm: kworker/u2:2 Not tainted 5.6.0 #69
+ [ 15.598843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
+ BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+ [ 15.600438] Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core]
+ [ 15.601389] RIP: 0010:__ath10k_htt_rx_ring_fill_n
+ (linux/drivers/net/wireless/ath/ath10k/htt_rx.c:173) ath10k_core
+
+Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200623221105.3486-1-bruceshenzk@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/htt_rx.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
+index 9f0e7b4943ec6..8ca0a808a644d 100644
+--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
+@@ -142,6 +142,14 @@ static int __ath10k_htt_rx_ring_fill_n(struct ath10k_htt *htt, int num)
+ BUILD_BUG_ON(HTT_RX_RING_FILL_LEVEL >= HTT_RX_RING_SIZE / 2);
+
+ idx = __le32_to_cpu(*htt->rx_ring.alloc_idx.vaddr);
++
++ if (idx < 0 || idx >= htt->rx_ring.size) {
++ ath10k_err(htt->ar, "rx ring index is not valid, firmware malfunctioning?\n");
++ idx &= htt->rx_ring.size_mask;
++ ret = -ENOMEM;
++ goto fail;
++ }
++
+ while (num > 0) {
+ skb = dev_alloc_skb(HTT_RX_BUF_SIZE + HTT_RX_DESC_ALIGN);
+ if (!skb) {
+--
+2.25.1
+
--- /dev/null
+From 0470ac8685a5f667d2a5c05fe0c06b1d7cf67237 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 14:22:27 +0200
+Subject: ath10k: Fix the size used in a 'dma_free_coherent()' call in an error
+ handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 454530a9950b5a26d4998908249564cedfc4babc ]
+
+Update the size used in 'dma_free_coherent()' in order to match the one
+used in the corresponding 'dma_alloc_coherent()'.
+
+Fixes: 1863008369ae ("ath10k: fix shadow register implementation for WCN3990")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Rakesh Pillai <pillair@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200802122227.678637-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/ce.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/ce.c b/drivers/net/wireless/ath/ath10k/ce.c
+index eca87f7c5b6c1..01e05af5ae085 100644
+--- a/drivers/net/wireless/ath/ath10k/ce.c
++++ b/drivers/net/wireless/ath/ath10k/ce.c
+@@ -1555,7 +1555,7 @@ ath10k_ce_alloc_src_ring(struct ath10k *ar, unsigned int ce_id,
+ ret = ath10k_ce_alloc_shadow_base(ar, src_ring, nentries);
+ if (ret) {
+ dma_free_coherent(ar->dev,
+- (nentries * sizeof(struct ce_desc_64) +
++ (nentries * sizeof(struct ce_desc) +
+ CE_DESC_RING_ALIGN),
+ src_ring->base_addr_owner_space_unaligned,
+ base_addr);
+--
+2.25.1
+
--- /dev/null
+From e9cf25c876ac2ca7557cce33f4f8a3e5f17b9c5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Jun 2020 20:29:03 +0300
+Subject: ath10k: provide survey info as accumulated data
+
+From: Venkateswara Naralasetty <vnaralas@codeaurora.org>
+
+[ Upstream commit 720e5c03e5cb26d33d97f55192b791bb48478aa5 ]
+
+It is expected that the returned counters by .get_survey are monotonic
+increasing. But the data from ath10k gets reset to zero regularly. Channel
+active/busy time are then showing incorrect values (less than previous or
+sometimes zero) for the currently active channel during successive survey
+dump commands.
+
+example:
+
+ $ iw dev wlan0 survey dump
+ Survey data from wlan0
+ frequency: 5180 MHz [in use]
+ channel active time: 54995 ms
+ channel busy time: 432 ms
+ channel receive time: 0 ms
+ channel transmit time: 59 ms
+ ...
+
+ $ iw dev wlan0 survey dump
+ Survey data from wlan0
+ frequency: 5180 MHz [in use]
+ channel active time: 32592 ms
+ channel busy time: 254 ms
+ channel receive time: 0 ms
+ channel transmit time: 0 ms
+ ...
+
+The correct way to handle this is to use the non-clearing
+WMI_BSS_SURVEY_REQ_TYPE_READ wmi_bss_survey_req_type. The firmware will
+then accumulate the survey data and handle wrap arounds.
+
+Tested-on: QCA9984 hw1.0 10.4-3.5.3-00057
+Tested-on: QCA988X hw2.0 10.2.4-1.0-00047
+Tested-on: QCA9888 hw2.0 10.4-3.9.0.2-00024
+Tested-on: QCA4019 hw1.0 10.4-3.6-00140
+
+Fixes: fa7937e3d5c2 ("ath10k: update bss channel survey information")
+Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
+Tested-by: Markus Theil <markus.theil@tu-ilmenau.de>
+Tested-by: John Deere <24601deerej@gmail.com>
+[sven@narfation.org: adjust commit message]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1592232686-28712-1-git-send-email-kvalo@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index d373602a80145..915ba2a7f7448 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -7131,7 +7131,7 @@ ath10k_mac_update_bss_chan_survey(struct ath10k *ar,
+ struct ieee80211_channel *channel)
+ {
+ int ret;
+- enum wmi_bss_survey_req_type type = WMI_BSS_SURVEY_REQ_TYPE_READ_CLEAR;
++ enum wmi_bss_survey_req_type type = WMI_BSS_SURVEY_REQ_TYPE_READ;
+
+ lockdep_assert_held(&ar->conf_mutex);
+
+--
+2.25.1
+
--- /dev/null
+From 849d1ec50dcf73f629647d9865b418d74f4b6165 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 17:13:15 +0300
+Subject: ath6kl: prevent potential array overflow in ath6kl_add_new_sta()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 54f9ab7b870934b70e5a21786d951fbcf663970f ]
+
+The value for "aid" comes from skb->data so Smatch marks it as
+untrusted. If it's invalid then it can result in an out of bounds array
+access in ath6kl_add_new_sta().
+
+Fixes: 572e27c00c9d ("ath6kl: Fix AP mode connect event parsing and TIM updates")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200813141315.GB457408@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath6kl/main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/main.c b/drivers/net/wireless/ath/ath6kl/main.c
+index 5e7ea838a9218..814131a0680a4 100644
+--- a/drivers/net/wireless/ath/ath6kl/main.c
++++ b/drivers/net/wireless/ath/ath6kl/main.c
+@@ -430,6 +430,9 @@ void ath6kl_connect_ap_mode_sta(struct ath6kl_vif *vif, u16 aid, u8 *mac_addr,
+
+ ath6kl_dbg(ATH6KL_DBG_TRC, "new station %pM aid=%d\n", mac_addr, aid);
+
++ if (aid < 1 || aid > AP_MAX_NUM_STA)
++ return;
++
+ if (assoc_req_len > sizeof(struct ieee80211_hdr_3addr)) {
+ struct ieee80211_mgmt *mgmt =
+ (struct ieee80211_mgmt *) assoc_info;
+--
+2.25.1
+
--- /dev/null
+From 962546d225d6fa1dd1037b22549180f50bca919a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Sep 2020 17:27:32 +0300
+Subject: ath6kl: wmi: prevent a shift wrapping bug in
+ ath6kl_wmi_delete_pstream_cmd()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 6a950755cec1a90ddaaff3e4acb5333617441c32 ]
+
+The "tsid" is a user controlled u8 which comes from debugfs. Values
+more than 15 are invalid because "active_tsids" is a 16 bit variable.
+If the value of "tsid" is more than 31 then that leads to a shift
+wrapping bug.
+
+Fixes: 8fffd9e5ec9e ("ath6kl: Implement support for QOS-enable and QOS-disable from userspace")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200918142732.GA909725@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath6kl/wmi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
+index 2382c6c46851e..c610fe21c85c0 100644
+--- a/drivers/net/wireless/ath/ath6kl/wmi.c
++++ b/drivers/net/wireless/ath/ath6kl/wmi.c
+@@ -2645,6 +2645,11 @@ int ath6kl_wmi_delete_pstream_cmd(struct wmi *wmi, u8 if_idx, u8 traffic_class,
+ return -EINVAL;
+ }
+
++ if (tsid >= 16) {
++ ath6kl_err("invalid tsid: %d\n", tsid);
++ return -EINVAL;
++ }
++
+ skb = ath6kl_wmi_get_new_buf(sizeof(*cmd));
+ if (!skb)
+ return -ENOMEM;
+--
+2.25.1
+
--- /dev/null
+From 467f5dd0d3a2f7d984271ca1e0a8a244e5031148 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 17:12:53 +0300
+Subject: ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 2705cd7558e718a7240c64eb0afb2edad5f8c190 ]
+
+The value of "htc_hdr->endpoint_id" comes from skb->data so Smatch marks
+it as untrusted so we have to check it before using it as an array
+offset.
+
+This is similar to a bug that syzkaller found in commit e4ff08a4d727
+("ath9k: Fix use-after-free Write in ath9k_htc_rx_msg") so it is
+probably a real issue.
+
+Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200813141253.GA457408@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc_hst.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
+index d2e062eaf5614..510e61e97dbcb 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
+@@ -339,6 +339,8 @@ void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle,
+
+ if (skb) {
+ htc_hdr = (struct htc_frame_hdr *) skb->data;
++ if (htc_hdr->endpoint_id >= ARRAY_SIZE(htc_handle->endpoint))
++ goto ret;
+ endpoint = &htc_handle->endpoint[htc_hdr->endpoint_id];
+ skb_pull(skb, sizeof(struct htc_frame_hdr));
+
+--
+2.25.1
+
--- /dev/null
+From 1418d1585503d0b7b2715687dea18d3f1a38deca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Sep 2020 03:14:27 -0400
+Subject: ath9k: hif_usb: fix race condition between usb_get_urb() and
+ usb_kill_anchored_urbs()
+
+From: Brooke Basile <brookebasile@gmail.com>
+
+[ Upstream commit 03fb92a432ea5abe5909bca1455b7e44a9380480 ]
+
+Calls to usb_kill_anchored_urbs() after usb_kill_urb() on multiprocessor
+systems create a race condition in which usb_kill_anchored_urbs() deallocates
+the URB before the completer callback is called in usb_kill_urb(), resulting
+in a use-after-free.
+To fix this, add proper lock protection to usb_kill_urb() calls that can
+possibly run concurrently with usb_kill_anchored_urbs().
+
+Reported-by: syzbot+89bd486af9427a9fc605@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=cabffad18eb74197f84871802fd2c5117b61febf
+Signed-off-by: Brooke Basile <brookebasile@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200911071427.32354-1-brookebasile@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/hif_usb.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
+index 3f563e02d17da..2ed98aaed6fb5 100644
+--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
+@@ -449,10 +449,19 @@ static void hif_usb_stop(void *hif_handle)
+ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+
+ /* The pending URBs have to be canceled. */
++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
+ list_for_each_entry_safe(tx_buf, tx_buf_tmp,
+ &hif_dev->tx.tx_pending, list) {
++ usb_get_urb(tx_buf->urb);
++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+ usb_kill_urb(tx_buf->urb);
++ list_del(&tx_buf->list);
++ usb_free_urb(tx_buf->urb);
++ kfree(tx_buf->buf);
++ kfree(tx_buf);
++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
+ }
++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+
+ usb_kill_anchored_urbs(&hif_dev->mgmt_submitted);
+ }
+@@ -762,27 +771,37 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev)
+ struct tx_buf *tx_buf = NULL, *tx_buf_tmp = NULL;
+ unsigned long flags;
+
++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
+ list_for_each_entry_safe(tx_buf, tx_buf_tmp,
+ &hif_dev->tx.tx_buf, list) {
++ usb_get_urb(tx_buf->urb);
++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+ usb_kill_urb(tx_buf->urb);
+ list_del(&tx_buf->list);
+ usb_free_urb(tx_buf->urb);
+ kfree(tx_buf->buf);
+ kfree(tx_buf);
++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
+ }
++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+
+ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
+ hif_dev->tx.flags |= HIF_USB_TX_FLUSH;
+ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+
++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
+ list_for_each_entry_safe(tx_buf, tx_buf_tmp,
+ &hif_dev->tx.tx_pending, list) {
++ usb_get_urb(tx_buf->urb);
++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+ usb_kill_urb(tx_buf->urb);
+ list_del(&tx_buf->list);
+ usb_free_urb(tx_buf->urb);
+ kfree(tx_buf->buf);
+ kfree(tx_buf);
++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
+ }
++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+
+ usb_kill_anchored_urbs(&hif_dev->mgmt_submitted);
+ }
+--
+2.25.1
+
--- /dev/null
+From 8cd6e0d18523bd3987fa19be091e0e89e8199215 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 14:38:17 +0800
+Subject: backlight: sky81452-backlight: Fix refcount imbalance on error
+
+From: dinghao.liu@zju.edu.cn <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit b7a4f80bc316a56d6ec8750e93e66f42431ed960 ]
+
+When of_property_read_u32_array() returns an error code, a
+pairing refcount decrement is needed to keep np's refcount
+balanced.
+
+Fixes: f705806c9f355 ("backlight: Add support Skyworks SKY81452 backlight driver")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/sky81452-backlight.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/video/backlight/sky81452-backlight.c b/drivers/video/backlight/sky81452-backlight.c
+index 2355f00f57732..1f6301375fd33 100644
+--- a/drivers/video/backlight/sky81452-backlight.c
++++ b/drivers/video/backlight/sky81452-backlight.c
+@@ -196,6 +196,7 @@ static struct sky81452_bl_platform_data *sky81452_bl_parse_dt(
+ num_entry);
+ if (ret < 0) {
+ dev_err(dev, "led-sources node is invalid.\n");
++ of_node_put(np);
+ return ERR_PTR(-EINVAL);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 25c2ec63cc358ba677fd723955e583f0092e8880 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Aug 2020 18:53:59 +0200
+Subject: binder: Remove bogus warning on failed same-process transaction
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit e8b8ae7ce32e17a5c29f0289e9e2a39c7dcaa1b8 ]
+
+While binder transactions with the same binder_proc as sender and recipient
+are forbidden, transactions with the same task_struct as sender and
+recipient are possible (even though currently there is a weird check in
+binder_transaction() that rejects them in the target==0 case).
+Therefore, task_struct identities can't be used to distinguish whether
+the caller is running in the context of the sender or the recipient.
+
+Since I see no easy way to make this WARN_ON() useful and correct, let's
+just remove it.
+
+Fixes: 44d8047f1d87 ("binder: use standard functions to allocate fds")
+Reported-by: syzbot+e113a0b970b7b3f394ba@syzkaller.appspotmail.com
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Acked-by: Todd Kjos <tkjos@google.com>
+Signed-off-by: Jann Horn <jannh@google.com>
+Link: https://lore.kernel.org/r/20200806165359.2381483-1-jannh@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/android/binder.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/android/binder.c b/drivers/android/binder.c
+index 0f56a82615389..b62b1ab6bb699 100644
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2326,8 +2326,6 @@ static void binder_transaction_buffer_release(struct binder_proc *proc,
+ * file is done when the transaction is torn
+ * down.
+ */
+- WARN_ON(failed_at &&
+- proc->tsk == current->group_leader);
+ } break;
+ case BINDER_TYPE_PTR:
+ /*
+--
+2.25.1
+
--- /dev/null
+From f584084898a7f28d9493c553d5c685cd24f8ab53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Oct 2020 01:00:14 -0700
+Subject: blk-mq: move cancel of hctx->run_work to the front of blk_exit_queue
+
+From: Yang Yang <yang.yang@vivo.com>
+
+[ Upstream commit 47ce030b7ac5a5259a9a5919f230b52497afc31a ]
+
+blk_exit_queue will free elevator_data, while blk_mq_run_work_fn
+will access it. Move cancel of hctx->run_work to the front of
+blk_exit_queue to avoid use-after-free.
+
+Fixes: 1b97871b501f ("blk-mq: move cancel of hctx->run_work into blk_mq_hw_sysfs_release")
+Signed-off-by: Yang Yang <yang.yang@vivo.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq-sysfs.c | 2 --
+ block/blk-sysfs.c | 9 ++++++++-
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/block/blk-mq-sysfs.c b/block/blk-mq-sysfs.c
+index a09ab0c3d074d..5dafd7a8ec913 100644
+--- a/block/blk-mq-sysfs.c
++++ b/block/blk-mq-sysfs.c
+@@ -36,8 +36,6 @@ static void blk_mq_hw_sysfs_release(struct kobject *kobj)
+ struct blk_mq_hw_ctx *hctx = container_of(kobj, struct blk_mq_hw_ctx,
+ kobj);
+
+- cancel_delayed_work_sync(&hctx->run_work);
+-
+ if (hctx->flags & BLK_MQ_F_BLOCKING)
+ cleanup_srcu_struct(hctx->srcu);
+ blk_free_flush_queue(hctx->fq);
+diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
+index 46f5198be0173..bf33570da5ac7 100644
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -891,9 +891,16 @@ static void __blk_release_queue(struct work_struct *work)
+
+ blk_free_queue_stats(q->stats);
+
+- if (queue_is_mq(q))
++ if (queue_is_mq(q)) {
++ struct blk_mq_hw_ctx *hctx;
++ int i;
++
+ cancel_delayed_work_sync(&q->requeue_work);
+
++ queue_for_each_hw_ctx(q, hctx, i)
++ cancel_delayed_work_sync(&hctx->run_work);
++ }
++
+ blk_exit_queue(q);
+
+ blk_queue_free_zone_bitmaps(q);
+--
+2.25.1
+
--- /dev/null
+From b9e252426dbafe91e01ee3e81076a1753a119fee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Oct 2020 22:37:23 +0900
+Subject: block: ratelimit handle_bad_sector() message
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit f4ac712e4fe009635344b9af5d890fe25fcc8c0d ]
+
+syzbot is reporting unkillable task [1], for the caller is failing to
+handle a corrupted filesystem image which attempts to access beyond
+the end of the device. While we need to fix the caller, flooding the
+console with handle_bad_sector() message is unlikely useful.
+
+[1] https://syzkaller.appspot.com/bug?id=f1f49fb971d7a3e01bd8ab8cff2ff4572ccf3092
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-core.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/block/blk-core.c b/block/blk-core.c
+index 81aafb601df06..d2213220099d3 100644
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -743,11 +743,10 @@ static void handle_bad_sector(struct bio *bio, sector_t maxsector)
+ {
+ char b[BDEVNAME_SIZE];
+
+- printk(KERN_INFO "attempt to access beyond end of device\n");
+- printk(KERN_INFO "%s: rw=%d, want=%Lu, limit=%Lu\n",
+- bio_devname(bio, b), bio->bi_opf,
+- (unsigned long long)bio_end_sector(bio),
+- (long long)maxsector);
++ pr_info_ratelimited("attempt to access beyond end of device\n"
++ "%s: rw=%d, want=%llu, limit=%llu\n",
++ bio_devname(bio, b), bio->bi_opf,
++ bio_end_sector(bio), maxsector);
+ }
+
+ #ifdef CONFIG_FAIL_MAKE_REQUEST
+--
+2.25.1
+
--- /dev/null
+From 8987380924cd0e8ce4f71f5099f6e0dc0a5b63bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Aug 2020 15:44:21 +0800
+Subject: Bluetooth: btusb: Fix memleak in btusb_mtk_submit_wmt_recv_urb
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit d33fe77bdf75806d785dabf90d21d962122e5296 ]
+
+When kmalloc() on buf fails, urb should be freed just like
+when kmalloc() on dr fails.
+
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index f3f0529564da0..b326eeddaadf0 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -2664,6 +2664,7 @@ static int btusb_mtk_submit_wmt_recv_urb(struct hci_dev *hdev)
+ buf = kmalloc(size, GFP_KERNEL);
+ if (!buf) {
+ kfree(dr);
++ usb_free_urb(urb);
+ return -ENOMEM;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 5b95ca52c87f0d945f4d4197f97f1396f87fd4bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Aug 2020 11:29:56 -0500
+Subject: Bluetooth: hci_uart: Cancel init work before unregistering
+
+From: Samuel Holland <samuel@sholland.org>
+
+[ Upstream commit 3b799254cf6f481460719023d7a18f46651e5e7f ]
+
+If hci_uart_tty_close() or hci_uart_unregister_device() is called while
+hu->init_ready is scheduled, hci_register_dev() could be called after
+the hci_uart is torn down. Avoid this by ensuring the work is complete
+or canceled before checking the HCI_UART_REGISTERED flag.
+
+Fixes: 9f2aee848fe6 ("Bluetooth: Add delayed init sequence support for UART controllers")
+Signed-off-by: Samuel Holland <samuel@sholland.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_ldisc.c | 1 +
+ drivers/bluetooth/hci_serdev.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index 85a30fb9177bb..f83d67eafc9f0 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -538,6 +538,7 @@ static void hci_uart_tty_close(struct tty_struct *tty)
+ clear_bit(HCI_UART_PROTO_READY, &hu->flags);
+ percpu_up_write(&hu->proto_lock);
+
++ cancel_work_sync(&hu->init_ready);
+ cancel_work_sync(&hu->write_work);
+
+ if (hdev) {
+diff --git a/drivers/bluetooth/hci_serdev.c b/drivers/bluetooth/hci_serdev.c
+index ad2f26cb2622e..5b9aa73ff2b7f 100644
+--- a/drivers/bluetooth/hci_serdev.c
++++ b/drivers/bluetooth/hci_serdev.c
+@@ -357,6 +357,8 @@ void hci_uart_unregister_device(struct hci_uart *hu)
+ struct hci_dev *hdev = hu->hdev;
+
+ clear_bit(HCI_UART_PROTO_READY, &hu->flags);
++
++ cancel_work_sync(&hu->init_ready);
+ if (test_bit(HCI_UART_REGISTERED, &hu->flags))
+ hci_unregister_dev(hdev);
+ hci_free_dev(hdev);
+--
+2.25.1
+
--- /dev/null
+From 58c4555c2cd4f21abc79106b1bcaab9d49143dce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Sep 2020 15:33:18 -0700
+Subject: Bluetooth: Only mark socket zapped after unlocking
+
+From: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
+
+[ Upstream commit 20ae4089d0afeb24e9ceb026b996bfa55c983cc2 ]
+
+Since l2cap_sock_teardown_cb doesn't acquire the channel lock before
+setting the socket as zapped, it could potentially race with
+l2cap_sock_release which frees the socket. Thus, wait until the cleanup
+is complete before marking the socket as zapped.
+
+This race was reproduced on a JBL GO speaker after the remote device
+rejected L2CAP connection due to resource unavailability.
+
+Here is a dmesg log with debug logs from a repro of this bug:
+[ 3465.424086] Bluetooth: hci_core.c:hci_acldata_packet() hci0 len 16 handle 0x0003 flags 0x0002
+[ 3465.424090] Bluetooth: hci_conn.c:hci_conn_enter_active_mode() hcon 00000000cfedd07d mode 0
+[ 3465.424094] Bluetooth: l2cap_core.c:l2cap_recv_acldata() conn 000000007eae8952 len 16 flags 0x2
+[ 3465.424098] Bluetooth: l2cap_core.c:l2cap_recv_frame() len 12, cid 0x0001
+[ 3465.424102] Bluetooth: l2cap_core.c:l2cap_raw_recv() conn 000000007eae8952
+[ 3465.424175] Bluetooth: l2cap_core.c:l2cap_sig_channel() code 0x03 len 8 id 0x0c
+[ 3465.424180] Bluetooth: l2cap_core.c:l2cap_connect_create_rsp() dcid 0x0045 scid 0x0000 result 0x02 status 0x00
+[ 3465.424189] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 4
+[ 3465.424196] Bluetooth: l2cap_core.c:l2cap_chan_del() chan 000000006acf9bff, conn 000000007eae8952, err 111, state BT_CONNECT
+[ 3465.424203] Bluetooth: l2cap_sock.c:l2cap_sock_teardown_cb() chan 000000006acf9bff state BT_CONNECT
+[ 3465.424221] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 3
+[ 3465.424226] Bluetooth: hci_core.h:hci_conn_drop() hcon 00000000cfedd07d orig refcnt 6
+[ 3465.424234] BUG: spinlock bad magic on CPU#2, kworker/u17:0/159
+[ 3465.425626] Bluetooth: hci_sock.c:hci_sock_sendmsg() sock 000000002bb0cb64 sk 00000000a7964053
+[ 3465.430330] lock: 0xffffff804410aac0, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
+[ 3465.430332] Causing a watchdog bite!
+
+Signed-off-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
+Reported-by: Balakrishna Godavarthi <bgodavar@codeaurora.org>
+Reviewed-by: Manish Mandlik <mmandlik@chromium.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_sock.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index 40e96a610e2b4..8648c5211ebe6 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1344,8 +1344,6 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
+
+ parent = bt_sk(sk)->parent;
+
+- sock_set_flag(sk, SOCK_ZAPPED);
+-
+ switch (chan->state) {
+ case BT_OPEN:
+ case BT_BOUND:
+@@ -1372,8 +1370,11 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err)
+
+ break;
+ }
+-
+ release_sock(sk);
++
++ /* Only zap after cleanup to avoid use after free race */
++ sock_set_flag(sk, SOCK_ZAPPED);
++
+ }
+
+ static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state,
+--
+2.25.1
+
--- /dev/null
+From 459e61c2c37aedb0da2b79c8019127c06a9aa6e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Sep 2020 23:10:07 +0200
+Subject: bpf: Limit caller's stack depth 256 for subprogs with tailcalls
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit 7f6e4312e15a5c370e84eaa685879b6bdcc717e4 ]
+
+Protect against potential stack overflow that might happen when bpf2bpf
+calls get combined with tailcalls. Limit the caller's stack depth for
+such case down to 256 so that the worst case scenario would result in 8k
+stack size (32 which is tailcall limit * 256 = 8k).
+
+Suggested-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf_verifier.h | 1 +
+ kernel/bpf/verifier.c | 29 +++++++++++++++++++++++++++++
+ 2 files changed, 30 insertions(+)
+
+diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
+index 26a6d58ca78cc..81c7ea83e8079 100644
+--- a/include/linux/bpf_verifier.h
++++ b/include/linux/bpf_verifier.h
+@@ -342,6 +342,7 @@ struct bpf_subprog_info {
+ u32 start; /* insn idx of function entry point */
+ u32 linfo_idx; /* The idx to the main_prog->aux->linfo */
+ u16 stack_depth; /* max. stack depth used by this function */
++ bool has_tail_call;
+ };
+
+ /* single container for all structs
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index ae27dd77a73cb..507474f79195f 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -1160,6 +1160,10 @@ static int check_subprogs(struct bpf_verifier_env *env)
+ for (i = 0; i < insn_cnt; i++) {
+ u8 code = insn[i].code;
+
++ if (code == (BPF_JMP | BPF_CALL) &&
++ insn[i].imm == BPF_FUNC_tail_call &&
++ insn[i].src_reg != BPF_PSEUDO_CALL)
++ subprog[cur_subprog].has_tail_call = true;
+ if (BPF_CLASS(code) != BPF_JMP && BPF_CLASS(code) != BPF_JMP32)
+ goto next;
+ if (BPF_OP(code) == BPF_EXIT || BPF_OP(code) == BPF_CALL)
+@@ -2612,6 +2616,31 @@ static int check_max_stack_depth(struct bpf_verifier_env *env)
+ int ret_prog[MAX_CALL_FRAMES];
+
+ process_func:
++ /* protect against potential stack overflow that might happen when
++ * bpf2bpf calls get combined with tailcalls. Limit the caller's stack
++ * depth for such case down to 256 so that the worst case scenario
++ * would result in 8k stack size (32 which is tailcall limit * 256 =
++ * 8k).
++ *
++ * To get the idea what might happen, see an example:
++ * func1 -> sub rsp, 128
++ * subfunc1 -> sub rsp, 256
++ * tailcall1 -> add rsp, 256
++ * func2 -> sub rsp, 192 (total stack size = 128 + 192 = 320)
++ * subfunc2 -> sub rsp, 64
++ * subfunc22 -> sub rsp, 128
++ * tailcall2 -> add rsp, 128
++ * func3 -> sub rsp, 32 (total stack size 128 + 192 + 64 + 32 = 416)
++ *
++ * tailcall will unwind the current stack frame but it will not get rid
++ * of caller's stack as shown on the example above.
++ */
++ if (idx && subprog[idx].has_tail_call && depth >= 256) {
++ verbose(env,
++ "tail_calls are not allowed when call stack of previous frames is %d bytes. Too large\n",
++ depth);
++ return -EACCES;
++ }
+ /* round up to 32-bytes, since this is granularity
+ * of interpreter stack size
+ */
+--
+2.25.1
+
--- /dev/null
+From 3829c8358bd92807abad531df7a765155815829b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jul 2020 17:36:05 +0800
+Subject: brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach
+
+From: Wang Yufen <wangyufen@huawei.com>
+
+[ Upstream commit 6c151410d5b57e6bb0d91a735ac511459539a7bf ]
+
+When brcmf_proto_msgbuf_attach fail and msgbuf->txflow_wq != NULL,
+we should destroy the workqueue.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Yufen <wangyufen@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1595237765-66238-1-git-send-email-wangyufen@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
+index e3dd8623be4ec..c2705d7a4247e 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
+@@ -1619,6 +1619,8 @@ int brcmf_proto_msgbuf_attach(struct brcmf_pub *drvr)
+ BRCMF_TX_IOCTL_MAX_MSG_SIZE,
+ msgbuf->ioctbuf,
+ msgbuf->ioctbuf_handle);
++ if (msgbuf->txflow_wq)
++ destroy_workqueue(msgbuf->txflow_wq);
+ kfree(msgbuf);
+ }
+ return -ENOMEM;
+--
+2.25.1
+
--- /dev/null
+From e7fcfb20caef512cb1a5f96b5b6473c7bdb4d96c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 09:18:04 -0700
+Subject: brcmfmac: check ndev pointer
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 9c9f015bc9f8839831c7ba0a6d731a3853c464e2 ]
+
+Clang static analysis reports this error
+
+brcmfmac/core.c:490:4: warning: Dereference of null pointer
+ (*ifp)->ndev->stats.rx_errors++;
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In this block of code
+
+ if (ret || !(*ifp) || !(*ifp)->ndev) {
+ if (ret != -ENODATA && *ifp)
+ (*ifp)->ndev->stats.rx_errors++;
+ brcmu_pkt_buf_free_skb(skb);
+ return -ENODATA;
+ }
+
+(*ifp)->ndev being NULL is caught as an error
+But then it is used to report the error.
+
+So add a check before using it.
+
+Fixes: 91b632803ee4 ("brcmfmac: Use net_device_stats from struct net_device")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200802161804.6126-1-trix@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+index 85cf96461ddeb..e9bb8dbdc9aa8 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -483,7 +483,7 @@ static int brcmf_rx_hdrpull(struct brcmf_pub *drvr, struct sk_buff *skb,
+ ret = brcmf_proto_hdrpull(drvr, true, skb, ifp);
+
+ if (ret || !(*ifp) || !(*ifp)->ndev) {
+- if (ret != -ENODATA && *ifp)
++ if (ret != -ENODATA && *ifp && (*ifp)->ndev)
+ (*ifp)->ndev->stats.rx_errors++;
+ brcmu_pkt_buf_free_skb(skb);
+ return -ENODATA;
+--
+2.25.1
+
--- /dev/null
+From 1008e6dce86b98737abbb6ac32e7e84bb5b441dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Sep 2020 12:17:41 +0000
+Subject: brcmsmac: fix memory leak in wlc_phy_attach_lcnphy
+
+From: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
+
+[ Upstream commit f4443293d741d1776b86ed1dd8c4e4285d0775fc ]
+
+When wlc_phy_txpwr_srom_read_lcnphy fails in wlc_phy_attach_lcnphy,
+the allocated pi->u.pi_lcnphy is leaked, since struct brcms_phy will be
+freed in the caller function.
+
+Fix this by calling wlc_phy_detach_lcnphy in the error handler of
+wlc_phy_txpwr_srom_read_lcnphy before returning.
+
+Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200908121743.23108-1-keitasuzuki.park@sslab.ics.keio.ac.jp
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c
+index 7ef36234a25dc..66797dc5e90d5 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c
+@@ -5065,8 +5065,10 @@ bool wlc_phy_attach_lcnphy(struct brcms_phy *pi)
+ pi->pi_fptr.radioloftget = wlc_lcnphy_get_radio_loft;
+ pi->pi_fptr.detach = wlc_phy_detach_lcnphy;
+
+- if (!wlc_phy_txpwr_srom_read_lcnphy(pi))
++ if (!wlc_phy_txpwr_srom_read_lcnphy(pi)) {
++ kfree(pi->u.pi_lcnphy);
+ return false;
++ }
+
+ if (LCNREV_IS(pi->pubpi.phy_rev, 1)) {
+ if (pi_lcn->lcnphy_tempsense_option == 3) {
+--
+2.25.1
+
--- /dev/null
+From 31201d27f834e3fd721b416b1a30c4d7529a8ec1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Sep 2020 16:44:19 +0200
+Subject: can: flexcan: flexcan_chip_stop(): add error handling and propagate
+ error value
+
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+
+[ Upstream commit 9ad02c7f4f279504bdd38ab706fdc97d5f2b2a9c ]
+
+This patch implements error handling and propagates the error value of
+flexcan_chip_stop(). This function will be called from flexcan_suspend()
+in an upcoming patch in some SoCs which support LPSR mode.
+
+Add a new function flexcan_chip_stop_disable_on_error() that tries to
+disable the chip even in case of errors.
+
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+[mkl: introduce flexcan_chip_stop_disable_on_error() and use it in flexcan_close()]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Link: https://lore.kernel.org/r/20200922144429.2613631-11-mkl@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/flexcan.c | 34 ++++++++++++++++++++++++++++------
+ 1 file changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
+index e5c207ad3c77d..aaa7ed1dc97ee 100644
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -1232,18 +1232,23 @@ static int flexcan_chip_start(struct net_device *dev)
+ return err;
+ }
+
+-/* flexcan_chip_stop
++/* __flexcan_chip_stop
+ *
+- * this functions is entered with clocks enabled
++ * this function is entered with clocks enabled
+ */
+-static void flexcan_chip_stop(struct net_device *dev)
++static int __flexcan_chip_stop(struct net_device *dev, bool disable_on_error)
+ {
+ struct flexcan_priv *priv = netdev_priv(dev);
+ struct flexcan_regs __iomem *regs = priv->regs;
++ int err;
+
+ /* freeze + disable module */
+- flexcan_chip_freeze(priv);
+- flexcan_chip_disable(priv);
++ err = flexcan_chip_freeze(priv);
++ if (err && !disable_on_error)
++ return err;
++ err = flexcan_chip_disable(priv);
++ if (err && !disable_on_error)
++ goto out_chip_unfreeze;
+
+ /* Disable all interrupts */
+ priv->write(0, ®s->imask2);
+@@ -1253,6 +1258,23 @@ static void flexcan_chip_stop(struct net_device *dev)
+
+ flexcan_transceiver_disable(priv);
+ priv->can.state = CAN_STATE_STOPPED;
++
++ return 0;
++
++ out_chip_unfreeze:
++ flexcan_chip_unfreeze(priv);
++
++ return err;
++}
++
++static inline int flexcan_chip_stop_disable_on_error(struct net_device *dev)
++{
++ return __flexcan_chip_stop(dev, true);
++}
++
++static inline int flexcan_chip_stop(struct net_device *dev)
++{
++ return __flexcan_chip_stop(dev, false);
+ }
+
+ static int flexcan_open(struct net_device *dev)
+@@ -1341,7 +1363,7 @@ static int flexcan_close(struct net_device *dev)
+
+ netif_stop_queue(dev);
+ can_rx_offload_disable(&priv->offload);
+- flexcan_chip_stop(dev);
++ flexcan_chip_stop_disable_on_error(dev);
+
+ can_rx_offload_del(&priv->offload);
+ free_irq(dev->irq, dev);
+--
+2.25.1
+
--- /dev/null
+From 838d16997734cda37b9a2605e12bafe0e836f6d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Aug 2020 09:59:10 +0300
+Subject: clk: at91: clk-main: update key before writing AT91_CKGR_MOR
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit 85d071e7f19a6a9abf30476b90b3819642568756 ]
+
+SAMA5D2 datasheet specifies on chapter 33.22.8 (PMC Clock Generator
+Main Oscillator Register) that writing any value other than
+0x37 on KEY field aborts the write operation. Use the key when
+selecting main clock parent.
+
+Fixes: 27cb1c2083373 ("clk: at91: rework main clk implementation")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Reviewed-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/1598338751-20607-3-git-send-email-claudiu.beznea@microchip.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/at91/clk-main.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/at91/clk-main.c b/drivers/clk/at91/clk-main.c
+index 37c22667e8319..4313ecb2af5b2 100644
+--- a/drivers/clk/at91/clk-main.c
++++ b/drivers/clk/at91/clk-main.c
+@@ -437,12 +437,17 @@ static int clk_sam9x5_main_set_parent(struct clk_hw *hw, u8 index)
+ return -EINVAL;
+
+ regmap_read(regmap, AT91_CKGR_MOR, &tmp);
+- tmp &= ~MOR_KEY_MASK;
+
+ if (index && !(tmp & AT91_PMC_MOSCSEL))
+- regmap_write(regmap, AT91_CKGR_MOR, tmp | AT91_PMC_MOSCSEL);
++ tmp = AT91_PMC_MOSCSEL;
+ else if (!index && (tmp & AT91_PMC_MOSCSEL))
+- regmap_write(regmap, AT91_CKGR_MOR, tmp & ~AT91_PMC_MOSCSEL);
++ tmp = 0;
++ else
++ return 0;
++
++ regmap_update_bits(regmap, AT91_CKGR_MOR,
++ AT91_PMC_MOSCSEL | MOR_KEY_MASK,
++ tmp | AT91_PMC_KEY);
+
+ while (!clk_sam9x5_main_ready(regmap))
+ cpu_relax();
+--
+2.25.1
+
--- /dev/null
+From c0d1bb6eae85ed98544f2de6d4db04734e316205 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Aug 2020 18:11:58 -0500
+Subject: clk: bcm2835: add missing release if devm_clk_hw_register fails
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit f6c992ca7dd4f49042eec61f3fb426c94d901675 ]
+
+In the implementation of bcm2835_register_pll(), the allocated pll is
+leaked if devm_clk_hw_register() fails to register hw. Release pll if
+devm_clk_hw_register() fails.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Link: https://lore.kernel.org/r/20200809231202.15811-1-navid.emamdoost@gmail.com
+Fixes: 41691b8862e2 ("clk: bcm2835: Add support for programming the audio domain clocks")
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/bcm/clk-bcm2835.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c
+index 45420b514149f..c5486537b9284 100644
+--- a/drivers/clk/bcm/clk-bcm2835.c
++++ b/drivers/clk/bcm/clk-bcm2835.c
+@@ -1336,8 +1336,10 @@ static struct clk_hw *bcm2835_register_pll(struct bcm2835_cprman *cprman,
+ pll->hw.init = &init;
+
+ ret = devm_clk_hw_register(cprman->dev, &pll->hw);
+- if (ret)
++ if (ret) {
++ kfree(pll);
+ return NULL;
++ }
+ return &pll->hw;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From b9f9a6160e52ad5b96304beb39f567fe34ce190f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Oct 2020 12:25:44 +0300
+Subject: clk: imx8mq: Fix usdhc parents order
+
+From: Abel Vesa <abel.vesa@nxp.com>
+
+[ Upstream commit b159c63d82ff8ffddc6c6f0eb881b113b36ecad7 ]
+
+According to the latest RM (see Table 5-1. Clock Root Table),
+both usdhc root clocks have the parent order as follows:
+
+000 - 25M_REF_CLK
+001 - SYSTEM_PLL1_DIV2
+010 - SYSTEM_PLL1_CLK
+011 - SYSTEM_PLL2_DIV2
+100 - SYSTEM_PLL3_CLK
+101 - SYSTEM_PLL1_DIV3
+110 - AUDIO_PLL2_CLK
+111 - SYSTEM_PLL1_DIV8
+
+So the audio_pll2_out and sys3_pll_out have to be swapped.
+
+Fixes: b80522040cd3 ("clk: imx: Add clock driver for i.MX8MQ CCM")
+Signed-off-by: Abel Vesa <abel.vesa@nxp.com>
+Reported-by: Cosmin Stefan Stoica <cosmin.stoica@nxp.com>
+Link: https://lore.kernel.org/r/1602753944-30757-1-git-send-email-abel.vesa@nxp.com
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx8mq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx8mq.c b/drivers/clk/imx/clk-imx8mq.c
+index 41fc9c63356ea..1846bd879dd71 100644
+--- a/drivers/clk/imx/clk-imx8mq.c
++++ b/drivers/clk/imx/clk-imx8mq.c
+@@ -157,10 +157,10 @@ static const char * const imx8mq_qspi_sels[] = {"osc_25m", "sys1_pll_400m", "sys
+ "audio_pll2_out", "sys1_pll_266m", "sys3_pll_out", "sys1_pll_100m", };
+
+ static const char * const imx8mq_usdhc1_sels[] = {"osc_25m", "sys1_pll_400m", "sys1_pll_800m", "sys2_pll_500m",
+- "audio_pll2_out", "sys1_pll_266m", "sys3_pll_out", "sys1_pll_100m", };
++ "sys3_pll_out", "sys1_pll_266m", "audio_pll2_out", "sys1_pll_100m", };
+
+ static const char * const imx8mq_usdhc2_sels[] = {"osc_25m", "sys1_pll_400m", "sys1_pll_800m", "sys2_pll_500m",
+- "audio_pll2_out", "sys1_pll_266m", "sys3_pll_out", "sys1_pll_100m", };
++ "sys3_pll_out", "sys1_pll_266m", "audio_pll2_out", "sys1_pll_100m", };
+
+ static const char * const imx8mq_i2c1_sels[] = {"osc_25m", "sys1_pll_160m", "sys2_pll_50m", "sys3_pll_out", "audio_pll1_out",
+ "video_pll1_out", "audio_pll2_out", "sys1_pll_133m", };
+--
+2.25.1
+
--- /dev/null
+From 2654c10b33b14b410f64d49c501efd07ee9d53b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Sep 2020 11:57:38 +0300
+Subject: clk: keystone: sci-clk: fix parsing assigned-clock data during probe
+
+From: Tero Kristo <t-kristo@ti.com>
+
+[ Upstream commit 2f05cced7307489faab873367fb20cd212e1d890 ]
+
+The DT clock probe loop incorrectly terminates after processing "clocks"
+only, fix this by re-starting the loop when all entries for current
+DT property have been parsed.
+
+Fixes: 8e48b33f9def ("clk: keystone: sci-clk: probe clocks from DT instead of firmware")
+Reported-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Tero Kristo <t-kristo@ti.com>
+Link: https://lore.kernel.org/r/20200907085740.1083-2-t-kristo@ti.com
+Acked-by: Santosh Shilimkar <ssantosh@kernel.org>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/keystone/sci-clk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/keystone/sci-clk.c b/drivers/clk/keystone/sci-clk.c
+index 7edf8c8432b67..64ea895f1a7df 100644
+--- a/drivers/clk/keystone/sci-clk.c
++++ b/drivers/clk/keystone/sci-clk.c
+@@ -522,7 +522,7 @@ static int ti_sci_scan_clocks_from_dt(struct sci_clk_provider *provider)
+ np = of_find_node_with_property(np, *clk_name);
+ if (!np) {
+ clk_name++;
+- break;
++ continue;
+ }
+
+ if (!of_device_is_available(np))
+--
+2.25.1
+
--- /dev/null
+From fd89685fbb1bca33d22e1ba58162621d9f568158 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 21:30:16 +0800
+Subject: clk: mediatek: add UART0 clock support
+
+From: Hanks Chen <hanks.chen@mediatek.com>
+
+[ Upstream commit 804a892456b73604b7ecfb1b00a96a29f3d2aedf ]
+
+Add MT6779 UART0 clock support.
+
+Fixes: 710774e04861 ("clk: mediatek: Add MT6779 clock support")
+Signed-off-by: Wendell Lin <wendell.lin@mediatek.com>
+Signed-off-by: Hanks Chen <hanks.chen@mediatek.com>
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/mediatek/clk-mt6779.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/clk/mediatek/clk-mt6779.c b/drivers/clk/mediatek/clk-mt6779.c
+index 608a9a6621a37..00920182bbe63 100644
+--- a/drivers/clk/mediatek/clk-mt6779.c
++++ b/drivers/clk/mediatek/clk-mt6779.c
+@@ -919,6 +919,8 @@ static const struct mtk_gate infra_clks[] = {
+ "pwm_sel", 19),
+ GATE_INFRA0(CLK_INFRA_PWM, "infra_pwm",
+ "pwm_sel", 21),
++ GATE_INFRA0(CLK_INFRA_UART0, "infra_uart0",
++ "uart_sel", 22),
+ GATE_INFRA0(CLK_INFRA_UART1, "infra_uart1",
+ "uart_sel", 23),
+ GATE_INFRA0(CLK_INFRA_UART2, "infra_uart2",
+--
+2.25.1
+
--- /dev/null
+From e5681c2b0fe91b939412974659c18e9f9f2752f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Aug 2020 17:52:05 +0200
+Subject: clk: meson: g12a: mark fclk_div2 as critical
+
+From: Stefan Agner <stefan@agner.ch>
+
+[ Upstream commit 2c4e80e06790cb49ad2603855d30c5aac2209c47 ]
+
+On Amlogic Meson G12b platform, similar to fclk_div3, the fclk_div2
+seems to be necessary for the system to operate correctly as well.
+
+Typically, the clock also gets chosen by the eMMC peripheral. This
+probably masked the problem so far. However, when booting from a SD
+card the clock seems to get disabled which leads to a system freeze.
+
+Let's mark this clock as critical, fixing boot from SD card on G12b
+platforms.
+
+Fixes: 085a4ea93d54 ("clk: meson: g12a: add peripheral clock controller")
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Tested-by: Anand Moon <linux.amoon@gmail.com>
+Cc: Marek Szyprowski <m.szyprowski@samsung.com>
+Link: https://lore.kernel.org/r/577e0129e8ee93972d92f13187ff4e4286182f67.1598629915.git.stefan@agner.ch
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/meson/g12a.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c
+index d2760a021301d..3143e16065de6 100644
+--- a/drivers/clk/meson/g12a.c
++++ b/drivers/clk/meson/g12a.c
+@@ -298,6 +298,17 @@ static struct clk_regmap g12a_fclk_div2 = {
+ &g12a_fclk_div2_div.hw
+ },
+ .num_parents = 1,
++ /*
++ * Similar to fclk_div3, it seems that this clock is used by
++ * the resident firmware and is required by the platform to
++ * operate correctly.
++ * Until the following condition are met, we need this clock to
++ * be marked as critical:
++ * a) Mark the clock used by a firmware resource, if possible
++ * b) CCF has a clock hand-off mechanism to make the sure the
++ * clock stays on until the proper driver comes along
++ */
++ .flags = CLK_IS_CRITICAL,
+ },
+ };
+
+--
+2.25.1
+
--- /dev/null
+From 722368b63c0307a57eae4e7d498577438a3a9fa4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Sep 2020 14:09:09 +0200
+Subject: clk: qcom: gcc-sdm660: Fix wrong parent_map
+
+From: Konrad Dybcio <konradybcio@gmail.com>
+
+[ Upstream commit d46e5a39f9be9288f1ce2170c4c7f8098f4e7f68 ]
+
+This was likely overlooked while porting the driver upstream.
+
+Reported-by: Pavel Dubrova <pashadubrova@gmail.com>
+Signed-off-by: Konrad Dybcio <konradybcio@gmail.com>
+Link: https://lore.kernel.org/r/20200922120909.97203-1-konradybcio@gmail.com
+Fixes: f2a76a2955c0 ("clk: qcom: Add Global Clock controller (GCC) driver for SDM660")
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gcc-sdm660.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/qcom/gcc-sdm660.c b/drivers/clk/qcom/gcc-sdm660.c
+index c6fb57cd576f5..aa5c0c6ead017 100644
+--- a/drivers/clk/qcom/gcc-sdm660.c
++++ b/drivers/clk/qcom/gcc-sdm660.c
+@@ -666,7 +666,7 @@ static struct clk_rcg2 hmss_rbcpr_clk_src = {
+ .cmd_rcgr = 0x48044,
+ .mnd_width = 0,
+ .hid_width = 5,
+- .parent_map = gcc_parent_map_xo_gpll0_gpll0_early_div,
++ .parent_map = gcc_parent_map_xo_gpll0,
+ .freq_tbl = ftbl_hmss_rbcpr_clk_src,
+ .clkr.hw.init = &(struct clk_init_data){
+ .name = "hmss_rbcpr_clk_src",
+--
+2.25.1
+
--- /dev/null
+From f9ae763ab8a94ce18e0a6388e23c5483cc5f7b49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Sep 2020 17:41:44 -0700
+Subject: clk: rockchip: Initialize hw to error to avoid undefined behavior
+
+From: Stephen Boyd <sboyd@kernel.org>
+
+[ Upstream commit b608f11d49ec671739604cc763248d8e8fadbbeb ]
+
+We can get down to this return value from ERR_CAST() without
+initializing hw. Set it to -ENOMEM so that we always return something
+sane.
+
+Fixes the following smatch warning:
+
+drivers/clk/rockchip/clk-half-divider.c:228 rockchip_clk_register_halfdiv() error: uninitialized symbol 'hw'.
+drivers/clk/rockchip/clk-half-divider.c:228 rockchip_clk_register_halfdiv() warn: passing zero to 'ERR_CAST'
+
+Cc: Elaine Zhang <zhangqing@rock-chips.com>
+Cc: Heiko Stuebner <heiko@sntech.de>
+Fixes: 956060a52795 ("clk: rockchip: add support for half divider")
+Reviewed-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/rockchip/clk-half-divider.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/rockchip/clk-half-divider.c b/drivers/clk/rockchip/clk-half-divider.c
+index ba9f00dc9740c..7dd2e0b1a5866 100644
+--- a/drivers/clk/rockchip/clk-half-divider.c
++++ b/drivers/clk/rockchip/clk-half-divider.c
+@@ -167,7 +167,7 @@ struct clk *rockchip_clk_register_halfdiv(const char *name,
+ unsigned long flags,
+ spinlock_t *lock)
+ {
+- struct clk *clk;
++ struct clk *clk = ERR_PTR(-ENOMEM);
+ struct clk_mux *mux = NULL;
+ struct clk_gate *gate = NULL;
+ struct clk_divider *div = NULL;
+--
+2.25.1
+
--- /dev/null
+From 6cc98dc027df70fef436465cef665a9caa2b2749 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Sep 2020 10:34:56 -0600
+Subject: coresight: etm: perf: Fix warning caused by etm_setup_aux failure
+
+From: Tingwei Zhang <tingwei@codeaurora.org>
+
+[ Upstream commit 716f5652a13122364a65e694386b9b26f5e98c51 ]
+
+When coresight_build_path() fails on all the cpus, etm_setup_aux
+calls etm_free_aux() to free allocated event_data.
+WARN_ON(cpumask_empty(mask) will be triggered since cpu mask is empty.
+Check event_data->snk_config is not NULL first to avoid this
+warning.
+
+Fixes: f5200aa9831f38 ("coresight: perf: Refactor function free_event_data()")
+Reviewed-by: Mike Leach <mike.leach@linaro.org>
+Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Tingwei Zhang <tingwei@codeaurora.org>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Link: https://lore.kernel.org/r/20200928163513.70169-9-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-etm-perf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-etm-perf.c b/drivers/hwtracing/coresight/coresight-etm-perf.c
+index c4b9898e28418..9b0c5d719232f 100644
+--- a/drivers/hwtracing/coresight/coresight-etm-perf.c
++++ b/drivers/hwtracing/coresight/coresight-etm-perf.c
+@@ -126,10 +126,10 @@ static void free_sink_buffer(struct etm_event_data *event_data)
+ cpumask_t *mask = &event_data->mask;
+ struct coresight_device *sink;
+
+- if (WARN_ON(cpumask_empty(mask)))
++ if (!event_data->snk_config)
+ return;
+
+- if (!event_data->snk_config)
++ if (WARN_ON(cpumask_empty(mask)))
+ return;
+
+ cpu = cpumask_first(mask);
+--
+2.25.1
+
--- /dev/null
+From f0f88735e1bb2658233af03e7372812ae033e799 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Sep 2020 13:17:31 -0600
+Subject: coresight: etm4x: Handle unreachable sink in perf mode
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+[ Upstream commit 859d510e58dac94f0b204b7b5cccafbc130d2291 ]
+
+If the specified/hinted sink is not reachable from a subset of the CPUs,
+we could end up unable to trace the event on those CPUs. This
+is the best effort we could do until we support 1:1 configurations.
+Fail gracefully in such cases avoiding a WARN_ON, which can be easily
+triggered by the user on certain platforms (Arm N1SDP), with the following
+trace paths :
+
+ CPU0
+ \
+ -- Funnel0 --> ETF0 -->
+ / \
+ CPU1 \
+ MainFunnel
+ CPU2 /
+ \ /
+ -- Funnel1 --> ETF1 -->
+ /
+ CPU1
+
+$ perf record --per-thread -e cs_etm/@ETF0/u -- <app>
+
+could trigger the following WARNING, when the event is scheduled
+on CPU2.
+
+[10919.513250] ------------[ cut here ]------------
+[10919.517861] WARNING: CPU: 2 PID: 24021 at
+drivers/hwtracing/coresight/coresight-etm-perf.c:316 etm_event_start+0xf8/0x100
+...
+
+[10919.564403] CPU: 2 PID: 24021 Comm: perf Not tainted 5.8.0+ #24
+[10919.570308] pstate: 80400089 (Nzcv daIf +PAN -UAO BTYPE=--)
+[10919.575865] pc : etm_event_start+0xf8/0x100
+[10919.580034] lr : etm_event_start+0x80/0x100
+[10919.584202] sp : fffffe001932f940
+[10919.587502] x29: fffffe001932f940 x28: fffffc834995f800
+[10919.592799] x27: 0000000000000000 x26: fffffe0011f3ced0
+[10919.598095] x25: fffffc837fce244c x24: fffffc837fce2448
+[10919.603391] x23: 0000000000000002 x22: fffffc8353529c00
+[10919.608688] x21: fffffc835bb31000 x20: 0000000000000000
+[10919.613984] x19: fffffc837fcdcc70 x18: 0000000000000000
+[10919.619281] x17: 0000000000000000 x16: 0000000000000000
+[10919.624577] x15: 0000000000000000 x14: 00000000000009f8
+[10919.629874] x13: 00000000000009f8 x12: 0000000000000018
+[10919.635170] x11: 0000000000000000 x10: 0000000000000000
+[10919.640467] x9 : fffffe00108cd168 x8 : 0000000000000000
+[10919.645763] x7 : 0000000000000020 x6 : 0000000000000001
+[10919.651059] x5 : 0000000000000002 x4 : 0000000000000001
+[10919.656356] x3 : 0000000000000000 x2 : 0000000000000000
+[10919.661652] x1 : fffffe836eb40000 x0 : 0000000000000000
+[10919.666949] Call trace:
+[10919.669382] etm_event_start+0xf8/0x100
+[10919.673203] etm_event_add+0x40/0x60
+[10919.676765] event_sched_in.isra.134+0xcc/0x210
+[10919.681281] merge_sched_in+0xb0/0x2a8
+[10919.685017] visit_groups_merge.constprop.140+0x15c/0x4b8
+[10919.690400] ctx_sched_in+0x15c/0x170
+[10919.694048] perf_event_sched_in+0x6c/0xa0
+[10919.698130] ctx_resched+0x60/0xa0
+[10919.701517] perf_event_exec+0x288/0x2f0
+[10919.705425] begin_new_exec+0x4c8/0xf58
+[10919.709247] load_elf_binary+0x66c/0xf30
+[10919.713155] exec_binprm+0x15c/0x450
+[10919.716716] __do_execve_file+0x508/0x748
+[10919.720711] __arm64_sys_execve+0x40/0x50
+[10919.724707] do_el0_svc+0xf4/0x1b8
+[10919.728095] el0_sync_handler+0xf8/0x124
+[10919.732003] el0_sync+0x140/0x180
+
+Even though we don't support using separate sinks for the ETMs yet (e.g,
+for 1:1 configurations), we should at least honor the user's choice and
+handle the limitations gracefully, by simply skipping the tracing on ETMs
+which can't reach the requested sink.
+
+Fixes: f9d81a657bb8 ("coresight: perf: Allow tracing on hotplugged CPUs")
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Cc: Mike Leach <mike.leach@linaro.org>
+Reported-by: Jeremy Linton <jeremy.linton@arm.com>
+Tested-by: Jeremy Linton <jeremy.linton@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Link: https://lore.kernel.org/r/20200916191737.4001561-11-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-etm-perf.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/hwtracing/coresight/coresight-etm-perf.c b/drivers/hwtracing/coresight/coresight-etm-perf.c
+index 84f1dcb698272..c4b9898e28418 100644
+--- a/drivers/hwtracing/coresight/coresight-etm-perf.c
++++ b/drivers/hwtracing/coresight/coresight-etm-perf.c
+@@ -310,6 +310,16 @@ static void etm_event_start(struct perf_event *event, int flags)
+ if (!event_data)
+ goto fail;
+
++ /*
++ * Check if this ETM is allowed to trace, as decided
++ * at etm_setup_aux(). This could be due to an unreachable
++ * sink from this ETM. We can't do much in this case if
++ * the sink was specified or hinted to the driver. For
++ * now, simply don't record anything on this ETM.
++ */
++ if (!cpumask_test_cpu(cpu, &event_data->mask))
++ goto fail_end_stop;
++
+ path = etm_event_cpu_path(event_data, cpu);
+ /* We need a sink, no need to continue without one */
+ sink = coresight_get_sink(path);
+--
+2.25.1
+
--- /dev/null
+From f063a4270cc3f04cf2145070049c758adafc72fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Sep 2020 15:27:16 +0200
+Subject: cpufreq: armada-37xx: Add missing MODULE_DEVICE_TABLE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit c942d1542f1bc5001216fabce9cb8ffbe515777e ]
+
+CONFIG_ARM_ARMADA_37XX_CPUFREQ is tristate option and therefore this
+cpufreq driver can be compiled as a module. This patch adds missing
+MODULE_DEVICE_TABLE which generates correct modalias for automatic
+loading of this cpufreq driver when is compiled as an external module.
+
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Fixes: 92ce45fb875d7 ("cpufreq: Add DVFS support for Armada 37xx")
+[ Viresh: Added __maybe_unused ]
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/armada-37xx-cpufreq.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/cpufreq/armada-37xx-cpufreq.c b/drivers/cpufreq/armada-37xx-cpufreq.c
+index df1c941260d14..b4af4094309b0 100644
+--- a/drivers/cpufreq/armada-37xx-cpufreq.c
++++ b/drivers/cpufreq/armada-37xx-cpufreq.c
+@@ -484,6 +484,12 @@ static int __init armada37xx_cpufreq_driver_init(void)
+ /* late_initcall, to guarantee the driver is loaded after A37xx clock driver */
+ late_initcall(armada37xx_cpufreq_driver_init);
+
++static const struct of_device_id __maybe_unused armada37xx_cpufreq_of_match[] = {
++ { .compatible = "marvell,armada-3700-nb-pm" },
++ { },
++};
++MODULE_DEVICE_TABLE(of, armada37xx_cpufreq_of_match);
++
+ MODULE_AUTHOR("Gregory CLEMENT <gregory.clement@free-electrons.com>");
+ MODULE_DESCRIPTION("Armada 37xx cpufreq driver");
+ MODULE_LICENSE("GPL");
+--
+2.25.1
+
--- /dev/null
+From 7bf594853081ea196eb8ad57cb0d7929f4530a68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Sep 2020 13:32:54 +0530
+Subject: cpufreq: powernv: Fix frame-size-overflow in
+ powernv_cpufreq_reboot_notifier
+
+From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+
+[ Upstream commit a2d0230b91f7e23ceb5d8fb6a9799f30517ec33a ]
+
+The patch avoids allocating cpufreq_policy on stack hence fixing frame
+size overflow in 'powernv_cpufreq_reboot_notifier':
+
+ drivers/cpufreq/powernv-cpufreq.c: In function powernv_cpufreq_reboot_notifier:
+ drivers/cpufreq/powernv-cpufreq.c:906:1: error: the frame size of 2064 bytes is larger than 2048 bytes
+
+Fixes: cf30af76 ("cpufreq: powernv: Set the cpus to nominal frequency during reboot/kexec")
+Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Reviewed-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200922080254.41497-1-srikar@linux.vnet.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/powernv-cpufreq.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/cpufreq/powernv-cpufreq.c b/drivers/cpufreq/powernv-cpufreq.c
+index 3a2f022f6bde2..bc6ccf2c7aae0 100644
+--- a/drivers/cpufreq/powernv-cpufreq.c
++++ b/drivers/cpufreq/powernv-cpufreq.c
+@@ -884,12 +884,15 @@ static int powernv_cpufreq_reboot_notifier(struct notifier_block *nb,
+ unsigned long action, void *unused)
+ {
+ int cpu;
+- struct cpufreq_policy cpu_policy;
++ struct cpufreq_policy *cpu_policy;
+
+ rebooting = true;
+ for_each_online_cpu(cpu) {
+- cpufreq_get_policy(&cpu_policy, cpu);
+- powernv_cpufreq_target_index(&cpu_policy, get_nominal_index());
++ cpu_policy = cpufreq_cpu_get(cpu);
++ if (!cpu_policy)
++ continue;
++ powernv_cpufreq_target_index(cpu_policy, get_nominal_index());
++ cpufreq_cpu_put(cpu_policy);
+ }
+
+ return NOTIFY_DONE;
+--
+2.25.1
+
--- /dev/null
+From ae5dd30aaad32950f940bd24d7978f55b9e78174 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Jul 2020 17:03:27 +1000
+Subject: crypto: algif_skcipher - EBUSY on aio should be an error
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 2a05b029c1ee045b886ebf9efef9985ca23450de ]
+
+I removed the MAY_BACKLOG flag on the aio path a while ago but
+the error check still incorrectly interpreted EBUSY as success.
+This may cause the submitter to wait for a request that will never
+complete.
+
+Fixes: dad419970637 ("crypto: algif_skcipher - Do not set...")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/algif_skcipher.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
+index 81c4022285a7c..30069a92a9b22 100644
+--- a/crypto/algif_skcipher.c
++++ b/crypto/algif_skcipher.c
+@@ -123,7 +123,7 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
+ crypto_skcipher_decrypt(&areq->cra_u.skcipher_req);
+
+ /* AIO operation in progress */
+- if (err == -EINPROGRESS || err == -EBUSY)
++ if (err == -EINPROGRESS)
+ return -EIOCBQUEUED;
+
+ sock_put(sk);
+--
+2.25.1
+
--- /dev/null
+From c80fb227d17347cee07fde6c07d802e0fd54ccb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Sep 2020 13:34:35 +0200
+Subject: crypto: ccp - fix error handling
+
+From: Pavel Machek <pavel@denx.de>
+
+[ Upstream commit e356c49c6cf0db3f00e1558749170bd56e47652d ]
+
+Fix resource leak in error handling.
+
+Signed-off-by: Pavel Machek (CIP) <pavel@denx.de>
+Acked-by: John Allen <john.allen@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/ccp-ops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
+index 64112c736810e..7234b95241e91 100644
+--- a/drivers/crypto/ccp/ccp-ops.c
++++ b/drivers/crypto/ccp/ccp-ops.c
+@@ -1746,7 +1746,7 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
+ break;
+ default:
+ ret = -EINVAL;
+- goto e_ctx;
++ goto e_data;
+ }
+ } else {
+ /* Stash the context */
+--
+2.25.1
+
--- /dev/null
+From e550764889334060c7bc407c03ece97bfa8f06ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 16:56:48 +0200
+Subject: crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit f7ade9aaf66bd5599690acf0597df2c0f6cd825a ]
+
+Update the size used in 'dma_free_coherent()' in order to match the one
+used in the corresponding 'dma_alloc_coherent()', in 'setup_crypt_desc()'.
+
+Fixes: 81bef0150074 ("crypto: ixp4xx - Hardware crypto support for IXP4xx CPUs")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ixp4xx_crypto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c
+index 9181523ba7607..acaa504d5a798 100644
+--- a/drivers/crypto/ixp4xx_crypto.c
++++ b/drivers/crypto/ixp4xx_crypto.c
+@@ -527,7 +527,7 @@ static void release_ixp_crypto(struct device *dev)
+
+ if (crypt_virt) {
+ dma_free_coherent(dev,
+- NPE_QLEN_TOTAL * sizeof( struct crypt_ctl),
++ NPE_QLEN * sizeof(struct crypt_ctl),
+ crypt_virt, crypt_phys);
+ }
+ }
+--
+2.25.1
+
--- /dev/null
+From e57f0a962765b7ab8ea20b5e77163c32d09d08a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 19:15:32 +0800
+Subject: crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc()
+
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+
+[ Upstream commit 8cbde6c6a6d2b1599ff90f932304aab7e32fce89 ]
+
+In case of memory allocation failure, a negative error code should
+be returned.
+
+Fixes: 785e5c616c849 ("crypto: mediatek - Add crypto driver support for some MediaTek chips")
+Cc: Ryder Lee <ryder.lee@mediatek.com>
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/mediatek/mtk-platform.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/mediatek/mtk-platform.c b/drivers/crypto/mediatek/mtk-platform.c
+index 7e3ad085b5bdd..ef4339e84d034 100644
+--- a/drivers/crypto/mediatek/mtk-platform.c
++++ b/drivers/crypto/mediatek/mtk-platform.c
+@@ -442,7 +442,7 @@ static void mtk_desc_dma_free(struct mtk_cryp *cryp)
+ static int mtk_desc_ring_alloc(struct mtk_cryp *cryp)
+ {
+ struct mtk_ring **ring = cryp->ring;
+- int i, err = ENOMEM;
++ int i;
+
+ for (i = 0; i < MTK_RING_MAX; i++) {
+ ring[i] = kzalloc(sizeof(**ring), GFP_KERNEL);
+@@ -476,7 +476,7 @@ static int mtk_desc_ring_alloc(struct mtk_cryp *cryp)
+ ring[i]->cmd_base, ring[i]->cmd_dma);
+ kfree(ring[i]);
+ }
+- return err;
++ return -ENOMEM;
+ }
+
+ static int mtk_crypto_probe(struct platform_device *pdev)
+--
+2.25.1
+
--- /dev/null
+From a855ece137c39a1aa66fa786f3a19fff1b1b8713 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Sep 2020 10:56:24 +0300
+Subject: crypto: omap-sham - fix digcnt register handling with export/import
+
+From: Tero Kristo <t-kristo@ti.com>
+
+[ Upstream commit 3faf757bad75f3fc1b2736f0431e295a073a7423 ]
+
+Running export/import for hashes in peculiar order (mostly done by
+openssl) can mess up the internal book keeping of the OMAP SHA core.
+Fix by forcibly writing the correct DIGCNT back to hardware. This issue
+was noticed while transitioning to openssl 1.1 support.
+
+Fixes: 0d373d603202 ("crypto: omap-sham - Add OMAP4/AM33XX SHAM Support")
+Signed-off-by: Tero Kristo <t-kristo@ti.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/omap-sham.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/crypto/omap-sham.c b/drivers/crypto/omap-sham.c
+index aba5db3c0588f..d7c0c982ba433 100644
+--- a/drivers/crypto/omap-sham.c
++++ b/drivers/crypto/omap-sham.c
+@@ -453,6 +453,9 @@ static void omap_sham_write_ctrl_omap4(struct omap_sham_dev *dd, size_t length,
+ struct omap_sham_reqctx *ctx = ahash_request_ctx(dd->req);
+ u32 val, mask;
+
++ if (likely(ctx->digcnt))
++ omap_sham_write(dd, SHA_REG_DIGCNT(dd), ctx->digcnt);
++
+ /*
+ * Setting ALGO_CONST only for the first iteration and
+ * CLOSE_HASH only for the last one. Note that flags mode bits
+--
+2.25.1
+
--- /dev/null
+From 1d0b9bf0437ed2476d828142c56312b909ad320c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 18:00:24 +0530
+Subject: crypto: picoxcell - Fix potential race condition bug
+
+From: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
+
+[ Upstream commit 64f4a62e3b17f1e473f971127c2924cae42afc82 ]
+
+engine->stat_irq_thresh was initialized after device_create_file() in
+the probe function, the initialization may race with call to
+spacc_stat_irq_thresh_store() which updates engine->stat_irq_thresh,
+therefore initialize it before creating the file in probe function.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Fixes: ce92136843cb ("crypto: picoxcell - add support for the...")
+Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
+Acked-by: Jamie Iles <jamie@jamieiles.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/picoxcell_crypto.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/crypto/picoxcell_crypto.c b/drivers/crypto/picoxcell_crypto.c
+index 2680e1525db58..13ecbb0e58528 100644
+--- a/drivers/crypto/picoxcell_crypto.c
++++ b/drivers/crypto/picoxcell_crypto.c
+@@ -1697,11 +1697,6 @@ static int spacc_probe(struct platform_device *pdev)
+ goto err_clk_put;
+ }
+
+- ret = device_create_file(&pdev->dev, &dev_attr_stat_irq_thresh);
+- if (ret)
+- goto err_clk_disable;
+-
+-
+ /*
+ * Use an IRQ threshold of 50% as a default. This seems to be a
+ * reasonable trade off of latency against throughput but can be
+@@ -1709,6 +1704,10 @@ static int spacc_probe(struct platform_device *pdev)
+ */
+ engine->stat_irq_thresh = (engine->fifo_sz / 2);
+
++ ret = device_create_file(&pdev->dev, &dev_attr_stat_irq_thresh);
++ if (ret)
++ goto err_clk_disable;
++
+ /*
+ * Configure the interrupts. We only use the STAT_CNT interrupt as we
+ * only submit a new packet for processing when we complete another in
+--
+2.25.1
+
--- /dev/null
+From a8ca48606ed9f842a1acf7e827741bd027e47e01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Sep 2020 11:00:51 +0800
+Subject: cypto: mediatek - fix leaks in mtk_desc_ring_alloc
+
+From: Xiaoliang Pang <dawning.pang@gmail.com>
+
+[ Upstream commit 228d284aac61283cde508a925d666f854b57af63 ]
+
+In the init loop, if an error occurs in function 'dma_alloc_coherent',
+then goto the err_cleanup section, after run i--,
+in the array ring, the struct mtk_ring with index i will not be released,
+causing memory leaks
+
+Fixes: 785e5c616c849 ("crypto: mediatek - Add crypto driver support for some MediaTek chips")
+Cc: Ryder Lee <ryder.lee@mediatek.com>
+Signed-off-by: Xiaoliang Pang <dawning.pang@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/mediatek/mtk-platform.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/mediatek/mtk-platform.c b/drivers/crypto/mediatek/mtk-platform.c
+index ef4339e84d034..efce3a83b35a8 100644
+--- a/drivers/crypto/mediatek/mtk-platform.c
++++ b/drivers/crypto/mediatek/mtk-platform.c
+@@ -469,13 +469,13 @@ static int mtk_desc_ring_alloc(struct mtk_cryp *cryp)
+ return 0;
+
+ err_cleanup:
+- for (; i--; ) {
++ do {
+ dma_free_coherent(cryp->dev, MTK_DESC_RING_SZ,
+ ring[i]->res_base, ring[i]->res_dma);
+ dma_free_coherent(cryp->dev, MTK_DESC_RING_SZ,
+ ring[i]->cmd_base, ring[i]->cmd_dma);
+ kfree(ring[i]);
+- }
++ } while (i--);
+ return -ENOMEM;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From e69eb9692117d898a2215bf17f83863ab0f27000 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Sep 2020 14:58:46 +0300
+Subject: dmaengine: dmatest: Check list for emptiness before access its last
+ entry
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit b28de385b71abf31ce68ec0387638bee26ae9024 ]
+
+After writing a garbage to the channel we get an Oops in dmatest_chan_set()
+due to access to last entry in the empty list.
+
+[ 212.670672] BUG: unable to handle page fault for address: fffffff000000020
+[ 212.677562] #PF: supervisor read access in kernel mode
+[ 212.682702] #PF: error_code(0x0000) - not-present page
+...
+[ 212.710074] RIP: 0010:dmatest_chan_set+0x149/0x2d0 [dmatest]
+[ 212.715739] Code: e8 cc f9 ff ff 48 8b 1d 0d 55 00 00 48 83 7b 10 00 0f 84 63 01 00 00 48 c7 c7 d0 65 4d c0 e8 ee 4a f5 e1 48 89 c6 48 8b 43 10 <48> 8b 40 20 48 8b 78 58 48 85 ff 0f 84 f5 00 00 00 e8 b1 41 f5 e1
+
+Fix this by checking list for emptiness before accessing its last entry.
+
+Fixes: d53513d5dc28 ("dmaengine: dmatest: Add support for multi channel testing")
+Cc: Vladimir Murzin <vladimir.murzin@arm.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Tested-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Link: https://lore.kernel.org/r/20200922115847.30100-2-andriy.shevchenko@linux.intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/dmatest.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c
+index 62d9825a49e9d..238936e2dfe2d 100644
+--- a/drivers/dma/dmatest.c
++++ b/drivers/dma/dmatest.c
+@@ -1218,15 +1218,14 @@ static int dmatest_chan_set(const char *val, const struct kernel_param *kp)
+ add_threaded_test(info);
+
+ /* Check if channel was added successfully */
+- dtc = list_last_entry(&info->channels, struct dmatest_chan, node);
+-
+- if (dtc->chan) {
++ if (!list_empty(&info->channels)) {
+ /*
+ * if new channel was not successfully added, revert the
+ * "test_channel" string to the name of the last successfully
+ * added channel. exception for when users issues empty string
+ * to channel parameter.
+ */
++ dtc = list_last_entry(&info->channels, struct dmatest_chan, node);
+ if ((strcmp(dma_chan_name(dtc->chan), strim(test_channel)) != 0)
+ && (strcmp("", strim(test_channel)) != 0)) {
+ ret = -EINVAL;
+--
+2.25.1
+
--- /dev/null
+From 3b388e8dc97ffa07880657e5172b9ab332a02ac5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Jul 2020 23:08:23 +0300
+Subject: dmaengine: dw: Activate FIFO-mode for memory peripherals only
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit 6d9459d04081c796fc67c2bb771f4e4ebb5744c4 ]
+
+CFGx.FIFO_MODE field controls a DMA-controller "FIFO readiness" criterion.
+In other words it determines when to start pushing data out of a DW
+DMAC channel FIFO to a destination peripheral or from a source
+peripheral to the DW DMAC channel FIFO. Currently FIFO-mode is set to one
+for all DW DMAC channels. It means they are tuned to flush data out of
+FIFO (to a memory peripheral or by accepting the burst transaction
+requests) when FIFO is at least half-full (except at the end of the block
+transfer, when FIFO-flush mode is activated) and are configured to get
+data to the FIFO when it's at least half-empty.
+
+Such configuration is a good choice when there is no slave device involved
+in the DMA transfers. In that case the number of bursts per block is less
+than when CFGx.FIFO_MODE = 0 and, hence, the bus utilization will improve.
+But the latency of DMA transfers may increase when CFGx.FIFO_MODE = 1,
+since DW DMAC will wait for the channel FIFO contents to be either
+half-full or half-empty depending on having the destination or the source
+transfers. Such latencies might be dangerous in case if the DMA transfers
+are expected to be performed from/to a slave device. Since normally
+peripheral devices keep data in internal FIFOs, any latency at some
+critical moment may cause one being overflown and consequently losing
+data. This especially concerns a case when either a peripheral device is
+relatively fast or the DW DMAC engine is relatively slow with respect to
+the incoming data pace.
+
+In order to solve problems, which might be caused by the latencies
+described above, let's enable the FIFO half-full/half-empty "FIFO
+readiness" criterion only for DMA transfers with no slave device involved.
+Thanks to the commit 99ba8b9b0d97 ("dmaengine: dw: Initialize channel
+before each transfer") we can freely do that in the generic
+dw_dma_initialize_chan() method.
+
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20200731200826.9292-3-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/dw/dw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/dw/dw.c b/drivers/dma/dw/dw.c
+index 7a085b3c1854c..d9810980920a1 100644
+--- a/drivers/dma/dw/dw.c
++++ b/drivers/dma/dw/dw.c
+@@ -14,7 +14,7 @@
+ static void dw_dma_initialize_chan(struct dw_dma_chan *dwc)
+ {
+ struct dw_dma *dw = to_dw_dma(dwc->chan.device);
+- u32 cfghi = DWC_CFGH_FIFO_MODE;
++ u32 cfghi = is_slave_direction(dwc->direction) ? 0 : DWC_CFGH_FIFO_MODE;
+ u32 cfglo = DWC_CFGL_CH_PRIOR(dwc->priority);
+ bool hs_polarity = dwc->dws.hs_polarity;
+
+--
+2.25.1
+
--- /dev/null
+From 90f6649d40d3dd2b016e8a1d13044f172b018801 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Jul 2020 23:08:26 +0300
+Subject: dmaengine: dw: Add DMA-channels mask cell support
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit e8ee6c8cb61b676f1a2d6b942329e98224bd8ee9 ]
+
+DW DMA IP-core provides a way to synthesize the DMA controller with
+channels having different parameters like maximum burst-length,
+multi-block support, maximum data width, etc. Those parameters both
+explicitly and implicitly affect the channels performance. Since DMA slave
+devices might be very demanding to the DMA performance, let's provide a
+functionality for the slaves to be assigned with DW DMA channels, which
+performance according to the platform engineer fulfill their requirements.
+After this patch is applied it can be done by passing the mask of suitable
+DMA-channels either directly in the dw_dma_slave structure instance or as
+a fifth cell of the DMA DT-property. If mask is zero or not provided, then
+there is no limitation on the channels allocation.
+
+For instance Baikal-T1 SoC is equipped with a DW DMAC engine, which first
+two channels are synthesized with max burst length of 16, while the rest
+of the channels have been created with max-burst-len=4. It would seem that
+the first two channels must be faster than the others and should be more
+preferable for the time-critical DMA slave devices. In practice it turned
+out that the situation is quite the opposite. The channels with
+max-burst-len=4 demonstrated a better performance than the channels with
+max-burst-len=16 even when they both had been initialized with the same
+settings. The performance drop of the first two DMA-channels made them
+unsuitable for the DW APB SSI slave device. No matter what settings they
+are configured with, full-duplex SPI transfers occasionally experience the
+Rx FIFO overflow. It means that the DMA-engine doesn't keep up with
+incoming data pace even though the SPI-bus is enabled with speed of 25MHz
+while the DW DMA controller is clocked with 50MHz signal. There is no such
+problem has been noticed for the channels synthesized with
+max-burst-len=4.
+
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Link: https://lore.kernel.org/r/20200731200826.9292-6-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/dw/core.c | 4 ++++
+ drivers/dma/dw/of.c | 7 +++++--
+ include/linux/platform_data/dma-dw.h | 2 ++
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/dw/core.c b/drivers/dma/dw/core.c
+index a1b56f52db2f2..5e7fdc0b6e3db 100644
+--- a/drivers/dma/dw/core.c
++++ b/drivers/dma/dw/core.c
+@@ -772,6 +772,10 @@ bool dw_dma_filter(struct dma_chan *chan, void *param)
+ if (dws->dma_dev != chan->device->dev)
+ return false;
+
++ /* permit channels in accordance with the channels mask */
++ if (dws->channels && !(dws->channels & dwc->mask))
++ return false;
++
+ /* We have to copy data since dws can be temporary storage */
+ memcpy(&dwc->dws, dws, sizeof(struct dw_dma_slave));
+
+diff --git a/drivers/dma/dw/of.c b/drivers/dma/dw/of.c
+index 9e27831dee324..43e975fb67142 100644
+--- a/drivers/dma/dw/of.c
++++ b/drivers/dma/dw/of.c
+@@ -22,18 +22,21 @@ static struct dma_chan *dw_dma_of_xlate(struct of_phandle_args *dma_spec,
+ };
+ dma_cap_mask_t cap;
+
+- if (dma_spec->args_count != 3)
++ if (dma_spec->args_count < 3 || dma_spec->args_count > 4)
+ return NULL;
+
+ slave.src_id = dma_spec->args[0];
+ slave.dst_id = dma_spec->args[0];
+ slave.m_master = dma_spec->args[1];
+ slave.p_master = dma_spec->args[2];
++ if (dma_spec->args_count >= 4)
++ slave.channels = dma_spec->args[3];
+
+ if (WARN_ON(slave.src_id >= DW_DMA_MAX_NR_REQUESTS ||
+ slave.dst_id >= DW_DMA_MAX_NR_REQUESTS ||
+ slave.m_master >= dw->pdata->nr_masters ||
+- slave.p_master >= dw->pdata->nr_masters))
++ slave.p_master >= dw->pdata->nr_masters ||
++ slave.channels >= BIT(dw->pdata->nr_channels)))
+ return NULL;
+
+ dma_cap_zero(cap);
+diff --git a/include/linux/platform_data/dma-dw.h b/include/linux/platform_data/dma-dw.h
+index f3eaf9ec00a1b..70078be166e3c 100644
+--- a/include/linux/platform_data/dma-dw.h
++++ b/include/linux/platform_data/dma-dw.h
+@@ -21,6 +21,7 @@
+ * @dst_id: dst request line
+ * @m_master: memory master for transfers on allocated channel
+ * @p_master: peripheral master for transfers on allocated channel
++ * @channels: mask of the channels permitted for allocation (zero value means any)
+ * @hs_polarity:set active low polarity of handshake interface
+ */
+ struct dw_dma_slave {
+@@ -29,6 +30,7 @@ struct dw_dma_slave {
+ u8 dst_id;
+ u8 m_master;
+ u8 p_master;
++ u8 channels;
+ bool hs_polarity;
+ };
+
+--
+2.25.1
+
--- /dev/null
+From 993c06745f0508c17f68a3c77f3afc704e6c399a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Sep 2020 16:41:10 -0400
+Subject: drivers/perf: thunderx2_pmu: Fix memory resource error handling
+
+From: Mark Salter <msalter@redhat.com>
+
+[ Upstream commit 688494a407d1419a6b158c644b262c61cde39f48 ]
+
+In tx2_uncore_pmu_init_dev(), a call to acpi_dev_get_resources() is used
+to create a list _CRS resources which is searched for the device base
+address. There is an error check following this:
+
+ if (!rentry->res)
+ return NULL
+
+In no case, will rentry->res be NULL, so the test is useless. Even
+if the test worked, it comes before the resource list memory is
+freed. None of this really matters as long as the ACPI table has
+the memory resource. Let's clean it up so that it makes sense and
+will give a meaningful error should firmware leave out the memory
+resource.
+
+Fixes: 69c32972d593 ("drivers/perf: Add Cavium ThunderX2 SoC UNCORE PMU driver")
+Signed-off-by: Mark Salter <msalter@redhat.com>
+Link: https://lore.kernel.org/r/20200915204110.326138-2-msalter@redhat.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/thunderx2_pmu.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/perf/thunderx2_pmu.c b/drivers/perf/thunderx2_pmu.c
+index 9e1c3c7eeba9b..170ccb164c604 100644
+--- a/drivers/perf/thunderx2_pmu.c
++++ b/drivers/perf/thunderx2_pmu.c
+@@ -627,14 +627,17 @@ static struct tx2_uncore_pmu *tx2_uncore_pmu_init_dev(struct device *dev,
+ list_for_each_entry(rentry, &list, node) {
+ if (resource_type(rentry->res) == IORESOURCE_MEM) {
+ res = *rentry->res;
++ rentry = NULL;
+ break;
+ }
+ }
++ acpi_dev_free_resource_list(&list);
+
+- if (!rentry->res)
++ if (rentry) {
++ dev_err(dev, "PMU type %d: Fail to find resource\n", type);
+ return NULL;
++ }
+
+- acpi_dev_free_resource_list(&list);
+ base = devm_ioremap_resource(dev, &res);
+ if (IS_ERR(base)) {
+ dev_err(dev, "PMU type %d: Fail to map resource\n", type);
+--
+2.25.1
+
--- /dev/null
+From 98a4d8958f88db248c9b4d01a288530c886afde2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Sep 2020 16:41:09 -0400
+Subject: drivers/perf: xgene_pmu: Fix uninitialized resource struct
+
+From: Mark Salter <msalter@redhat.com>
+
+[ Upstream commit a76b8236edcf5b785d044b930f9e14ad02b4a484 ]
+
+This splat was reported on newer Fedora kernels booting on certain
+X-gene based machines:
+
+ xgene-pmu APMC0D83:00: X-Gene PMU version 3
+ Unable to handle kernel read from unreadable memory at virtual \
+ address 0000000000004006
+ ...
+ Call trace:
+ string+0x50/0x100
+ vsnprintf+0x160/0x750
+ devm_kvasprintf+0x5c/0xb4
+ devm_kasprintf+0x54/0x60
+ __devm_ioremap_resource+0xdc/0x1a0
+ devm_ioremap_resource+0x14/0x20
+ acpi_get_pmu_hw_inf.isra.0+0x84/0x15c
+ acpi_pmu_dev_add+0xbc/0x21c
+ acpi_ns_walk_namespace+0x16c/0x1e4
+ acpi_walk_namespace+0xb4/0xfc
+ xgene_pmu_probe_pmu_dev+0x7c/0xe0
+ xgene_pmu_probe.part.0+0x2c0/0x310
+ xgene_pmu_probe+0x54/0x64
+ platform_drv_probe+0x60/0xb4
+ really_probe+0xe8/0x4a0
+ driver_probe_device+0xe4/0x100
+ device_driver_attach+0xcc/0xd4
+ __driver_attach+0xb0/0x17c
+ bus_for_each_dev+0x6c/0xb0
+ driver_attach+0x30/0x40
+ bus_add_driver+0x154/0x250
+ driver_register+0x84/0x140
+ __platform_driver_register+0x54/0x60
+ xgene_pmu_driver_init+0x28/0x34
+ do_one_initcall+0x40/0x204
+ do_initcalls+0x104/0x144
+ kernel_init_freeable+0x198/0x210
+ kernel_init+0x20/0x12c
+ ret_from_fork+0x10/0x18
+ Code: 91000400 110004e1 eb08009f 540000c0 (38646846)
+ ---[ end trace f08c10566496a703 ]---
+
+This is due to use of an uninitialized local resource struct in the xgene
+pmu driver. The thunderx2_pmu driver avoids this by using the resource list
+constructed by acpi_dev_get_resources() rather than using a callback from
+that function. The callback in the xgene driver didn't fully initialize
+the resource. So get rid of the callback and search the resource list as
+done by thunderx2.
+
+Fixes: 832c927d119b ("perf: xgene: Add APM X-Gene SoC Performance Monitoring Unit driver")
+Signed-off-by: Mark Salter <msalter@redhat.com>
+Link: https://lore.kernel.org/r/20200915204110.326138-1-msalter@redhat.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/xgene_pmu.c | 32 +++++++++++++++++---------------
+ 1 file changed, 17 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/perf/xgene_pmu.c b/drivers/perf/xgene_pmu.c
+index 328aea9f6be32..50b37f8f5c7ff 100644
+--- a/drivers/perf/xgene_pmu.c
++++ b/drivers/perf/xgene_pmu.c
+@@ -1459,17 +1459,6 @@ static char *xgene_pmu_dev_name(struct device *dev, u32 type, int id)
+ }
+
+ #if defined(CONFIG_ACPI)
+-static int acpi_pmu_dev_add_resource(struct acpi_resource *ares, void *data)
+-{
+- struct resource *res = data;
+-
+- if (ares->type == ACPI_RESOURCE_TYPE_FIXED_MEMORY32)
+- acpi_dev_resource_memory(ares, res);
+-
+- /* Always tell the ACPI core to skip this resource */
+- return 1;
+-}
+-
+ static struct
+ xgene_pmu_dev_ctx *acpi_get_pmu_hw_inf(struct xgene_pmu *xgene_pmu,
+ struct acpi_device *adev, u32 type)
+@@ -1481,6 +1470,7 @@ xgene_pmu_dev_ctx *acpi_get_pmu_hw_inf(struct xgene_pmu *xgene_pmu,
+ struct hw_pmu_info *inf;
+ void __iomem *dev_csr;
+ struct resource res;
++ struct resource_entry *rentry;
+ int enable_bit;
+ int rc;
+
+@@ -1489,11 +1479,23 @@ xgene_pmu_dev_ctx *acpi_get_pmu_hw_inf(struct xgene_pmu *xgene_pmu,
+ return NULL;
+
+ INIT_LIST_HEAD(&resource_list);
+- rc = acpi_dev_get_resources(adev, &resource_list,
+- acpi_pmu_dev_add_resource, &res);
++ rc = acpi_dev_get_resources(adev, &resource_list, NULL, NULL);
++ if (rc <= 0) {
++ dev_err(dev, "PMU type %d: No resources found\n", type);
++ return NULL;
++ }
++
++ list_for_each_entry(rentry, &resource_list, node) {
++ if (resource_type(rentry->res) == IORESOURCE_MEM) {
++ res = *rentry->res;
++ rentry = NULL;
++ break;
++ }
++ }
+ acpi_dev_free_resource_list(&resource_list);
+- if (rc < 0) {
+- dev_err(dev, "PMU type %d: No resource address found\n", type);
++
++ if (rentry) {
++ dev_err(dev, "PMU type %d: No memory resource found\n", type);
+ return NULL;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From b72dfdcf3290a78d41fec0897d3c50964b82d711 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 02:51:11 +0530
+Subject: drivers/virt/fsl_hypervisor: Fix error handling path
+
+From: Souptick Joarder <jrdr.linux@gmail.com>
+
+[ Upstream commit 7f360bec37857bfd5a48cef21d86f58a09a3df63 ]
+
+First, when memory allocation for sg_list_unaligned failed, there
+is a bug of calling put_pages() as we haven't pinned any pages.
+
+Second, if get_user_pages_fast() failed we should unpin num_pinned
+pages.
+
+This will address both.
+
+As part of these changes, minor update in documentation.
+
+Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
+Signed-off-by: Souptick Joarder <jrdr.linux@gmail.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: John Hubbard <jhubbard@nvidia.com>
+Link: https://lore.kernel.org/r/1598995271-6755-1-git-send-email-jrdr.linux@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/virt/fsl_hypervisor.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/virt/fsl_hypervisor.c b/drivers/virt/fsl_hypervisor.c
+index 93d5bebf9572a..fb292f9cf29df 100644
+--- a/drivers/virt/fsl_hypervisor.c
++++ b/drivers/virt/fsl_hypervisor.c
+@@ -157,7 +157,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
+
+ unsigned int i;
+ long ret = 0;
+- int num_pinned; /* return value from get_user_pages() */
++ int num_pinned = 0; /* return value from get_user_pages_fast() */
+ phys_addr_t remote_paddr; /* The next address in the remote buffer */
+ uint32_t count; /* The number of bytes left to copy */
+
+@@ -174,7 +174,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
+ return -EINVAL;
+
+ /*
+- * The array of pages returned by get_user_pages() covers only
++ * The array of pages returned by get_user_pages_fast() covers only
+ * page-aligned memory. Since the user buffer is probably not
+ * page-aligned, we need to handle the discrepancy.
+ *
+@@ -224,7 +224,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
+
+ /*
+ * 'pages' is an array of struct page pointers that's initialized by
+- * get_user_pages().
++ * get_user_pages_fast().
+ */
+ pages = kcalloc(num_pages, sizeof(struct page *), GFP_KERNEL);
+ if (!pages) {
+@@ -241,7 +241,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
+ if (!sg_list_unaligned) {
+ pr_debug("fsl-hv: could not allocate S/G list\n");
+ ret = -ENOMEM;
+- goto exit;
++ goto free_pages;
+ }
+ sg_list = PTR_ALIGN(sg_list_unaligned, sizeof(struct fh_sg_list));
+
+@@ -250,7 +250,6 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
+ num_pages, param.source != -1 ? FOLL_WRITE : 0, pages);
+
+ if (num_pinned != num_pages) {
+- /* get_user_pages() failed */
+ pr_debug("fsl-hv: could not lock source buffer\n");
+ ret = (num_pinned < 0) ? num_pinned : -EFAULT;
+ goto exit;
+@@ -292,13 +291,13 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p)
+ virt_to_phys(sg_list), num_pages);
+
+ exit:
+- if (pages) {
+- for (i = 0; i < num_pages; i++)
+- if (pages[i])
+- put_page(pages[i]);
++ if (pages && (num_pinned > 0)) {
++ for (i = 0; i < num_pinned; i++)
++ put_page(pages[i]);
+ }
+
+ kfree(sg_list_unaligned);
++free_pages:
+ kfree(pages);
+
+ if (!ret)
+--
+2.25.1
+
--- /dev/null
+From 348d189939496e524eb886e5868f1c6f628b3992 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 19:15:36 +0800
+Subject: drm/amd/display: Fix wrong return value in dm_update_plane_state()
+
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+
+[ Upstream commit c35376137e940c3389df2726a92649c01a9844b4 ]
+
+On an error exit path, a negative error code should be returned
+instead of a positive return value.
+
+Fixes: 9e869063b0021 ("drm/amd/display: Move iteration out of dm_update_planes")
+Cc: Leo Li <sunpeng.li@amd.com>
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 2384aa018993d..7c58085031732 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -6984,8 +6984,7 @@ static int dm_update_plane_state(struct dc *dc,
+ dm_old_plane_state->dc_state,
+ dm_state->context)) {
+
+- ret = EINVAL;
+- return ret;
++ return -EINVAL;
+ }
+
+
+--
+2.25.1
+
--- /dev/null
+From 34efab5e34f00c5ebd1a7662e5545c0a890a8ddc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Aug 2020 16:22:28 +0800
+Subject: drm/crc-debugfs: Fix memleak in crc_control_write
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit f7ec68b341dbd5da13d4c65ce444dcd605f1c42e ]
+
+When verify_crc_source() fails, source needs to be freed.
+However, current code is returning directly and ends up
+leaking memory.
+
+Fixes: d5cc15a0c66e ("drm: crc: Introduce verify_crc_source callback")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+[danvet: change Fixes: tag per Laurent's review]
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200819082228.26847-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_debugfs_crc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_debugfs_crc.c b/drivers/gpu/drm/drm_debugfs_crc.c
+index 6a626c82e264b..f6598c5a9a879 100644
+--- a/drivers/gpu/drm/drm_debugfs_crc.c
++++ b/drivers/gpu/drm/drm_debugfs_crc.c
+@@ -144,8 +144,10 @@ static ssize_t crc_control_write(struct file *file, const char __user *ubuf,
+ source[len - 1] = '\0';
+
+ ret = crtc->funcs->verify_crc_source(crtc, source, &values_cnt);
+- if (ret)
++ if (ret) {
++ kfree(source);
+ return ret;
++ }
+
+ spin_lock_irq(&crc->lock);
+
+--
+2.25.1
+
--- /dev/null
+From c614a78645af04e5991940bf651b64ad361c24d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Aug 2020 13:59:11 -0700
+Subject: drm/gma500: fix error check
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit cdd296cdae1af2d27dae3fcfbdf12c5252ab78cf ]
+
+Reviewing this block of code in cdv_intel_dp_init()
+
+ret = cdv_intel_dp_aux_native_read(gma_encoder, DP_DPCD_REV, ...
+
+cdv_intel_edp_panel_vdd_off(gma_encoder);
+if (ret == 0) {
+ /* if this fails, presume the device is a ghost */
+ DRM_INFO("failed to retrieve link info, disabling eDP\n");
+ drm_encoder_cleanup(encoder);
+ cdv_intel_dp_destroy(connector);
+ goto err_priv;
+} else {
+
+The (ret == 0) is not strict enough.
+cdv_intel_dp_aux_native_read() returns > 0 on success
+otherwise it is failure.
+
+So change to <=
+
+Fixes: d112a8163f83 ("gma500/cdv: Add eDP support")
+
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200805205911.20927-1-trix@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/gma500/cdv_intel_dp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/gma500/cdv_intel_dp.c b/drivers/gpu/drm/gma500/cdv_intel_dp.c
+index 570b59520fd13..2ff4b35151bf8 100644
+--- a/drivers/gpu/drm/gma500/cdv_intel_dp.c
++++ b/drivers/gpu/drm/gma500/cdv_intel_dp.c
+@@ -2120,7 +2120,7 @@ cdv_intel_dp_init(struct drm_device *dev, struct psb_intel_mode_device *mode_dev
+ intel_dp->dpcd,
+ sizeof(intel_dp->dpcd));
+ cdv_intel_edp_panel_vdd_off(gma_encoder);
+- if (ret == 0) {
++ if (ret <= 0) {
+ /* if this fails, presume the device is a ghost */
+ DRM_INFO("failed to retrieve link info, disabling eDP\n");
+ cdv_intel_dp_encoder_destroy(encoder);
+--
+2.25.1
+
--- /dev/null
+From 819087bde0cfb74a134e73116ff8046418874e30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Sep 2020 18:25:58 +0800
+Subject: drm/msm/a6xx: fix a potential overflow issue
+
+From: Zhenzhong Duan <zhenzhong.duan@gmail.com>
+
+[ Upstream commit 08d3ab4b46339bc6f97e83b54a3fb4f8bf8f4cd9 ]
+
+It's allocating an array of a6xx_gpu_state_obj structure rathor than
+its pointers.
+
+This patch fix it.
+
+Signed-off-by: Zhenzhong Duan <zhenzhong.duan@gmail.com>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
+index 691c1a277d91b..dfcbb2b7cdda3 100644
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
+@@ -834,7 +834,7 @@ static void a6xx_get_indexed_registers(struct msm_gpu *gpu,
+ int i;
+
+ a6xx_state->indexed_regs = state_kcalloc(a6xx_state, count,
+- sizeof(a6xx_state->indexed_regs));
++ sizeof(*a6xx_state->indexed_regs));
+ if (!a6xx_state->indexed_regs)
+ return;
+
+--
+2.25.1
+
--- /dev/null
+From 2e8776003fccbdb8d20156a791e5c40264526c58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Sep 2020 14:59:41 -0700
+Subject: drm/msm: Avoid div-by-zero in dpu_crtc_atomic_check()
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+[ Upstream commit 22f760941844dbcee6ee446e1896532f6dff01ef ]
+
+The cstate->num_mixers member is only set to a non-zero value once
+dpu_encoder_virt_mode_set() is called, but the atomic check function can
+be called by userspace before that. Let's avoid the div-by-zero here and
+inside _dpu_crtc_setup_lm_bounds() by skipping this part of the atomic
+check if dpu_encoder_virt_mode_set() hasn't been called yet. This fixes
+an UBSAN warning:
+
+ UBSAN: Undefined behaviour in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c:860:31
+ division by zero
+ CPU: 7 PID: 409 Comm: frecon Tainted: G S 5.4.31 #128
+ Hardware name: Google Trogdor (rev0) (DT)
+ Call trace:
+ dump_backtrace+0x0/0x14c
+ show_stack+0x20/0x2c
+ dump_stack+0xa0/0xd8
+ __ubsan_handle_divrem_overflow+0xec/0x110
+ dpu_crtc_atomic_check+0x97c/0x9d4
+ drm_atomic_helper_check_planes+0x160/0x1c8
+ drm_atomic_helper_check+0x54/0xbc
+ drm_atomic_check_only+0x6a8/0x880
+ drm_atomic_commit+0x20/0x5c
+ drm_atomic_helper_set_config+0x98/0xa0
+ drm_mode_setcrtc+0x308/0x5dc
+ drm_ioctl_kernel+0x9c/0x114
+ drm_ioctl+0x2ac/0x4b0
+ drm_compat_ioctl+0xe8/0x13c
+ __arm64_compat_sys_ioctl+0x184/0x324
+ el0_svc_common+0xa4/0x154
+ el0_svc_compat_handler+0x
+
+Cc: Abhinav Kumar <abhinavk@codeaurora.org>
+Cc: Jeykumar Sankaran <jsanka@codeaurora.org>
+Cc: Jordan Crouse <jcrouse@codeaurora.org>
+Cc: Sean Paul <seanpaul@chromium.org>
+Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Abhinav Kumar <abhinavk@codeaurora.org>
+Tested-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
+index 36c85c05b7cf7..4aed5e9a84a45 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
+@@ -819,7 +819,7 @@ static int dpu_crtc_atomic_check(struct drm_crtc *crtc,
+ struct drm_plane *plane;
+ struct drm_display_mode *mode;
+
+- int cnt = 0, rc = 0, mixer_width, i, z_pos;
++ int cnt = 0, rc = 0, mixer_width = 0, i, z_pos;
+
+ struct dpu_multirect_plane_states multirect_plane[DPU_STAGE_MAX * 2];
+ int multirect_count = 0;
+@@ -852,9 +852,11 @@ static int dpu_crtc_atomic_check(struct drm_crtc *crtc,
+
+ memset(pipe_staged, 0, sizeof(pipe_staged));
+
+- mixer_width = mode->hdisplay / cstate->num_mixers;
++ if (cstate->num_mixers) {
++ mixer_width = mode->hdisplay / cstate->num_mixers;
+
+- _dpu_crtc_setup_lm_bounds(crtc, state);
++ _dpu_crtc_setup_lm_bounds(crtc, state);
++ }
+
+ crtc_rect.x2 = mode->hdisplay;
+ crtc_rect.y2 = mode->vdisplay;
+--
+2.25.1
+
--- /dev/null
+From 04e699c822597457b03ce66891618aa8fe93febc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Sep 2020 16:16:54 +0200
+Subject: drm: mxsfb: check framebuffer pitch
+
+From: Stefan Agner <stefan@agner.ch>
+
+[ Upstream commit d5a0c816900419105a12e7471bf074319dfa34be ]
+
+The lcdif IP does not support a framebuffer pitch (stride) other than
+framebuffer width. Check for equality and reject the framebuffer
+otherwise.
+
+This prevents a distorted picture when using 640x800 and running the
+Mesa graphics stack. Mesa tries to use a cache aligned stride, which
+leads at that particular resolution to width != stride. Currently
+Mesa has no fallback behavior, but rejecting this configuration allows
+userspace to handle the issue correctly.
+
+Fixes: 45d59d704080 ("drm: Add new driver for MXSFB controller")
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200908141654.266836-1-stefan@agner.ch
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mxsfb/mxsfb_drv.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/mxsfb/mxsfb_drv.c b/drivers/gpu/drm/mxsfb/mxsfb_drv.c
+index e8506335cd155..1694a7deb9133 100644
+--- a/drivers/gpu/drm/mxsfb/mxsfb_drv.c
++++ b/drivers/gpu/drm/mxsfb/mxsfb_drv.c
+@@ -26,6 +26,7 @@
+ #include <drm/drm_drv.h>
+ #include <drm/drm_fb_cma_helper.h>
+ #include <drm/drm_fb_helper.h>
++#include <drm/drm_fourcc.h>
+ #include <drm/drm_gem_cma_helper.h>
+ #include <drm/drm_gem_framebuffer_helper.h>
+ #include <drm/drm_irq.h>
+@@ -87,8 +88,26 @@ void mxsfb_disable_axi_clk(struct mxsfb_drm_private *mxsfb)
+ clk_disable_unprepare(mxsfb->clk_axi);
+ }
+
++static struct drm_framebuffer *
++mxsfb_fb_create(struct drm_device *dev, struct drm_file *file_priv,
++ const struct drm_mode_fb_cmd2 *mode_cmd)
++{
++ const struct drm_format_info *info;
++
++ info = drm_get_format_info(dev, mode_cmd);
++ if (!info)
++ return ERR_PTR(-EINVAL);
++
++ if (mode_cmd->width * info->cpp[0] != mode_cmd->pitches[0]) {
++ dev_dbg(dev->dev, "Invalid pitch: fb width must match pitch\n");
++ return ERR_PTR(-EINVAL);
++ }
++
++ return drm_gem_fb_create(dev, file_priv, mode_cmd);
++}
++
+ static const struct drm_mode_config_funcs mxsfb_mode_config_funcs = {
+- .fb_create = drm_gem_fb_create,
++ .fb_create = mxsfb_fb_create,
+ .atomic_check = drm_atomic_helper_check,
+ .atomic_commit = drm_atomic_helper_commit,
+ };
+--
+2.25.1
+
--- /dev/null
+From 25837147d4f33f0e0e7a7408a1c82061dbb6edaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Aug 2020 03:32:54 +0300
+Subject: drm: panel: Fix bpc for OrtusTech COM43H4M85ULC panel
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit 3b8095169982ff4ec2a1b4be61b7224bbef23b48 ]
+
+The OrtusTech COM43H4M85ULC panel is a 18-bit RGB panel. Commit
+f098f168e91c ("drm: panel: Fix bus format for OrtusTech COM43H4M85ULC
+panel") has fixed the bus formats, but forgot to address the bpc value.
+Set it to 6.
+
+Fixes: f098f168e91c ("drm: panel: Fix bus format for OrtusTech COM43H4M85ULC panel")
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200824003254.21904-1-laurent.pinchart@ideasonboard.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-simple.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index 14f5c79299cc0..f0ea782df836d 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -2382,7 +2382,7 @@ static const struct drm_display_mode ortustech_com43h4m85ulc_mode = {
+ static const struct panel_desc ortustech_com43h4m85ulc = {
+ .modes = &ortustech_com43h4m85ulc_mode,
+ .num_modes = 1,
+- .bpc = 8,
++ .bpc = 6,
+ .size = {
+ .width = 56,
+ .height = 93,
+--
+2.25.1
+
--- /dev/null
+From bc9cfe1438fdfd073634a256c782dcf7c4ba5e2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 01:02:44 +0300
+Subject: drm: panel: Fix bus format for OrtusTech COM43H4M85ULC panel
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit f098f168e91ca915c6cf8aa316136af647792f2f ]
+
+The OrtusTech COM43H4M85ULC panel is a 18-bit RGB panel, set the bus
+format to MEDIA_BUS_FMT_RGB666_1X18.
+
+Fixes: 725c9d40f3fe ("drm/panel: Add support for OrtusTech COM43H4M85ULC panel")
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sam Ravnborg <sam.ravnborg@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200812220244.24500-1-laurent.pinchart@ideasonboard.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-simple.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index 6d9656323a3f4..14f5c79299cc0 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -2387,7 +2387,7 @@ static const struct panel_desc ortustech_com43h4m85ulc = {
+ .width = 56,
+ .height = 93,
+ },
+- .bus_format = MEDIA_BUS_FMT_RGB888_1X24,
++ .bus_format = MEDIA_BUS_FMT_RGB666_1X18,
+ .bus_flags = DRM_BUS_FLAG_DE_HIGH | DRM_BUS_FLAG_PIXDATA_DRIVE_POSEDGE,
+ };
+
+--
+2.25.1
+
--- /dev/null
+From a41008b54a47c18f69adae37a5ec0c16566cf889 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Sep 2020 17:01:46 +0200
+Subject: drm/panfrost: add amlogic reset quirk callback
+
+From: Neil Armstrong <narmstrong@baylibre.com>
+
+[ Upstream commit 110003002291525bb209f47e6dbf121a63249a97 ]
+
+The T820, G31 & G52 GPUs integrated by Amlogic in the respective GXM,
+G12A/SM1 & G12B SoCs needs a quirk in the PWR registers at the GPU reset
+time.
+
+Since the Amlogic's integration of the GPU cores with the SoC is not
+publicly documented we do not know what does these values, but they
+permit having a fully functional GPU running with Panfrost.
+
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+[Steven: Fix typo in commit log]
+Reviewed-by: Steven Price <steven.price@arm.com>
+Reviewed-by: Alyssa Rosenzweig <alyssa.rosenzweig@collabora.com>
+Signed-off-by: Steven Price <steven.price@arm.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200916150147.25753-3-narmstrong@baylibre.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panfrost/panfrost_gpu.c | 11 +++++++++++
+ drivers/gpu/drm/panfrost/panfrost_gpu.h | 2 ++
+ drivers/gpu/drm/panfrost/panfrost_regs.h | 4 ++++
+ 3 files changed, 17 insertions(+)
+
+diff --git a/drivers/gpu/drm/panfrost/panfrost_gpu.c b/drivers/gpu/drm/panfrost/panfrost_gpu.c
+index 1431db13ec788..0d39a201c7591 100644
+--- a/drivers/gpu/drm/panfrost/panfrost_gpu.c
++++ b/drivers/gpu/drm/panfrost/panfrost_gpu.c
+@@ -75,6 +75,17 @@ int panfrost_gpu_soft_reset(struct panfrost_device *pfdev)
+ return 0;
+ }
+
++void panfrost_gpu_amlogic_quirk(struct panfrost_device *pfdev)
++{
++ /*
++ * The Amlogic integrated Mali-T820, Mali-G31 & Mali-G52 needs
++ * these undocumented bits in GPU_PWR_OVERRIDE1 to be set in order
++ * to operate correctly.
++ */
++ gpu_write(pfdev, GPU_PWR_KEY, GPU_PWR_KEY_UNLOCK);
++ gpu_write(pfdev, GPU_PWR_OVERRIDE1, 0xfff | (0x20 << 16));
++}
++
+ static void panfrost_gpu_init_quirks(struct panfrost_device *pfdev)
+ {
+ u32 quirks = 0;
+diff --git a/drivers/gpu/drm/panfrost/panfrost_gpu.h b/drivers/gpu/drm/panfrost/panfrost_gpu.h
+index 4112412087b27..468c51e7e46db 100644
+--- a/drivers/gpu/drm/panfrost/panfrost_gpu.h
++++ b/drivers/gpu/drm/panfrost/panfrost_gpu.h
+@@ -16,4 +16,6 @@ int panfrost_gpu_soft_reset(struct panfrost_device *pfdev);
+ void panfrost_gpu_power_on(struct panfrost_device *pfdev);
+ void panfrost_gpu_power_off(struct panfrost_device *pfdev);
+
++void panfrost_gpu_amlogic_quirk(struct panfrost_device *pfdev);
++
+ #endif
+diff --git a/drivers/gpu/drm/panfrost/panfrost_regs.h b/drivers/gpu/drm/panfrost/panfrost_regs.h
+index ea38ac60581c6..eddaa62ad8b0e 100644
+--- a/drivers/gpu/drm/panfrost/panfrost_regs.h
++++ b/drivers/gpu/drm/panfrost/panfrost_regs.h
+@@ -51,6 +51,10 @@
+ #define GPU_STATUS 0x34
+ #define GPU_STATUS_PRFCNT_ACTIVE BIT(2)
+ #define GPU_LATEST_FLUSH_ID 0x38
++#define GPU_PWR_KEY 0x50 /* (WO) Power manager key register */
++#define GPU_PWR_KEY_UNLOCK 0x2968A819
++#define GPU_PWR_OVERRIDE0 0x54 /* (RW) Power manager override settings */
++#define GPU_PWR_OVERRIDE1 0x58 /* (RW) Power manager override settings */
+ #define GPU_FAULT_STATUS 0x3C
+ #define GPU_FAULT_ADDRESS_LO 0x40
+ #define GPU_FAULT_ADDRESS_HI 0x44
+--
+2.25.1
+
--- /dev/null
+From 668f6598b15b2b999e58bc98ce1d3530b47036b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Sep 2020 13:29:57 +0100
+Subject: drm/panfrost: Ensure GPU quirks are always initialised
+
+From: Steven Price <steven.price@arm.com>
+
+[ Upstream commit 8c3c818c23a5bbce6ff180dd2ee04415241df77c ]
+
+The GPU 'CONFIG' registers used to work around hardware issues are
+cleared on reset so need to be programmed every time the GPU is reset.
+However panfrost_device_reset() failed to do this.
+
+To avoid this in future instead move the call to
+panfrost_gpu_init_quirks() to panfrost_gpu_power_on() so that the
+regsiters are always programmed just before the cores are powered.
+
+Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver")
+Signed-off-by: Steven Price <steven.price@arm.com>
+Reviewed-by: Alyssa Rosenzweig <alyssa.rosenzweig@collabora.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200909122957.51667-1-steven.price@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panfrost/panfrost_gpu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panfrost/panfrost_gpu.c b/drivers/gpu/drm/panfrost/panfrost_gpu.c
+index 8822ec13a0d61..1431db13ec788 100644
+--- a/drivers/gpu/drm/panfrost/panfrost_gpu.c
++++ b/drivers/gpu/drm/panfrost/panfrost_gpu.c
+@@ -304,6 +304,8 @@ void panfrost_gpu_power_on(struct panfrost_device *pfdev)
+ int ret;
+ u32 val;
+
++ panfrost_gpu_init_quirks(pfdev);
++
+ /* Just turn on everything for now */
+ gpu_write(pfdev, L2_PWRON_LO, pfdev->features.l2_present);
+ ret = readl_relaxed_poll_timeout(pfdev->iomem + L2_READY_LO,
+@@ -357,7 +359,6 @@ int panfrost_gpu_init(struct panfrost_device *pfdev)
+ return err;
+ }
+
+- panfrost_gpu_init_quirks(pfdev);
+ panfrost_gpu_power_on(pfdev);
+
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From 1ce0faed7f388cf195457e3675d17444563d11db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 01:33:48 +0800
+Subject: drm/radeon: Prefer lower feedback dividers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 5150dd85bdfa08143cacf1b4249121651bed3c35 ]
+
+Commit 2e26ccb119bd ("drm/radeon: prefer lower reference dividers")
+fixed screen flicker for HP Compaq nx9420 but breaks other laptops like
+Asus X50SL.
+
+Turns out we also need to favor lower feedback dividers.
+
+Users confirmed this change fixes the regression and doesn't regress the
+original fix.
+
+Fixes: 2e26ccb119bd ("drm/radeon: prefer lower reference dividers")
+BugLink: https://bugs.launchpad.net/bugs/1791312
+BugLink: https://bugs.launchpad.net/bugs/1861554
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_display.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c
+index f9f74150d0d73..e7c4e06bc7d4f 100644
+--- a/drivers/gpu/drm/radeon/radeon_display.c
++++ b/drivers/gpu/drm/radeon/radeon_display.c
+@@ -932,7 +932,7 @@ static void avivo_get_fb_ref_div(unsigned nom, unsigned den, unsigned post_div,
+
+ /* get matching reference and feedback divider */
+ *ref_div = min(max(den/post_div, 1u), ref_div_max);
+- *fb_div = DIV_ROUND_CLOSEST(nom * *ref_div * post_div, den);
++ *fb_div = max(nom * *ref_div * post_div / den, 1u);
+
+ /* limit fb divider to its maximum */
+ if (*fb_div > fb_div_max) {
+--
+2.25.1
+
--- /dev/null
+From e7bd5106fb33a9705ce293d6e1126c966e88c74c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 17:25:24 -0300
+Subject: drm/vkms: fix xrgb on compute crc
+
+From: Melissa Wen <melissa.srw@gmail.com>
+
+[ Upstream commit 0986191186128b10b6bbfa5220fc587ed5725e49 ]
+
+The previous memset operation was not correctly zeroing the alpha
+channel to compute the crc, and as a result, the IGT subtest
+kms_cursor_crc/pipe-A-cursor-alpha-transparent fails.
+
+Fixes: db7f419c06d7c ("drm/vkms: Compute CRC with Cursor Plane")
+
+Signed-off-by: Melissa Wen <melissa.srw@gmail.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200730202524.5upzuh4irboru7my@smtp.gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vkms/vkms_composer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vkms/vkms_composer.c b/drivers/gpu/drm/vkms/vkms_composer.c
+index d5585695c64d1..45d6ebbdbdb22 100644
+--- a/drivers/gpu/drm/vkms/vkms_composer.c
++++ b/drivers/gpu/drm/vkms/vkms_composer.c
+@@ -33,7 +33,7 @@ static uint32_t compute_crc(void *vaddr_out, struct vkms_composer *composer)
+ + (i * composer->pitch)
+ + (j * composer->cpp);
+ /* XRGB format ignores Alpha channel */
+- memset(vaddr_out + src_offset + 24, 0, 8);
++ bitmap_clear(vaddr_out + src_offset, 24, 8);
+ crc = crc32_le(crc, vaddr_out + src_offset,
+ sizeof(u32));
+ }
+--
+2.25.1
+
--- /dev/null
+From 83738e6a06bbc9ef998253964b95b90c5d3767dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Aug 2020 09:07:42 +0200
+Subject: EDAC/aspeed: Fix handling of platform_get_irq() error
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit afce6996943be265fa39240b67025cfcb1bcdfb1 ]
+
+platform_get_irq() returns a negative error number on error. In such a
+case, comparison to 0 would pass the check therefore check the return
+value properly, whether it is negative.
+
+ [ bp: Massage commit message. ]
+
+Fixes: 9b7e6242ee4e ("EDAC, aspeed: Add an Aspeed AST2500 EDAC driver")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Stefan Schaeckeler <schaecsn@gmx.net>
+Link: https://lkml.kernel.org/r/20200827070743.26628-1-krzk@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/aspeed_edac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/edac/aspeed_edac.c b/drivers/edac/aspeed_edac.c
+index 5634437bb39d2..66669f9d690be 100644
+--- a/drivers/edac/aspeed_edac.c
++++ b/drivers/edac/aspeed_edac.c
+@@ -209,8 +209,8 @@ static int config_irq(void *ctx, struct platform_device *pdev)
+ /* register interrupt handler */
+ irq = platform_get_irq(pdev, 0);
+ dev_dbg(&pdev->dev, "got irq %d\n", irq);
+- if (!irq)
+- return -ENODEV;
++ if (irq < 0)
++ return irq;
+
+ rc = devm_request_irq(&pdev->dev, irq, mcr_isr, IRQF_TRIGGER_HIGH,
+ DRV_NAME, ctx);
+--
+2.25.1
+
--- /dev/null
+From c9b2547db6e33832a084e942380c1adc5553231e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 20:14:37 +0800
+Subject: EDAC/i5100: Fix error handling order in i5100_init_one()
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 857a3139bd8be4f702c030c8ca06f3fd69c1741a ]
+
+When pci_get_device_func() fails, the driver doesn't need to execute
+pci_dev_put(). mci should still be freed, though, to prevent a memory
+leak. When pci_enable_device() fails, the error injection PCI device
+"einj" doesn't need to be disabled either.
+
+ [ bp: Massage commit message, rename label to "bail_mc_free". ]
+
+Fixes: 52608ba205461 ("i5100_edac: probe for device 19 function 0")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20200826121437.31606-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/i5100_edac.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/edac/i5100_edac.c b/drivers/edac/i5100_edac.c
+index 251f2b692785d..0c72daa519ffa 100644
+--- a/drivers/edac/i5100_edac.c
++++ b/drivers/edac/i5100_edac.c
+@@ -1074,16 +1074,15 @@ static int i5100_init_one(struct pci_dev *pdev, const struct pci_device_id *id)
+ PCI_DEVICE_ID_INTEL_5100_19, 0);
+ if (!einj) {
+ ret = -ENODEV;
+- goto bail_einj;
++ goto bail_mc_free;
+ }
+
+ rc = pci_enable_device(einj);
+ if (rc < 0) {
+ ret = rc;
+- goto bail_disable_einj;
++ goto bail_einj;
+ }
+
+-
+ mci->pdev = &pdev->dev;
+
+ priv = mci->pvt_info;
+@@ -1149,14 +1148,14 @@ static int i5100_init_one(struct pci_dev *pdev, const struct pci_device_id *id)
+ bail_scrub:
+ priv->scrub_enable = 0;
+ cancel_delayed_work_sync(&(priv->i5100_scrubbing));
+- edac_mc_free(mci);
+-
+-bail_disable_einj:
+ pci_disable_device(einj);
+
+ bail_einj:
+ pci_dev_put(einj);
+
++bail_mc_free:
++ edac_mc_free(mci);
++
+ bail_disable_ch1:
+ pci_disable_device(ch1mm);
+
+--
+2.25.1
+
--- /dev/null
+From 19ff9080051b877c47b055bea8d8b76a7845d95f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Aug 2020 09:07:43 +0200
+Subject: EDAC/ti: Fix handling of platform_get_irq() error
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 66077adb70a2a9e92540155b2ace33ec98299c90 ]
+
+platform_get_irq() returns a negative error number on error. In such a
+case, comparison to 0 would pass the check therefore check the return
+value properly, whether it is negative.
+
+ [ bp: Massage commit message. ]
+
+Fixes: 86a18ee21e5e ("EDAC, ti: Add support for TI keystone and DRA7xx EDAC")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Tero Kristo <t-kristo@ti.com>
+Link: https://lkml.kernel.org/r/20200827070743.26628-2-krzk@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/ti_edac.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/edac/ti_edac.c b/drivers/edac/ti_edac.c
+index 6ac26d1b929f0..3247689467435 100644
+--- a/drivers/edac/ti_edac.c
++++ b/drivers/edac/ti_edac.c
+@@ -278,7 +278,8 @@ static int ti_edac_probe(struct platform_device *pdev)
+
+ /* add EMIF ECC error handler */
+ error_irq = platform_get_irq(pdev, 0);
+- if (!error_irq) {
++ if (error_irq < 0) {
++ ret = error_irq;
+ edac_printk(KERN_ERR, EDAC_MOD_NAME,
+ "EMIF irq number not defined.\n");
+ goto err;
+--
+2.25.1
+
--- /dev/null
+From 893fe883412bd54d798157c2be820d8b8126a5ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Oct 2020 15:21:48 -0700
+Subject: ext4: limit entries returned when counting fsmap records
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit af8c53c8bc087459b1aadd4c94805d8272358d79 ]
+
+If userspace asked fsmap to try to count the number of entries, we cannot
+return more than UINT_MAX entries because fmh_entries is u32.
+Therefore, stop counting if we hit this limit or else we will waste time
+to return truncated results.
+
+Fixes: 0c9ec4beecac ("ext4: support GETFSMAP ioctls")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Link: https://lore.kernel.org/r/20201001222148.GA49520@magnolia
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/fsmap.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/ext4/fsmap.c b/fs/ext4/fsmap.c
+index dbccf46f17709..37347ba868b70 100644
+--- a/fs/ext4/fsmap.c
++++ b/fs/ext4/fsmap.c
+@@ -108,6 +108,9 @@ static int ext4_getfsmap_helper(struct super_block *sb,
+
+ /* Are we just counting mappings? */
+ if (info->gfi_head->fmh_count == 0) {
++ if (info->gfi_head->fmh_entries == UINT_MAX)
++ return EXT4_QUERY_RANGE_ABORT;
++
+ if (rec_fsblk > info->gfi_next_fsblk)
+ info->gfi_head->fmh_entries++;
+
+--
+2.25.1
+
--- /dev/null
+From fef39b35ac609a2cfddaee940ee231e8559dcd72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Oct 2020 14:09:48 +0100
+Subject: f2fs: wait for sysfs kobject removal before freeing f2fs_sb_info
+
+From: Jamie Iles <jamie@nuviainc.com>
+
+[ Upstream commit ae284d87abade58c8db7760c808f311ef1ce693c ]
+
+syzkaller found that with CONFIG_DEBUG_KOBJECT_RELEASE=y, unmounting an
+f2fs filesystem could result in the following splat:
+
+ kobject: 'loop5' ((____ptrval____)): kobject_release, parent 0000000000000000 (delayed 250)
+ kobject: 'f2fs_xattr_entry-7:5' ((____ptrval____)): kobject_release, parent 0000000000000000 (delayed 750)
+ ------------[ cut here ]------------
+ ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x98
+ WARNING: CPU: 0 PID: 699 at lib/debugobjects.c:485 debug_print_object+0x180/0x240
+ Kernel panic - not syncing: panic_on_warn set ...
+ CPU: 0 PID: 699 Comm: syz-executor.5 Tainted: G S 5.9.0-rc8+ #101
+ Hardware name: linux,dummy-virt (DT)
+ Call trace:
+ dump_backtrace+0x0/0x4d8
+ show_stack+0x34/0x48
+ dump_stack+0x174/0x1f8
+ panic+0x360/0x7a0
+ __warn+0x244/0x2ec
+ report_bug+0x240/0x398
+ bug_handler+0x50/0xc0
+ call_break_hook+0x160/0x1d8
+ brk_handler+0x30/0xc0
+ do_debug_exception+0x184/0x340
+ el1_dbg+0x48/0xb0
+ el1_sync_handler+0x170/0x1c8
+ el1_sync+0x80/0x100
+ debug_print_object+0x180/0x240
+ debug_check_no_obj_freed+0x200/0x430
+ slab_free_freelist_hook+0x190/0x210
+ kfree+0x13c/0x460
+ f2fs_put_super+0x624/0xa58
+ generic_shutdown_super+0x120/0x300
+ kill_block_super+0x94/0xf8
+ kill_f2fs_super+0x244/0x308
+ deactivate_locked_super+0x104/0x150
+ deactivate_super+0x118/0x148
+ cleanup_mnt+0x27c/0x3c0
+ __cleanup_mnt+0x28/0x38
+ task_work_run+0x10c/0x248
+ do_notify_resume+0x9d4/0x1188
+ work_pending+0x8/0x34c
+
+Like the error handling for f2fs_register_sysfs(), we need to wait for
+the kobject to be destroyed before returning to prevent a potential
+use-after-free.
+
+Fixes: bf9e697ecd42 ("f2fs: expose features to sysfs entry")
+Cc: Jaegeuk Kim <jaegeuk@kernel.org>
+Cc: Chao Yu <chao@kernel.org>
+Signed-off-by: Jamie Iles <jamie@nuviainc.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/sysfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c
+index 170934430d7d7..029e693e201cf 100644
+--- a/fs/f2fs/sysfs.c
++++ b/fs/f2fs/sysfs.c
+@@ -788,4 +788,5 @@ void f2fs_unregister_sysfs(struct f2fs_sb_info *sbi)
+ }
+ kobject_del(&sbi->s_kobj);
+ kobject_put(&sbi->s_kobj);
++ wait_for_completion(&sbi->s_kobj_unregister);
+ }
+--
+2.25.1
+
--- /dev/null
+From 982cacb7f7bc947ac3345727057adb03d7b92ec1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Jul 2020 15:26:03 -0400
+Subject: fbmem: add margin check to fb_check_caps()
+
+From: George Kennedy <george.kennedy@oracle.com>
+
+[ Upstream commit a49145acfb975d921464b84fe00279f99827d816 ]
+
+A fb_ioctl() FBIOPUT_VSCREENINFO call with invalid xres setting
+or yres setting in struct fb_var_screeninfo will result in a
+KASAN: vmalloc-out-of-bounds failure in bitfill_aligned() as
+the margins are being cleared. The margins are cleared in
+chunks and if the xres setting or yres setting is a value of
+zero upto the chunk size, the failure will occur.
+
+Add a margin check to validate xres and yres settings.
+
+Signed-off-by: George Kennedy <george.kennedy@oracle.com>
+Reported-by: syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Dhaval Giani <dhaval.giani@oracle.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1594149963-13801-1-git-send-email-george.kennedy@oracle.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/core/fbmem.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
+index 97abcd497c7e0..bf76dadbed87f 100644
+--- a/drivers/video/fbdev/core/fbmem.c
++++ b/drivers/video/fbdev/core/fbmem.c
+@@ -1001,6 +1001,10 @@ fb_set_var(struct fb_info *info, struct fb_var_screeninfo *var)
+ return 0;
+ }
+
++ /* bitfill_aligned() assumes that it's at least 8x8 */
++ if (var->xres < 8 || var->yres < 8)
++ return -EINVAL;
++
+ ret = info->fbops->fb_check_var(var, info);
+
+ if (ret)
+--
+2.25.1
+
--- /dev/null
+From 2d4dd4f9f560288fee0adec2327161e2b80ec3dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 14:08:25 -0700
+Subject: Fix use after free in get_capset_info callback.
+
+From: Doug Horn <doughorn@google.com>
+
+[ Upstream commit e219688fc5c3d0d9136f8d29d7e0498388f01440 ]
+
+If a response to virtio_gpu_cmd_get_capset_info takes longer than
+five seconds to return, the callback will access freed kernel memory
+in vg->capsets.
+
+Signed-off-by: Doug Horn <doughorn@google.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20200902210847.2689-2-gurchetansingh@chromium.org
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_kms.c | 2 ++
+ drivers/gpu/drm/virtio/virtgpu_vq.c | 10 +++++++---
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/virtio/virtgpu_kms.c b/drivers/gpu/drm/virtio/virtgpu_kms.c
+index c190702fab726..6dcc05ab31eba 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_kms.c
++++ b/drivers/gpu/drm/virtio/virtgpu_kms.c
+@@ -96,8 +96,10 @@ static void virtio_gpu_get_capsets(struct virtio_gpu_device *vgdev,
+ vgdev->capsets[i].id > 0, 5 * HZ);
+ if (ret == 0) {
+ DRM_ERROR("timed out waiting for cap set %d\n", i);
++ spin_lock(&vgdev->display_info_lock);
+ kfree(vgdev->capsets);
+ vgdev->capsets = NULL;
++ spin_unlock(&vgdev->display_info_lock);
+ return;
+ }
+ DRM_INFO("cap set %d: id %d, max-version %d, max-size %d\n",
+diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c
+index 7ac20490e1b4c..92022a83bbd5e 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_vq.c
++++ b/drivers/gpu/drm/virtio/virtgpu_vq.c
+@@ -572,9 +572,13 @@ static void virtio_gpu_cmd_get_capset_info_cb(struct virtio_gpu_device *vgdev,
+ int i = le32_to_cpu(cmd->capset_index);
+
+ spin_lock(&vgdev->display_info_lock);
+- vgdev->capsets[i].id = le32_to_cpu(resp->capset_id);
+- vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version);
+- vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size);
++ if (vgdev->capsets) {
++ vgdev->capsets[i].id = le32_to_cpu(resp->capset_id);
++ vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version);
++ vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size);
++ } else {
++ DRM_ERROR("invalid capset memory.");
++ }
+ spin_unlock(&vgdev->display_info_lock);
+ wake_up(&vgdev->resp_wq);
+ }
+--
+2.25.1
+
--- /dev/null
+From 33ce48ec4faae7947fe7088d73789ae9d495ca14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Aug 2020 15:02:51 -0400
+Subject: fs: dlm: fix configfs memory leak
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 3d2825c8c6105b0f36f3ff72760799fa2e71420e ]
+
+This patch fixes the following memory detected by kmemleak and umount
+gfs2 filesystem which removed the last lockspace:
+
+unreferenced object 0xffff9264f482f600 (size 192):
+ comm "dlm_controld", pid 325, jiffies 4294690276 (age 48.136s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 6e 6f 64 65 73 00 00 00 ........nodes...
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000060481d7>] make_space+0x41/0x130
+ [<000000008d905d46>] configfs_mkdir+0x1a2/0x5f0
+ [<00000000729502cf>] vfs_mkdir+0x155/0x210
+ [<000000000369bcf1>] do_mkdirat+0x6d/0x110
+ [<00000000cc478a33>] do_syscall_64+0x33/0x40
+ [<00000000ce9ccf01>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The patch just remembers the "nodes" entry pointer in space as I think
+it's created as subdirectory when parent "spaces" is created. In
+function drop_space() we will lost the pointer reference to nds because
+configfs_remove_default_groups(). However as this subdirectory is always
+available when "spaces" exists it will just be freed when "spaces" will be
+freed.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/config.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/dlm/config.c b/fs/dlm/config.c
+index 3b21082e1b550..3b1012a3c4396 100644
+--- a/fs/dlm/config.c
++++ b/fs/dlm/config.c
+@@ -216,6 +216,7 @@ struct dlm_space {
+ struct list_head members;
+ struct mutex members_lock;
+ int members_count;
++ struct dlm_nodes *nds;
+ };
+
+ struct dlm_comms {
+@@ -424,6 +425,7 @@ static struct config_group *make_space(struct config_group *g, const char *name)
+ INIT_LIST_HEAD(&sp->members);
+ mutex_init(&sp->members_lock);
+ sp->members_count = 0;
++ sp->nds = nds;
+ return &sp->group;
+
+ fail:
+@@ -445,6 +447,7 @@ static void drop_space(struct config_group *g, struct config_item *i)
+ static void release_space(struct config_item *i)
+ {
+ struct dlm_space *sp = config_item_to_space(i);
++ kfree(sp->nds);
+ kfree(sp);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 1cb60beb7d6940a95e6c62af13ab9c95053e9e5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Oct 2020 13:45:28 -0700
+Subject: fs: fix NULL dereference due to data race in prepend_path()
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 09cad07547445bf3a41683e4d3abcd154c123ef5 ]
+
+Fix data race in prepend_path() with re-reading mnt->mnt_ns twice
+without holding the lock.
+
+is_mounted() does check for NULL, but is_anon_ns(mnt->mnt_ns) might
+re-read the pointer again which could be NULL already, if in between
+reads one of kern_unmount()/kern_unmount_array()/umount_tree() sets
+mnt->mnt_ns to NULL.
+
+This is seen in production with the following stack trace:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000048
+ ...
+ RIP: 0010:prepend_path.isra.4+0x1ce/0x2e0
+ Call Trace:
+ d_path+0xe6/0x150
+ proc_pid_readlink+0x8f/0x100
+ vfs_readlink+0xf8/0x110
+ do_readlinkat+0xfd/0x120
+ __x64_sys_readlinkat+0x1a/0x20
+ do_syscall_64+0x42/0x110
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: f2683bd8d5bd ("[PATCH] fix d_absolute_path() interplay with fsmount()")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/d_path.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/d_path.c b/fs/d_path.c
+index 0f1fc1743302f..a69e2cd36e6e3 100644
+--- a/fs/d_path.c
++++ b/fs/d_path.c
+@@ -102,6 +102,8 @@ static int prepend_path(const struct path *path,
+
+ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
+ struct mount *parent = READ_ONCE(mnt->mnt_parent);
++ struct mnt_namespace *mnt_ns;
++
+ /* Escaped? */
+ if (dentry != vfsmnt->mnt_root) {
+ bptr = *buffer;
+@@ -116,7 +118,9 @@ static int prepend_path(const struct path *path,
+ vfsmnt = &mnt->mnt;
+ continue;
+ }
+- if (is_mounted(vfsmnt) && !is_anon_ns(mnt->mnt_ns))
++ mnt_ns = READ_ONCE(mnt->mnt_ns);
++ /* open-coded is_mounted() to use local mnt_ns */
++ if (!IS_ERR_OR_NULL(mnt_ns) && !is_anon_ns(mnt_ns))
+ error = 1; // absolute root
+ else
+ error = 2; // detached or not attached yet
+--
+2.25.1
+
--- /dev/null
+From 453ef0674840c48b9cc05b0626482e698aa80dad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 16:35:52 -0700
+Subject: HID: hid-input: fix stylus battery reporting
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit 505f394fa239cecb76d916aa858f87ed7ea7fde4 ]
+
+With commit 4f3882177240 hid-input started clearing of "ignored" usages
+to avoid using garbage that might have been left in them. However
+"battery strength" usages should not be ignored, as we do want to
+use them.
+
+Fixes: 4f3882177240 ("HID: hid-input: clear unmapped usages")
+Reported-by: Kenneth Albanowski <kenalba@google.com>
+Tested-by: Kenneth Albanowski <kenalba@google.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-input.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index e3d475f4baf66..b2bff932c524f 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -797,7 +797,7 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
+ case 0x3b: /* Battery Strength */
+ hidinput_setup_battery(device, HID_INPUT_REPORT, field);
+ usage->type = EV_PWR;
+- goto ignore;
++ return;
+
+ case 0x3c: /* Invert */
+ map_key_clear(BTN_TOOL_RUBBER);
+@@ -1059,7 +1059,7 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel
+ case HID_DC_BATTERYSTRENGTH:
+ hidinput_setup_battery(device, HID_INPUT_REPORT, field);
+ usage->type = EV_PWR;
+- goto ignore;
++ return;
+ }
+ goto unknown;
+
+--
+2.25.1
+
--- /dev/null
+From d37f1f231f8d9bc55de3bd23aae6a49e66793703 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Sep 2020 09:56:42 +0200
+Subject: HID: ite: Add USB id match for Acer One S1003 keyboard dock
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 5bf2f2f331ad812c9b7eea6e14a3ea328acbffc0 ]
+
+The Acer One S1003 2-in-1 keyboard dock uses a Synaptics S910xx touchpad
+which is connected to an ITE 8910 USB keyboard controller chip.
+
+This keyboard has the same quirk for its rfkill / airplane mode hotkey as
+other keyboards with ITE keyboard chips, it only sends a single release
+event when pressed and released, it never sends a press event.
+
+This commit adds this keyboards USB id to the hid-ite id-table, fixing
+the rfkill key not working on this keyboard. Note that like for the
+Acer Aspire Switch 10 (SW5-012) the id-table entry matches on the
+HID_GROUP_GENERIC generic group so that hid-ite only binds to the
+keyboard interface and the mouse/touchpad interface is left untouched
+so that hid-multitouch can bind to it.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-ite.c | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index e03a4d794240c..7363d0b488bd8 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1119,6 +1119,7 @@
+ #define USB_DEVICE_ID_SYNAPTICS_DELL_K12A 0x2819
+ #define USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_012 0x2968
+ #define USB_DEVICE_ID_SYNAPTICS_TP_V103 0x5710
++#define USB_DEVICE_ID_SYNAPTICS_ACER_ONE_S1003 0x73f5
+ #define USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5 0x81a7
+
+ #define USB_VENDOR_ID_TEXAS_INSTRUMENTS 0x2047
+diff --git a/drivers/hid/hid-ite.c b/drivers/hid/hid-ite.c
+index 6c55682c59740..044a93f3c1178 100644
+--- a/drivers/hid/hid-ite.c
++++ b/drivers/hid/hid-ite.c
+@@ -44,6 +44,10 @@ static const struct hid_device_id ite_devices[] = {
+ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
+ USB_VENDOR_ID_SYNAPTICS,
+ USB_DEVICE_ID_SYNAPTICS_ACER_SWITCH5_012) },
++ /* ITE8910 USB kbd ctlr, with Synaptics touchpad connected to it. */
++ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
++ USB_VENDOR_ID_SYNAPTICS,
++ USB_DEVICE_ID_SYNAPTICS_ACER_ONE_S1003) },
+ { }
+ };
+ MODULE_DEVICE_TABLE(hid, ite_devices);
+--
+2.25.1
+
--- /dev/null
+From 5facf14f82507179b1b0e280c044eabdca10ee55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Aug 2020 11:57:35 +0300
+Subject: HID: roccat: add bounds checking in kone_sysfs_write_settings()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit d4f98dbfe717490e771b6e701904bfcf4b4557f0 ]
+
+This code doesn't check if "settings->startup_profile" is within bounds
+and that could result in an out of bounds array access. What the code
+does do is it checks if the settings can be written to the firmware, so
+it's possible that the firmware has a bounds check? It's safer and
+easier to verify when the bounds checking is done in the kernel.
+
+Fixes: 14bf62cde794 ("HID: add driver for Roccat Kone gaming mouse")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-roccat-kone.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/hid/hid-roccat-kone.c b/drivers/hid/hid-roccat-kone.c
+index 1a6e600197d0b..509b9bb1362cb 100644
+--- a/drivers/hid/hid-roccat-kone.c
++++ b/drivers/hid/hid-roccat-kone.c
+@@ -294,31 +294,40 @@ static ssize_t kone_sysfs_write_settings(struct file *fp, struct kobject *kobj,
+ struct kone_device *kone = hid_get_drvdata(dev_get_drvdata(dev));
+ struct usb_device *usb_dev = interface_to_usbdev(to_usb_interface(dev));
+ int retval = 0, difference, old_profile;
++ struct kone_settings *settings = (struct kone_settings *)buf;
+
+ /* I need to get my data in one piece */
+ if (off != 0 || count != sizeof(struct kone_settings))
+ return -EINVAL;
+
+ mutex_lock(&kone->kone_lock);
+- difference = memcmp(buf, &kone->settings, sizeof(struct kone_settings));
++ difference = memcmp(settings, &kone->settings,
++ sizeof(struct kone_settings));
+ if (difference) {
+- retval = kone_set_settings(usb_dev,
+- (struct kone_settings const *)buf);
+- if (retval) {
+- mutex_unlock(&kone->kone_lock);
+- return retval;
++ if (settings->startup_profile < 1 ||
++ settings->startup_profile > 5) {
++ retval = -EINVAL;
++ goto unlock;
+ }
+
++ retval = kone_set_settings(usb_dev, settings);
++ if (retval)
++ goto unlock;
++
+ old_profile = kone->settings.startup_profile;
+- memcpy(&kone->settings, buf, sizeof(struct kone_settings));
++ memcpy(&kone->settings, settings, sizeof(struct kone_settings));
+
+ kone_profile_activated(kone, kone->settings.startup_profile);
+
+ if (kone->settings.startup_profile != old_profile)
+ kone_profile_report(kone, kone->settings.startup_profile);
+ }
++unlock:
+ mutex_unlock(&kone->kone_lock);
+
++ if (retval)
++ return retval;
++
+ return sizeof(struct kone_settings);
+ }
+ static BIN_ATTR(settings, 0660, kone_sysfs_read_settings,
+--
+2.25.1
+
--- /dev/null
+From 96614bee47888d147744d06a3c19c63238c78836 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Sep 2020 14:39:29 -0700
+Subject: hwmon: (pmbus/max34440) Fix status register reads for
+ MAX344{51,60,61}
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 6c094b31ea2ad773824362ba0fccb88d36f8d32d ]
+
+Starting with MAX34451, the chips of this series support STATUS_IOUT and
+STATUS_TEMPERATURE commands, and no longer report over-current and
+over-temperature status with STATUS_MFR_SPECIFIC.
+
+Fixes: 7a001dbab4ade ("hwmon: (pmbus/max34440) Add support for MAX34451.")
+Fixes: 50115ac9b6f35 ("hwmon: (pmbus/max34440) Add support for MAX34460 and MAX34461")
+Reported-by: Steve Foreman <foremans@google.com>
+Cc: Steve Foreman <foremans@google.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/pmbus/max34440.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/hwmon/pmbus/max34440.c b/drivers/hwmon/pmbus/max34440.c
+index 5c63a66007293..e22617def70bf 100644
+--- a/drivers/hwmon/pmbus/max34440.c
++++ b/drivers/hwmon/pmbus/max34440.c
+@@ -387,7 +387,6 @@ static struct pmbus_driver_info max34440_info[] = {
+ .func[18] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP,
+ .func[19] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP,
+ .func[20] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP,
+- .read_byte_data = max34440_read_byte_data,
+ .read_word_data = max34440_read_word_data,
+ .write_word_data = max34440_write_word_data,
+ },
+@@ -418,7 +417,6 @@ static struct pmbus_driver_info max34440_info[] = {
+ .func[15] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP,
+ .func[16] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP,
+ .func[17] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP,
+- .read_byte_data = max34440_read_byte_data,
+ .read_word_data = max34440_read_word_data,
+ .write_word_data = max34440_write_word_data,
+ },
+@@ -454,7 +452,6 @@ static struct pmbus_driver_info max34440_info[] = {
+ .func[19] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP,
+ .func[20] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP,
+ .func[21] = PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP,
+- .read_byte_data = max34440_read_byte_data,
+ .read_word_data = max34440_read_word_data,
+ .write_word_data = max34440_write_word_data,
+ },
+--
+2.25.1
+
--- /dev/null
+From 72f9ec08b64da1b9d4311105af1098032e95c790 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Oct 2020 16:41:58 +0200
+Subject: i2c: core: Restore acpi_walk_dep_device_list() getting called after
+ registering the ACPI i2c devs
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 8058d69905058ec8f467a120b5ec5bb831ea67f3 ]
+
+Commit 21653a4181ff ("i2c: core: Call i2c_acpi_install_space_handler()
+before i2c_acpi_register_devices()")'s intention was to only move the
+acpi_install_address_space_handler() call to the point before where
+the ACPI declared i2c-children of the adapter where instantiated by
+i2c_acpi_register_devices().
+
+But i2c_acpi_install_space_handler() had a call to
+acpi_walk_dep_device_list() hidden (that is I missed it) at the end
+of it, so as an unwanted side-effect now acpi_walk_dep_device_list()
+was also being called before i2c_acpi_register_devices().
+
+Move the acpi_walk_dep_device_list() call to the end of
+i2c_acpi_register_devices(), so that it is once again called *after*
+the i2c_client-s hanging of the adapter have been created.
+
+This fixes the Microsoft Surface Go 2 hanging at boot.
+
+Fixes: 21653a4181ff ("i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices()")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=209627
+Reported-by: Rainer Finke <rainer@finke.cc>
+Reported-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
+Suggested-by: Maximilian Luz <luzmaximilian@gmail.com>
+Tested-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-core-acpi.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c
+index ce70b5288472c..c70983780ae79 100644
+--- a/drivers/i2c/i2c-core-acpi.c
++++ b/drivers/i2c/i2c-core-acpi.c
+@@ -264,6 +264,7 @@ static acpi_status i2c_acpi_add_device(acpi_handle handle, u32 level,
+ void i2c_acpi_register_devices(struct i2c_adapter *adap)
+ {
+ acpi_status status;
++ acpi_handle handle;
+
+ if (!has_acpi_companion(&adap->dev))
+ return;
+@@ -274,6 +275,15 @@ void i2c_acpi_register_devices(struct i2c_adapter *adap)
+ adap, NULL);
+ if (ACPI_FAILURE(status))
+ dev_warn(&adap->dev, "failed to enumerate I2C slaves\n");
++
++ if (!adap->dev.parent)
++ return;
++
++ handle = ACPI_HANDLE(adap->dev.parent);
++ if (!handle)
++ return;
++
++ acpi_walk_dep_device_list(handle);
+ }
+
+ const struct acpi_device_id *
+@@ -737,7 +747,6 @@ int i2c_acpi_install_space_handler(struct i2c_adapter *adapter)
+ return -ENOMEM;
+ }
+
+- acpi_walk_dep_device_list(handle);
+ return 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From e86f94c1c4e161779ffe1724a3549de7f5e3b373 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Aug 2020 11:23:30 +0200
+Subject: i2c: rcar: Auto select RESET_CONTROLLER
+
+From: Dirk Behme <dirk.behme@de.bosch.com>
+
+[ Upstream commit 5b9bacf28a973a6b16510493416baeefa2c06289 ]
+
+The i2c-rcar driver utilizes the Generic Reset Controller kernel
+feature, so select the RESET_CONTROLLER option when the I2C_RCAR
+option is selected with a Gen3 SoC.
+
+Fixes: 2b16fd63059ab9 ("i2c: rcar: handle RXDMA HW behaviour on Gen3")
+Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>
+Signed-off-by: Andy Lowe <andy_lowe@mentor.com>
+[erosca: Add "if ARCH_RCAR_GEN3" per Wolfram's request]
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/i2c/busses/Kconfig b/drivers/i2c/busses/Kconfig
+index 146ce40d8e0aa..2d08a8719506c 100644
+--- a/drivers/i2c/busses/Kconfig
++++ b/drivers/i2c/busses/Kconfig
+@@ -1162,6 +1162,7 @@ config I2C_RCAR
+ tristate "Renesas R-Car I2C Controller"
+ depends on ARCH_RENESAS || COMPILE_TEST
+ select I2C_SLAVE
++ select RESET_CONTROLLER if ARCH_RCAR_GEN3
+ help
+ If you say yes to this option, support will be included for the
+ R-Car I2C controller.
+--
+2.25.1
+
--- /dev/null
+From 0015233bd8a20b54429b17d3ababeda618c492e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 11:32:22 +0200
+Subject: i3c: master add i3c_master_attach_boardinfo to preserve boardinfo
+
+From: Parshuram Thombare <pthombar@cadence.com>
+
+[ Upstream commit 9da36a7ec42135428e1d41621e3703429bda3b2e ]
+
+Boardinfo was lost if I3C object for devices with boardinfo
+available are not created or not added to the I3C device list
+because of some failure e.g. SETDASA failed, retrieve info failed etc
+This patch adds i3c_master_attach_boardinfo which scan boardinfo list
+in the master object and 'attach' it to the I3C device object.
+
+Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure")
+Signed-off-by: Parshuram Thombare <pthombar@cadence.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
+Link: https://lore.kernel.org/linux-i3c/1590053542-389-1-git-send-email-pthombar@cadence.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i3c/master.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
+index 5c051dba32a51..6cc71c90f85ea 100644
+--- a/drivers/i3c/master.c
++++ b/drivers/i3c/master.c
+@@ -1760,6 +1760,21 @@ static void i3c_master_bus_cleanup(struct i3c_master_controller *master)
+ i3c_master_detach_free_devs(master);
+ }
+
++static void i3c_master_attach_boardinfo(struct i3c_dev_desc *i3cdev)
++{
++ struct i3c_master_controller *master = i3cdev->common.master;
++ struct i3c_dev_boardinfo *i3cboardinfo;
++
++ list_for_each_entry(i3cboardinfo, &master->boardinfo.i3c, node) {
++ if (i3cdev->info.pid != i3cboardinfo->pid)
++ continue;
++
++ i3cdev->boardinfo = i3cboardinfo;
++ i3cdev->info.static_addr = i3cboardinfo->static_addr;
++ return;
++ }
++}
++
+ static struct i3c_dev_desc *
+ i3c_master_search_i3c_dev_duplicate(struct i3c_dev_desc *refdev)
+ {
+@@ -1815,10 +1830,10 @@ int i3c_master_add_i3c_dev_locked(struct i3c_master_controller *master,
+ if (ret)
+ goto err_detach_dev;
+
++ i3c_master_attach_boardinfo(newdev);
++
+ olddev = i3c_master_search_i3c_dev_duplicate(newdev);
+ if (olddev) {
+- newdev->boardinfo = olddev->boardinfo;
+- newdev->info.static_addr = olddev->info.static_addr;
+ newdev->dev = olddev->dev;
+ if (newdev->dev)
+ newdev->dev->desc = newdev;
+--
+2.25.1
+
--- /dev/null
+From 887735229011b93607cf59cac6333025e22a8e2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Sep 2020 11:33:50 +0800
+Subject: i3c: master: Fix error return in cdns_i3c_master_probe()
+
+From: Jing Xiangfeng <jingxiangfeng@huawei.com>
+
+[ Upstream commit abea14bfdebbe9bd02f2ad24a1f3a878ed21c8f0 ]
+
+Fix to return negative error code -ENOMEM from the error handling
+case instead of 0.
+
+Fixes: 603f2bee2c54 ("i3c: master: Add driver for Cadence IP")
+Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
+Link: https://lore.kernel.org/linux-i3c/20200911033350.23904-1-jingxiangfeng@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i3c/master/i3c-master-cdns.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i3c/master/i3c-master-cdns.c b/drivers/i3c/master/i3c-master-cdns.c
+index 10db0bf0655a9..6d5719cea9f53 100644
+--- a/drivers/i3c/master/i3c-master-cdns.c
++++ b/drivers/i3c/master/i3c-master-cdns.c
+@@ -1593,8 +1593,10 @@ static int cdns_i3c_master_probe(struct platform_device *pdev)
+ master->ibi.slots = devm_kcalloc(&pdev->dev, master->ibi.num_slots,
+ sizeof(*master->ibi.slots),
+ GFP_KERNEL);
+- if (!master->ibi.slots)
++ if (!master->ibi.slots) {
++ ret = -ENOMEM;
+ goto err_disable_sysclk;
++ }
+
+ writel(IBIR_THR(1), master->regs + CMD_IBI_THR_CTRL);
+ writel(MST_INT_IBIR_THR, master->regs + MST_IER);
+--
+2.25.1
+
--- /dev/null
+From fd03be7c453e3111e16104a88109646053682249 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Sep 2020 08:18:12 -0500
+Subject: i40iw: Add support to make destroy QP synchronous
+
+From: Sindhu, Devale <sindhu.devale@intel.com>
+
+[ Upstream commit f2334964e969762e266a616acf9377f6046470a2 ]
+
+Occasionally ib_write_bw crash is seen due to access of a pd object in
+i40iw_sc_qp_destroy after it is freed. Destroy qp is not synchronous in
+i40iw and thus the iwqp object could be referencing a pd object that is
+freed by ib core as a result of successful return from i40iw_destroy_qp.
+
+Wait in i40iw_destroy_qp till all QP references are released and destroy
+the QP and its associated resources before returning. Switch to use the
+refcount API vs atomic API for lifetime management of the qp.
+
+ RIP: 0010:i40iw_sc_qp_destroy+0x4b/0x120 [i40iw]
+ [...]
+ RSP: 0018:ffffb4a7042e3ba8 EFLAGS: 00010002
+ RAX: 0000000000000000 RBX: 0000000000000001 RCX: dead000000000122
+ RDX: ffffb4a7042e3bac RSI: ffff8b7ef9b1e940 RDI: ffff8b7efbf09080
+ RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
+ R10: 8080808080808080 R11: 0000000000000010 R12: ffff8b7efbf08050
+ R13: 0000000000000001 R14: ffff8b7f15042928 R15: ffff8b7ef9b1e940
+ FS: 0000000000000000(0000) GS:ffff8b7f2fa00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000400 CR3: 000000020d60a006 CR4: 00000000001606e0
+ Call Trace:
+ i40iw_exec_cqp_cmd+0x4d3/0x5c0 [i40iw]
+ ? try_to_wake_up+0x1ea/0x5d0
+ ? __switch_to_asm+0x40/0x70
+ i40iw_process_cqp_cmd+0x95/0xa0 [i40iw]
+ i40iw_handle_cqp_op+0x42/0x1a0 [i40iw]
+ ? cm_event_handler+0x13c/0x1f0 [iw_cm]
+ i40iw_rem_ref+0xa0/0xf0 [i40iw]
+ cm_work_handler+0x99c/0xd10 [iw_cm]
+ process_one_work+0x1a1/0x360
+ worker_thread+0x30/0x380
+ ? process_one_work+0x360/0x360
+ kthread+0x10c/0x130
+ ? kthread_park+0x80/0x80
+ ret_from_fork+0x35/0x40
+
+Fixes: d37498417947 ("i40iw: add files for iwarp interface")
+Link: https://lore.kernel.org/r/20200916131811.2077-1-shiraz.saleem@intel.com
+Reported-by: Kamal Heib <kheib@redhat.com>
+Signed-off-by: Sindhu, Devale <sindhu.devale@intel.com>
+Signed-off-by: Shiraz, Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/i40iw/i40iw.h | 9 ++--
+ drivers/infiniband/hw/i40iw/i40iw_cm.c | 10 ++--
+ drivers/infiniband/hw/i40iw/i40iw_hw.c | 4 +-
+ drivers/infiniband/hw/i40iw/i40iw_utils.c | 59 ++++-------------------
+ drivers/infiniband/hw/i40iw/i40iw_verbs.c | 31 ++++++++----
+ drivers/infiniband/hw/i40iw/i40iw_verbs.h | 3 +-
+ 6 files changed, 45 insertions(+), 71 deletions(-)
+
+diff --git a/drivers/infiniband/hw/i40iw/i40iw.h b/drivers/infiniband/hw/i40iw/i40iw.h
+index 8feec35f95a7c..6d6719fa7e46a 100644
+--- a/drivers/infiniband/hw/i40iw/i40iw.h
++++ b/drivers/infiniband/hw/i40iw/i40iw.h
+@@ -398,8 +398,8 @@ static inline struct i40iw_qp *to_iwqp(struct ib_qp *ibqp)
+ }
+
+ /* i40iw.c */
+-void i40iw_add_ref(struct ib_qp *);
+-void i40iw_rem_ref(struct ib_qp *);
++void i40iw_qp_add_ref(struct ib_qp *ibqp);
++void i40iw_qp_rem_ref(struct ib_qp *ibqp);
+ struct ib_qp *i40iw_get_qp(struct ib_device *, int);
+
+ void i40iw_flush_wqes(struct i40iw_device *iwdev,
+@@ -543,9 +543,8 @@ enum i40iw_status_code i40iw_manage_qhash(struct i40iw_device *iwdev,
+ bool wait);
+ void i40iw_receive_ilq(struct i40iw_sc_vsi *vsi, struct i40iw_puda_buf *rbuf);
+ void i40iw_free_sqbuf(struct i40iw_sc_vsi *vsi, void *bufp);
+-void i40iw_free_qp_resources(struct i40iw_device *iwdev,
+- struct i40iw_qp *iwqp,
+- u32 qp_num);
++void i40iw_free_qp_resources(struct i40iw_qp *iwqp);
++
+ enum i40iw_status_code i40iw_obj_aligned_mem(struct i40iw_device *iwdev,
+ struct i40iw_dma_mem *memptr,
+ u32 size, u32 mask);
+diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c b/drivers/infiniband/hw/i40iw/i40iw_cm.c
+index fa7a5ff498c73..56c1e9abc52dc 100644
+--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c
+@@ -2322,7 +2322,7 @@ static void i40iw_rem_ref_cm_node(struct i40iw_cm_node *cm_node)
+ iwqp = cm_node->iwqp;
+ if (iwqp) {
+ iwqp->cm_node = NULL;
+- i40iw_rem_ref(&iwqp->ibqp);
++ i40iw_qp_rem_ref(&iwqp->ibqp);
+ cm_node->iwqp = NULL;
+ } else if (cm_node->qhash_set) {
+ i40iw_get_addr_info(cm_node, &nfo);
+@@ -3452,7 +3452,7 @@ void i40iw_cm_disconn(struct i40iw_qp *iwqp)
+ kfree(work);
+ return;
+ }
+- i40iw_add_ref(&iwqp->ibqp);
++ i40iw_qp_add_ref(&iwqp->ibqp);
+ spin_unlock_irqrestore(&iwdev->qptable_lock, flags);
+
+ work->iwqp = iwqp;
+@@ -3623,7 +3623,7 @@ static void i40iw_disconnect_worker(struct work_struct *work)
+
+ kfree(dwork);
+ i40iw_cm_disconn_true(iwqp);
+- i40iw_rem_ref(&iwqp->ibqp);
++ i40iw_qp_rem_ref(&iwqp->ibqp);
+ }
+
+ /**
+@@ -3745,7 +3745,7 @@ int i40iw_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
+ cm_node->lsmm_size = accept.size + conn_param->private_data_len;
+ i40iw_cm_init_tsa_conn(iwqp, cm_node);
+ cm_id->add_ref(cm_id);
+- i40iw_add_ref(&iwqp->ibqp);
++ i40iw_qp_add_ref(&iwqp->ibqp);
+
+ attr.qp_state = IB_QPS_RTS;
+ cm_node->qhash_set = false;
+@@ -3908,7 +3908,7 @@ int i40iw_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
+ iwqp->cm_node = cm_node;
+ cm_node->iwqp = iwqp;
+ iwqp->cm_id = cm_id;
+- i40iw_add_ref(&iwqp->ibqp);
++ i40iw_qp_add_ref(&iwqp->ibqp);
+
+ if (cm_node->state != I40IW_CM_STATE_OFFLOADED) {
+ cm_node->state = I40IW_CM_STATE_SYN_SENT;
+diff --git a/drivers/infiniband/hw/i40iw/i40iw_hw.c b/drivers/infiniband/hw/i40iw/i40iw_hw.c
+index ae8b97c306657..a7512508f7e60 100644
+--- a/drivers/infiniband/hw/i40iw/i40iw_hw.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_hw.c
+@@ -313,7 +313,7 @@ void i40iw_process_aeq(struct i40iw_device *iwdev)
+ __func__, info->qp_cq_id);
+ continue;
+ }
+- i40iw_add_ref(&iwqp->ibqp);
++ i40iw_qp_add_ref(&iwqp->ibqp);
+ spin_unlock_irqrestore(&iwdev->qptable_lock, flags);
+ qp = &iwqp->sc_qp;
+ spin_lock_irqsave(&iwqp->lock, flags);
+@@ -427,7 +427,7 @@ void i40iw_process_aeq(struct i40iw_device *iwdev)
+ break;
+ }
+ if (info->qp)
+- i40iw_rem_ref(&iwqp->ibqp);
++ i40iw_qp_rem_ref(&iwqp->ibqp);
+ } while (1);
+
+ if (aeqcnt)
+diff --git a/drivers/infiniband/hw/i40iw/i40iw_utils.c b/drivers/infiniband/hw/i40iw/i40iw_utils.c
+index 016524683e17e..72db7c1dc2998 100644
+--- a/drivers/infiniband/hw/i40iw/i40iw_utils.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_utils.c
+@@ -479,25 +479,6 @@ void i40iw_cleanup_pending_cqp_op(struct i40iw_device *iwdev)
+ }
+ }
+
+-/**
+- * i40iw_free_qp - callback after destroy cqp completes
+- * @cqp_request: cqp request for destroy qp
+- * @num: not used
+- */
+-static void i40iw_free_qp(struct i40iw_cqp_request *cqp_request, u32 num)
+-{
+- struct i40iw_sc_qp *qp = (struct i40iw_sc_qp *)cqp_request->param;
+- struct i40iw_qp *iwqp = (struct i40iw_qp *)qp->back_qp;
+- struct i40iw_device *iwdev;
+- u32 qp_num = iwqp->ibqp.qp_num;
+-
+- iwdev = iwqp->iwdev;
+-
+- i40iw_rem_pdusecount(iwqp->iwpd, iwdev);
+- i40iw_free_qp_resources(iwdev, iwqp, qp_num);
+- i40iw_rem_devusecount(iwdev);
+-}
+-
+ /**
+ * i40iw_wait_event - wait for completion
+ * @iwdev: iwarp device
+@@ -618,26 +599,23 @@ void i40iw_rem_pdusecount(struct i40iw_pd *iwpd, struct i40iw_device *iwdev)
+ }
+
+ /**
+- * i40iw_add_ref - add refcount for qp
++ * i40iw_qp_add_ref - add refcount for qp
+ * @ibqp: iqarp qp
+ */
+-void i40iw_add_ref(struct ib_qp *ibqp)
++void i40iw_qp_add_ref(struct ib_qp *ibqp)
+ {
+ struct i40iw_qp *iwqp = (struct i40iw_qp *)ibqp;
+
+- atomic_inc(&iwqp->refcount);
++ refcount_inc(&iwqp->refcount);
+ }
+
+ /**
+- * i40iw_rem_ref - rem refcount for qp and free if 0
++ * i40iw_qp_rem_ref - rem refcount for qp and free if 0
+ * @ibqp: iqarp qp
+ */
+-void i40iw_rem_ref(struct ib_qp *ibqp)
++void i40iw_qp_rem_ref(struct ib_qp *ibqp)
+ {
+ struct i40iw_qp *iwqp;
+- enum i40iw_status_code status;
+- struct i40iw_cqp_request *cqp_request;
+- struct cqp_commands_info *cqp_info;
+ struct i40iw_device *iwdev;
+ u32 qp_num;
+ unsigned long flags;
+@@ -645,7 +623,7 @@ void i40iw_rem_ref(struct ib_qp *ibqp)
+ iwqp = to_iwqp(ibqp);
+ iwdev = iwqp->iwdev;
+ spin_lock_irqsave(&iwdev->qptable_lock, flags);
+- if (!atomic_dec_and_test(&iwqp->refcount)) {
++ if (!refcount_dec_and_test(&iwqp->refcount)) {
+ spin_unlock_irqrestore(&iwdev->qptable_lock, flags);
+ return;
+ }
+@@ -653,25 +631,8 @@ void i40iw_rem_ref(struct ib_qp *ibqp)
+ qp_num = iwqp->ibqp.qp_num;
+ iwdev->qp_table[qp_num] = NULL;
+ spin_unlock_irqrestore(&iwdev->qptable_lock, flags);
+- cqp_request = i40iw_get_cqp_request(&iwdev->cqp, false);
+- if (!cqp_request)
+- return;
+-
+- cqp_request->callback_fcn = i40iw_free_qp;
+- cqp_request->param = (void *)&iwqp->sc_qp;
+- cqp_info = &cqp_request->info;
+- cqp_info->cqp_cmd = OP_QP_DESTROY;
+- cqp_info->post_sq = 1;
+- cqp_info->in.u.qp_destroy.qp = &iwqp->sc_qp;
+- cqp_info->in.u.qp_destroy.scratch = (uintptr_t)cqp_request;
+- cqp_info->in.u.qp_destroy.remove_hash_idx = true;
+- status = i40iw_handle_cqp_op(iwdev, cqp_request);
+- if (!status)
+- return;
++ complete(&iwqp->free_qp);
+
+- i40iw_rem_pdusecount(iwqp->iwpd, iwdev);
+- i40iw_free_qp_resources(iwdev, iwqp, qp_num);
+- i40iw_rem_devusecount(iwdev);
+ }
+
+ /**
+@@ -938,7 +899,7 @@ static void i40iw_terminate_timeout(struct timer_list *t)
+ struct i40iw_sc_qp *qp = (struct i40iw_sc_qp *)&iwqp->sc_qp;
+
+ i40iw_terminate_done(qp, 1);
+- i40iw_rem_ref(&iwqp->ibqp);
++ i40iw_qp_rem_ref(&iwqp->ibqp);
+ }
+
+ /**
+@@ -950,7 +911,7 @@ void i40iw_terminate_start_timer(struct i40iw_sc_qp *qp)
+ struct i40iw_qp *iwqp;
+
+ iwqp = (struct i40iw_qp *)qp->back_qp;
+- i40iw_add_ref(&iwqp->ibqp);
++ i40iw_qp_add_ref(&iwqp->ibqp);
+ timer_setup(&iwqp->terminate_timer, i40iw_terminate_timeout, 0);
+ iwqp->terminate_timer.expires = jiffies + HZ;
+ add_timer(&iwqp->terminate_timer);
+@@ -966,7 +927,7 @@ void i40iw_terminate_del_timer(struct i40iw_sc_qp *qp)
+
+ iwqp = (struct i40iw_qp *)qp->back_qp;
+ if (del_timer(&iwqp->terminate_timer))
+- i40iw_rem_ref(&iwqp->ibqp);
++ i40iw_qp_rem_ref(&iwqp->ibqp);
+ }
+
+ /**
+diff --git a/drivers/infiniband/hw/i40iw/i40iw_verbs.c b/drivers/infiniband/hw/i40iw/i40iw_verbs.c
+index cd9ee1664a69e..22bf4f09c0647 100644
+--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c
+@@ -366,11 +366,11 @@ static struct i40iw_pbl *i40iw_get_pbl(unsigned long va,
+ * @iwqp: qp ptr (user or kernel)
+ * @qp_num: qp number assigned
+ */
+-void i40iw_free_qp_resources(struct i40iw_device *iwdev,
+- struct i40iw_qp *iwqp,
+- u32 qp_num)
++void i40iw_free_qp_resources(struct i40iw_qp *iwqp)
+ {
+ struct i40iw_pbl *iwpbl = &iwqp->iwpbl;
++ struct i40iw_device *iwdev = iwqp->iwdev;
++ u32 qp_num = iwqp->ibqp.qp_num;
+
+ i40iw_ieq_cleanup_qp(iwdev->vsi.ieq, &iwqp->sc_qp);
+ i40iw_dealloc_push_page(iwdev, &iwqp->sc_qp);
+@@ -404,6 +404,10 @@ static void i40iw_clean_cqes(struct i40iw_qp *iwqp, struct i40iw_cq *iwcq)
+ static int i40iw_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata)
+ {
+ struct i40iw_qp *iwqp = to_iwqp(ibqp);
++ struct ib_qp_attr attr;
++ struct i40iw_device *iwdev = iwqp->iwdev;
++
++ memset(&attr, 0, sizeof(attr));
+
+ iwqp->destroyed = 1;
+
+@@ -418,7 +422,15 @@ static int i40iw_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata)
+ }
+ }
+
+- i40iw_rem_ref(&iwqp->ibqp);
++ attr.qp_state = IB_QPS_ERR;
++ i40iw_modify_qp(&iwqp->ibqp, &attr, IB_QP_STATE, NULL);
++ i40iw_qp_rem_ref(&iwqp->ibqp);
++ wait_for_completion(&iwqp->free_qp);
++ i40iw_cqp_qp_destroy_cmd(&iwdev->sc_dev, &iwqp->sc_qp);
++ i40iw_rem_pdusecount(iwqp->iwpd, iwdev);
++ i40iw_free_qp_resources(iwqp);
++ i40iw_rem_devusecount(iwdev);
++
+ return 0;
+ }
+
+@@ -579,6 +591,7 @@ static struct ib_qp *i40iw_create_qp(struct ib_pd *ibpd,
+ qp->back_qp = (void *)iwqp;
+ qp->push_idx = I40IW_INVALID_PUSH_PAGE_INDEX;
+
++ iwqp->iwdev = iwdev;
+ iwqp->ctx_info.iwarp_info = &iwqp->iwarp_info;
+
+ if (i40iw_allocate_dma_mem(dev->hw,
+@@ -603,7 +616,6 @@ static struct ib_qp *i40iw_create_qp(struct ib_pd *ibpd,
+ goto error;
+ }
+
+- iwqp->iwdev = iwdev;
+ iwqp->iwpd = iwpd;
+ iwqp->ibqp.qp_num = qp_num;
+ qp = &iwqp->sc_qp;
+@@ -717,7 +729,7 @@ static struct ib_qp *i40iw_create_qp(struct ib_pd *ibpd,
+ goto error;
+ }
+
+- i40iw_add_ref(&iwqp->ibqp);
++ refcount_set(&iwqp->refcount, 1);
+ spin_lock_init(&iwqp->lock);
+ iwqp->sig_all = (init_attr->sq_sig_type == IB_SIGNAL_ALL_WR) ? 1 : 0;
+ iwdev->qp_table[qp_num] = iwqp;
+@@ -739,10 +751,11 @@ static struct ib_qp *i40iw_create_qp(struct ib_pd *ibpd,
+ }
+ init_completion(&iwqp->sq_drained);
+ init_completion(&iwqp->rq_drained);
++ init_completion(&iwqp->free_qp);
+
+ return &iwqp->ibqp;
+ error:
+- i40iw_free_qp_resources(iwdev, iwqp, qp_num);
++ i40iw_free_qp_resources(iwqp);
+ return ERR_PTR(err_code);
+ }
+
+@@ -2654,13 +2667,13 @@ static const struct ib_device_ops i40iw_dev_ops = {
+ .get_hw_stats = i40iw_get_hw_stats,
+ .get_port_immutable = i40iw_port_immutable,
+ .iw_accept = i40iw_accept,
+- .iw_add_ref = i40iw_add_ref,
++ .iw_add_ref = i40iw_qp_add_ref,
+ .iw_connect = i40iw_connect,
+ .iw_create_listen = i40iw_create_listen,
+ .iw_destroy_listen = i40iw_destroy_listen,
+ .iw_get_qp = i40iw_get_qp,
+ .iw_reject = i40iw_reject,
+- .iw_rem_ref = i40iw_rem_ref,
++ .iw_rem_ref = i40iw_qp_rem_ref,
+ .map_mr_sg = i40iw_map_mr_sg,
+ .mmap = i40iw_mmap,
+ .modify_qp = i40iw_modify_qp,
+diff --git a/drivers/infiniband/hw/i40iw/i40iw_verbs.h b/drivers/infiniband/hw/i40iw/i40iw_verbs.h
+index 3a413752ccc38..ad7d81041bc9a 100644
+--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.h
++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.h
+@@ -140,7 +140,7 @@ struct i40iw_qp {
+ struct i40iw_qp_host_ctx_info ctx_info;
+ struct i40iwarp_offload_info iwarp_info;
+ void *allocated_buffer;
+- atomic_t refcount;
++ refcount_t refcount;
+ struct iw_cm_id *cm_id;
+ void *cm_node;
+ struct ib_mr *lsmm_mr;
+@@ -175,5 +175,6 @@ struct i40iw_qp {
+ struct i40iw_dma_mem ietf_mem;
+ struct completion sq_drained;
+ struct completion rq_drained;
++ struct completion free_qp;
+ };
+ #endif
+--
+2.25.1
+
--- /dev/null
+From 02830b523bc5ec59461d0c5505ec92d795b3795c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Aug 2020 08:19:41 +0200
+Subject: IB/mlx4: Adjust delayed work when a dup is observed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Håkon Bugge <haakon.bugge@oracle.com>
+
+[ Upstream commit 785167a114855c5aa75efca97000e405c2cc85bf ]
+
+When scheduling delayed work to clean up the cache, if the entry already
+has been scheduled for deletion, we adjust the delay.
+
+Fixes: 3cf69cc8dbeb ("IB/mlx4: Add CM paravirtualization")
+Link: https://lore.kernel.org/r/20200803061941.1139994-7-haakon.bugge@oracle.com
+Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx4/cm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/infiniband/hw/mlx4/cm.c b/drivers/infiniband/hw/mlx4/cm.c
+index b591861934b3c..81d6a3460b55d 100644
+--- a/drivers/infiniband/hw/mlx4/cm.c
++++ b/drivers/infiniband/hw/mlx4/cm.c
+@@ -280,6 +280,9 @@ static void schedule_delayed(struct ib_device *ibdev, struct id_map_entry *id)
+ if (!sriov->is_going_down && !id->scheduled_delete) {
+ id->scheduled_delete = 1;
+ schedule_delayed_work(&id->timeout, CM_CLEANUP_CACHE_TIMEOUT);
++ } else if (id->scheduled_delete) {
++ /* Adjust timeout if already scheduled */
++ mod_delayed_work(system_wq, &id->timeout, CM_CLEANUP_CACHE_TIMEOUT);
+ }
+ spin_unlock_irqrestore(&sriov->going_down_lock, flags);
+ spin_unlock(&sriov->id_map_lock);
+--
+2.25.1
+
--- /dev/null
+From ad89d084e7a6636e300a1f81a07ed6a5d54bb39d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Aug 2020 08:19:39 +0200
+Subject: IB/mlx4: Fix starvation in paravirt mux/demux
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Håkon Bugge <haakon.bugge@oracle.com>
+
+[ Upstream commit 7fd1507df7cee9c533f38152fcd1dd769fcac6ce ]
+
+The mlx4 driver will proxy MAD packets through the PF driver. A VM or an
+instantiated VF will send its MAD packets to the PF driver using
+loop-back. The PF driver will be informed by an interrupt, but defer the
+handling and polling of CQEs to a worker thread running on an ordered
+work-queue.
+
+Consider the following scenario: the VMs will in short proximity in time,
+for example due to a network event, send many MAD packets to the PF
+driver. Lets say there are K VMs, each sending N packets.
+
+The interrupt from the first VM will start the worker thread, which will
+poll N CQEs. A common case here is where the PF driver will multiplex the
+packets received from the VMs out on the wire QP.
+
+But before the wire QP has returned a send CQE and associated interrupt,
+the other K - 1 VMs have sent their N packets as well.
+
+The PF driver has to multiplex K * N packets out on the wire QP. But the
+send-queue on the wire QP has a finite capacity.
+
+So, in this scenario, if K * N is larger than the send-queue capacity of
+the wire QP, we will get MAD packets dropped on the floor with this
+dynamic debug message:
+
+mlx4_ib_multiplex_mad: failed sending GSI to wire on behalf of slave 2 (-11)
+
+and this despite the fact that the wire send-queue could have capacity,
+but the PF driver isn't aware, because the wire send CQEs have not yet
+been polled.
+
+We can also have a similar scenario inbound, with a wire recv-queue larger
+than the tunnel QP's send-queue. If many remote peers send MAD packets to
+the very same VM, the tunnel send-queue destined to the VM could allegedly
+be construed to be full by the PF driver.
+
+This starvation is fixed by introducing separate work queues for the wire
+QPs vs. the tunnel QPs.
+
+With this fix, using a dual ported HCA, 8 VFs instantiated, we could run
+cmtime on each of the 18 interfaces towards a similar configured peer,
+each cmtime instance with 800 QPs (all in all 14400 QPs) without a single
+CM packet getting lost.
+
+Fixes: 3cf69cc8dbeb ("IB/mlx4: Add CM paravirtualization")
+Link: https://lore.kernel.org/r/20200803061941.1139994-5-haakon.bugge@oracle.com
+Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx4/mad.c | 34 +++++++++++++++++++++++++---
+ drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 ++
+ 2 files changed, 33 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c
+index 57079110af9b5..08eccf2b6967d 100644
+--- a/drivers/infiniband/hw/mlx4/mad.c
++++ b/drivers/infiniband/hw/mlx4/mad.c
+@@ -1307,6 +1307,18 @@ static void mlx4_ib_tunnel_comp_handler(struct ib_cq *cq, void *arg)
+ spin_unlock_irqrestore(&dev->sriov.going_down_lock, flags);
+ }
+
++static void mlx4_ib_wire_comp_handler(struct ib_cq *cq, void *arg)
++{
++ unsigned long flags;
++ struct mlx4_ib_demux_pv_ctx *ctx = cq->cq_context;
++ struct mlx4_ib_dev *dev = to_mdev(ctx->ib_dev);
++
++ spin_lock_irqsave(&dev->sriov.going_down_lock, flags);
++ if (!dev->sriov.is_going_down && ctx->state == DEMUX_PV_STATE_ACTIVE)
++ queue_work(ctx->wi_wq, &ctx->work);
++ spin_unlock_irqrestore(&dev->sriov.going_down_lock, flags);
++}
++
+ static int mlx4_ib_post_pv_qp_buf(struct mlx4_ib_demux_pv_ctx *ctx,
+ struct mlx4_ib_demux_pv_qp *tun_qp,
+ int index)
+@@ -2009,7 +2021,8 @@ static int create_pv_resources(struct ib_device *ibdev, int slave, int port,
+ cq_size *= 2;
+
+ cq_attr.cqe = cq_size;
+- ctx->cq = ib_create_cq(ctx->ib_dev, mlx4_ib_tunnel_comp_handler,
++ ctx->cq = ib_create_cq(ctx->ib_dev,
++ create_tun ? mlx4_ib_tunnel_comp_handler : mlx4_ib_wire_comp_handler,
+ NULL, ctx, &cq_attr);
+ if (IS_ERR(ctx->cq)) {
+ ret = PTR_ERR(ctx->cq);
+@@ -2046,6 +2059,7 @@ static int create_pv_resources(struct ib_device *ibdev, int slave, int port,
+ INIT_WORK(&ctx->work, mlx4_ib_sqp_comp_worker);
+
+ ctx->wq = to_mdev(ibdev)->sriov.demux[port - 1].wq;
++ ctx->wi_wq = to_mdev(ibdev)->sriov.demux[port - 1].wi_wq;
+
+ ret = ib_req_notify_cq(ctx->cq, IB_CQ_NEXT_COMP);
+ if (ret) {
+@@ -2189,7 +2203,7 @@ static int mlx4_ib_alloc_demux_ctx(struct mlx4_ib_dev *dev,
+ goto err_mcg;
+ }
+
+- snprintf(name, sizeof name, "mlx4_ibt%d", port);
++ snprintf(name, sizeof(name), "mlx4_ibt%d", port);
+ ctx->wq = alloc_ordered_workqueue(name, WQ_MEM_RECLAIM);
+ if (!ctx->wq) {
+ pr_err("Failed to create tunnelling WQ for port %d\n", port);
+@@ -2197,7 +2211,15 @@ static int mlx4_ib_alloc_demux_ctx(struct mlx4_ib_dev *dev,
+ goto err_wq;
+ }
+
+- snprintf(name, sizeof name, "mlx4_ibud%d", port);
++ snprintf(name, sizeof(name), "mlx4_ibwi%d", port);
++ ctx->wi_wq = alloc_ordered_workqueue(name, WQ_MEM_RECLAIM);
++ if (!ctx->wi_wq) {
++ pr_err("Failed to create wire WQ for port %d\n", port);
++ ret = -ENOMEM;
++ goto err_wiwq;
++ }
++
++ snprintf(name, sizeof(name), "mlx4_ibud%d", port);
+ ctx->ud_wq = alloc_ordered_workqueue(name, WQ_MEM_RECLAIM);
+ if (!ctx->ud_wq) {
+ pr_err("Failed to create up/down WQ for port %d\n", port);
+@@ -2208,6 +2230,10 @@ static int mlx4_ib_alloc_demux_ctx(struct mlx4_ib_dev *dev,
+ return 0;
+
+ err_udwq:
++ destroy_workqueue(ctx->wi_wq);
++ ctx->wi_wq = NULL;
++
++err_wiwq:
+ destroy_workqueue(ctx->wq);
+ ctx->wq = NULL;
+
+@@ -2255,12 +2281,14 @@ static void mlx4_ib_free_demux_ctx(struct mlx4_ib_demux_ctx *ctx)
+ ctx->tun[i]->state = DEMUX_PV_STATE_DOWNING;
+ }
+ flush_workqueue(ctx->wq);
++ flush_workqueue(ctx->wi_wq);
+ for (i = 0; i < dev->dev->caps.sqp_demux; i++) {
+ destroy_pv_resources(dev, i, ctx->port, ctx->tun[i], 0);
+ free_pv_object(dev, i, ctx->port);
+ }
+ kfree(ctx->tun);
+ destroy_workqueue(ctx->ud_wq);
++ destroy_workqueue(ctx->wi_wq);
+ destroy_workqueue(ctx->wq);
+ }
+ }
+diff --git a/drivers/infiniband/hw/mlx4/mlx4_ib.h b/drivers/infiniband/hw/mlx4/mlx4_ib.h
+index eb53bb4c0c91c..0173e3931cc7f 100644
+--- a/drivers/infiniband/hw/mlx4/mlx4_ib.h
++++ b/drivers/infiniband/hw/mlx4/mlx4_ib.h
+@@ -459,6 +459,7 @@ struct mlx4_ib_demux_pv_ctx {
+ struct ib_pd *pd;
+ struct work_struct work;
+ struct workqueue_struct *wq;
++ struct workqueue_struct *wi_wq;
+ struct mlx4_ib_demux_pv_qp qp[2];
+ };
+
+@@ -466,6 +467,7 @@ struct mlx4_ib_demux_ctx {
+ struct ib_device *ib_dev;
+ int port;
+ struct workqueue_struct *wq;
++ struct workqueue_struct *wi_wq;
+ struct workqueue_struct *ud_wq;
+ spinlock_t ud_lock;
+ atomic64_t subnet_prefix;
+--
+2.25.1
+
--- /dev/null
+From 23a6630219ad9cebdf7c281cfd2d4a8e8fb92f80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Oct 2020 10:52:04 +0100
+Subject: IB/rdmavt: Fix sizeof mismatch
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 8e71f694e0c819db39af2336f16eb9689f1ae53f ]
+
+An incorrect sizeof is being used, struct rvt_ibport ** is not correct, it
+should be struct rvt_ibport *. Note that since ** is the same size as
+* this is not causing any issues. Improve this fix by using
+sizeof(*rdi->ports) as this allows us to not even reference the type
+of the pointer. Also remove line breaks as the entire statement can
+fit on one line.
+
+Link: https://lore.kernel.org/r/20201008095204.82683-1-colin.king@canonical.com
+Addresses-Coverity: ("Sizeof not portable (SIZEOF_MISMATCH)")
+Fixes: ff6acd69518e ("IB/rdmavt: Add device structure allocation")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Acked-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rdmavt/vt.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rdmavt/vt.c b/drivers/infiniband/sw/rdmavt/vt.c
+index 18da1e1ea9797..833f3f1b87f5e 100644
+--- a/drivers/infiniband/sw/rdmavt/vt.c
++++ b/drivers/infiniband/sw/rdmavt/vt.c
+@@ -95,9 +95,7 @@ struct rvt_dev_info *rvt_alloc_device(size_t size, int nports)
+ if (!rdi)
+ return rdi;
+
+- rdi->ports = kcalloc(nports,
+- sizeof(struct rvt_ibport **),
+- GFP_KERNEL);
++ rdi->ports = kcalloc(nports, sizeof(*rdi->ports), GFP_KERNEL);
+ if (!rdi->ports)
+ ib_dealloc_device(&rdi->ibdev);
+
+--
+2.25.1
+
--- /dev/null
+From ebbe9428f67a2d0e5b0767792a0fb0e45a3cd5d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Sep 2020 19:06:25 -0500
+Subject: ibmvnic: set up 200GBPS speed
+
+From: Lijun Pan <ljp@linux.ibm.com>
+
+[ Upstream commit b9cd795b0e4860f482bf3741d12e1c8f3ec1cfc9 ]
+
+Set up the speed according to crq->query_phys_parms.rsp.speed.
+Fix IBMVNIC_10GBPS typo.
+
+Fixes: f8d6ae0d27ec ("ibmvnic: Report actual backing device speed and duplex values")
+Signed-off-by: Lijun Pan <ljp@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 5 ++++-
+ drivers/net/ethernet/ibm/ibmvnic.h | 2 +-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index 59d437df6cab4..48105a2eebe4d 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -4477,7 +4477,7 @@ static int handle_query_phys_parms_rsp(union ibmvnic_crq *crq,
+ case IBMVNIC_1GBPS:
+ adapter->speed = SPEED_1000;
+ break;
+- case IBMVNIC_10GBP:
++ case IBMVNIC_10GBPS:
+ adapter->speed = SPEED_10000;
+ break;
+ case IBMVNIC_25GBPS:
+@@ -4492,6 +4492,9 @@ static int handle_query_phys_parms_rsp(union ibmvnic_crq *crq,
+ case IBMVNIC_100GBPS:
+ adapter->speed = SPEED_100000;
+ break;
++ case IBMVNIC_200GBPS:
++ adapter->speed = SPEED_200000;
++ break;
+ default:
+ if (netif_carrier_ok(netdev))
+ netdev_warn(netdev, "Unknown speed 0x%08x\n", rspeed);
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.h b/drivers/net/ethernet/ibm/ibmvnic.h
+index ebc39248b334a..0da20f19bb17c 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.h
++++ b/drivers/net/ethernet/ibm/ibmvnic.h
+@@ -373,7 +373,7 @@ struct ibmvnic_phys_parms {
+ #define IBMVNIC_10MBPS 0x40000000
+ #define IBMVNIC_100MBPS 0x20000000
+ #define IBMVNIC_1GBPS 0x10000000
+-#define IBMVNIC_10GBP 0x08000000
++#define IBMVNIC_10GBPS 0x08000000
+ #define IBMVNIC_40GBPS 0x04000000
+ #define IBMVNIC_100GBPS 0x02000000
+ #define IBMVNIC_25GBPS 0x01000000
+--
+2.25.1
+
--- /dev/null
+From de81b5a79f34b61a05b18a1b07d805afbf8b5dd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Apr 2020 14:26:13 -0400
+Subject: ida: Free allocated bitmap in error path
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit a219b856a2b993da234108307be772448f22b0ce ]
+
+If a bitmap needs to be allocated, and then by the time the thread
+is scheduled to be run again all the indices which would satisfy the
+allocation have been allocated then we would leak the allocation. Almost
+impossible to hit in practice, but a trivial fix. Found by Coverity.
+
+Fixes: f32f004cddf8 ("ida: Convert to XArray")
+Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/idr.c | 1 +
+ tools/testing/radix-tree/idr-test.c | 29 +++++++++++++++++++++++++++++
+ 2 files changed, 30 insertions(+)
+
+diff --git a/lib/idr.c b/lib/idr.c
+index c2cf2c52bbde5..4d2eef0259d2c 100644
+--- a/lib/idr.c
++++ b/lib/idr.c
+@@ -470,6 +470,7 @@ int ida_alloc_range(struct ida *ida, unsigned int min, unsigned int max,
+ goto retry;
+ nospc:
+ xas_unlock_irqrestore(&xas, flags);
++ kfree(alloc);
+ return -ENOSPC;
+ }
+ EXPORT_SYMBOL(ida_alloc_range);
+diff --git a/tools/testing/radix-tree/idr-test.c b/tools/testing/radix-tree/idr-test.c
+index 8995092d541ec..3b796dd5e5772 100644
+--- a/tools/testing/radix-tree/idr-test.c
++++ b/tools/testing/radix-tree/idr-test.c
+@@ -523,8 +523,27 @@ static void *ida_random_fn(void *arg)
+ return NULL;
+ }
+
++static void *ida_leak_fn(void *arg)
++{
++ struct ida *ida = arg;
++ time_t s = time(NULL);
++ int i, ret;
++
++ rcu_register_thread();
++
++ do for (i = 0; i < 1000; i++) {
++ ret = ida_alloc_range(ida, 128, 128, GFP_KERNEL);
++ if (ret >= 0)
++ ida_free(ida, 128);
++ } while (time(NULL) < s + 2);
++
++ rcu_unregister_thread();
++ return NULL;
++}
++
+ void ida_thread_tests(void)
+ {
++ DEFINE_IDA(ida);
+ pthread_t threads[20];
+ int i;
+
+@@ -536,6 +555,16 @@ void ida_thread_tests(void)
+
+ while (i--)
+ pthread_join(threads[i], NULL);
++
++ for (i = 0; i < ARRAY_SIZE(threads); i++)
++ if (pthread_create(&threads[i], NULL, ida_leak_fn, &ida)) {
++ perror("creating ida thread");
++ exit(1);
++ }
++
++ while (i--)
++ pthread_join(threads[i], NULL);
++ assert(ida_is_empty(&ida));
+ }
+
+ void ida_tests(void)
+--
+2.25.1
+
--- /dev/null
+From 703cdaa4cf0caa3435b3bad9d2e88a8769e63b3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Jul 2020 16:55:28 +0200
+Subject: iio: adc: stm32-adc: fix runtime autosuspend delay when slow polling
+
+From: Fabrice Gasnier <fabrice.gasnier@st.com>
+
+[ Upstream commit c537d3457542a398caa1fe58e0976c5f83cf7281 ]
+
+When the ADC is runtime suspended and starting a conversion, the stm32-adc
+driver calls pm_runtime_get_sync() that gets cascaded to the parent
+(e.g. runtime resume of stm32-adc-core driver). This also kicks the
+autosuspend delay (e.g. 2s) of the parent.
+Once the ADC is active, calling pm_runtime_get_sync() again (upon a new
+capture) won't kick the autosuspend delay for the parent (stm32-adc-core
+driver) as already active.
+
+Currently, this makes the stm32-adc-core driver go in suspend state
+every 2s when doing slow polling. As an example, doing a capture, e.g.
+cat in_voltageY_raw at a 0.2s rate, the auto suspend delay for the parent
+isn't refreshed. Once it expires, the parent immediately falls into
+runtime suspended state, in between two captures, as soon as the child
+driver falls into runtime suspend state:
+- e.g. after 2s, + child calls pm_runtime_put_autosuspend() + 100ms
+ autosuspend delay of the child.
+- stm32-adc-core switches off regulators, clocks and so on.
+- They get switched on back again 100ms later in this example (at 2.2s).
+
+So, use runtime_idle() callback in stm32-adc-core driver to call
+pm_runtime_mark_last_busy() for the parent driver (stm32-adc-core),
+to avoid this.
+
+Fixes: 9bdbb1139ca1 ("iio: adc: stm32-adc: add power management support")
+Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Link: https://lore.kernel.org/r/1593615328-5180-1-git-send-email-fabrice.gasnier@st.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/stm32-adc-core.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/stm32-adc-core.c b/drivers/iio/adc/stm32-adc-core.c
+index 74f3a2be17a64..14d6a537289cb 100644
+--- a/drivers/iio/adc/stm32-adc-core.c
++++ b/drivers/iio/adc/stm32-adc-core.c
+@@ -780,6 +780,13 @@ static int stm32_adc_core_runtime_resume(struct device *dev)
+ {
+ return stm32_adc_core_hw_start(dev);
+ }
++
++static int stm32_adc_core_runtime_idle(struct device *dev)
++{
++ pm_runtime_mark_last_busy(dev);
++
++ return 0;
++}
+ #endif
+
+ static const struct dev_pm_ops stm32_adc_core_pm_ops = {
+@@ -787,7 +794,7 @@ static const struct dev_pm_ops stm32_adc_core_pm_ops = {
+ pm_runtime_force_resume)
+ SET_RUNTIME_PM_OPS(stm32_adc_core_runtime_suspend,
+ stm32_adc_core_runtime_resume,
+- NULL)
++ stm32_adc_core_runtime_idle)
+ };
+
+ static const struct stm32_adc_priv_cfg stm32f4_adc_priv_cfg = {
+--
+2.25.1
+
--- /dev/null
+From b06621a75dd319f1b9aae0090285eb266360902b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Sep 2020 17:51:05 -0700
+Subject: Input: ep93xx_keypad - fix handling of platform_get_irq() error
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 7d50f6656dacf085a00beeedbc48b19a37d17881 ]
+
+platform_get_irq() returns -ERRNO on error. In such case comparison
+to 0 would pass the check.
+
+Fixes: 60214f058f44 ("Input: ep93xx_keypad - update driver to new core support")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Link: https://lore.kernel.org/r/20200828145744.3636-1-krzk@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/ep93xx_keypad.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/input/keyboard/ep93xx_keypad.c b/drivers/input/keyboard/ep93xx_keypad.c
+index 7c70492d9d6b5..f831f01501d58 100644
+--- a/drivers/input/keyboard/ep93xx_keypad.c
++++ b/drivers/input/keyboard/ep93xx_keypad.c
+@@ -250,8 +250,8 @@ static int ep93xx_keypad_probe(struct platform_device *pdev)
+ }
+
+ keypad->irq = platform_get_irq(pdev, 0);
+- if (!keypad->irq) {
+- err = -ENXIO;
++ if (keypad->irq < 0) {
++ err = keypad->irq;
+ goto failed_free;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From ec664e591b8df5db6e8a7e27f016d39122f1f58b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Sep 2020 10:17:01 -0700
+Subject: Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 30df23c5ecdfb8da5b0bc17ceef67eff9e1b0957 ]
+
+If imx6ul_tsc_init() fails then we need to clean up the clocks.
+
+I reversed the "if (input_dev->users) {" condition to make the code a
+bit simpler.
+
+Fixes: 6cc527b05847 ("Input: imx6ul_tsc - propagate the errors")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20200905124942.GC183976@mwanda
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/imx6ul_tsc.c | 27 +++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/input/touchscreen/imx6ul_tsc.c b/drivers/input/touchscreen/imx6ul_tsc.c
+index 9ed258854349b..5e6ba5c4eca2a 100644
+--- a/drivers/input/touchscreen/imx6ul_tsc.c
++++ b/drivers/input/touchscreen/imx6ul_tsc.c
+@@ -530,20 +530,25 @@ static int __maybe_unused imx6ul_tsc_resume(struct device *dev)
+
+ mutex_lock(&input_dev->mutex);
+
+- if (input_dev->users) {
+- retval = clk_prepare_enable(tsc->adc_clk);
+- if (retval)
+- goto out;
+-
+- retval = clk_prepare_enable(tsc->tsc_clk);
+- if (retval) {
+- clk_disable_unprepare(tsc->adc_clk);
+- goto out;
+- }
++ if (!input_dev->users)
++ goto out;
+
+- retval = imx6ul_tsc_init(tsc);
++ retval = clk_prepare_enable(tsc->adc_clk);
++ if (retval)
++ goto out;
++
++ retval = clk_prepare_enable(tsc->tsc_clk);
++ if (retval) {
++ clk_disable_unprepare(tsc->adc_clk);
++ goto out;
+ }
+
++ retval = imx6ul_tsc_init(tsc);
++ if (retval) {
++ clk_disable_unprepare(tsc->tsc_clk);
++ clk_disable_unprepare(tsc->adc_clk);
++ goto out;
++ }
+ out:
+ mutex_unlock(&input_dev->mutex);
+ return retval;
+--
+2.25.1
+
--- /dev/null
+From 7bb3020f7f89e03a90ecd3cc1d164d8f75acf1c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Sep 2020 17:52:15 -0700
+Subject: Input: omap4-keypad - fix handling of platform_get_irq() error
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 4738dd1992fa13acfbbd71800c71c612f466fa44 ]
+
+platform_get_irq() returns -ERRNO on error. In such case comparison
+to 0 would pass the check.
+
+Fixes: f3a1ba60dbdb ("Input: omap4-keypad - use platform device helpers")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Link: https://lore.kernel.org/r/20200828145744.3636-2-krzk@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/omap4-keypad.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/input/keyboard/omap4-keypad.c b/drivers/input/keyboard/omap4-keypad.c
+index 94c94d7f5155f..d6c924032aaa8 100644
+--- a/drivers/input/keyboard/omap4-keypad.c
++++ b/drivers/input/keyboard/omap4-keypad.c
+@@ -240,10 +240,8 @@ static int omap4_keypad_probe(struct platform_device *pdev)
+ }
+
+ irq = platform_get_irq(pdev, 0);
+- if (!irq) {
+- dev_err(&pdev->dev, "no keyboard irq assigned\n");
+- return -EINVAL;
+- }
++ if (irq < 0)
++ return irq;
+
+ keypad_data = kzalloc(sizeof(struct omap4_keypad), GFP_KERNEL);
+ if (!keypad_data) {
+--
+2.25.1
+
--- /dev/null
+From 337a60e195589b0d4b1d8978e3f286cab5c5fd7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Sep 2020 10:26:09 -0700
+Subject: Input: stmfts - fix a & vs && typo
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit d04afe14b23651e7a8bc89727a759e982a8458e4 ]
+
+In stmfts_sysfs_hover_enable_write(), we should check value and
+sdata->hover_enabled is all true.
+
+Fixes: 78bcac7b2ae1 ("Input: add support for the STMicroelectronics FingerTip touchscreen")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Link: https://lore.kernel.org/r/20200916141941.16684-1-yuehaibing@huawei.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/stmfts.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/input/touchscreen/stmfts.c b/drivers/input/touchscreen/stmfts.c
+index b6f95f20f9244..cd8805d71d977 100644
+--- a/drivers/input/touchscreen/stmfts.c
++++ b/drivers/input/touchscreen/stmfts.c
+@@ -479,7 +479,7 @@ static ssize_t stmfts_sysfs_hover_enable_write(struct device *dev,
+
+ mutex_lock(&sdata->mutex);
+
+- if (value & sdata->hover_enabled)
++ if (value && sdata->hover_enabled)
+ goto out;
+
+ if (sdata->running)
+--
+2.25.1
+
--- /dev/null
+From 76d2d9c2801014053395cd549ddd46548d4dff35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Sep 2020 17:56:40 -0700
+Subject: Input: sun4i-ps2 - fix handling of platform_get_irq() error
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit cafb3abea6136e59ea534004e5773361e196bb94 ]
+
+platform_get_irq() returns -ERRNO on error. In such case comparison
+to 0 would pass the check.
+
+Fixes: e443631d20f5 ("Input: serio - add support for Alwinner A10/A20 PS/2 controller")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Chen-Yu Tsai <wens@csie.org>
+Link: https://lore.kernel.org/r/20200828145744.3636-4-krzk@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/serio/sun4i-ps2.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/input/serio/sun4i-ps2.c b/drivers/input/serio/sun4i-ps2.c
+index a681a2c04e399..f15ed3dcdb9b2 100644
+--- a/drivers/input/serio/sun4i-ps2.c
++++ b/drivers/input/serio/sun4i-ps2.c
+@@ -211,7 +211,6 @@ static int sun4i_ps2_probe(struct platform_device *pdev)
+ struct sun4i_ps2data *drvdata;
+ struct serio *serio;
+ struct device *dev = &pdev->dev;
+- unsigned int irq;
+ int error;
+
+ drvdata = kzalloc(sizeof(struct sun4i_ps2data), GFP_KERNEL);
+@@ -264,14 +263,12 @@ static int sun4i_ps2_probe(struct platform_device *pdev)
+ writel(0, drvdata->reg_base + PS2_REG_GCTL);
+
+ /* Get IRQ for the device */
+- irq = platform_get_irq(pdev, 0);
+- if (!irq) {
+- dev_err(dev, "no IRQ found\n");
+- error = -ENXIO;
++ drvdata->irq = platform_get_irq(pdev, 0);
++ if (drvdata->irq < 0) {
++ error = drvdata->irq;
+ goto err_disable_clk;
+ }
+
+- drvdata->irq = irq;
+ drvdata->serio = serio;
+ drvdata->dev = dev;
+
+--
+2.25.1
+
--- /dev/null
+From 94a69e09185b3a93df0d12bb915891bf92f951f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Sep 2020 17:56:19 -0700
+Subject: Input: twl4030_keypad - fix handling of platform_get_irq() error
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit c277e1f0dc3c7d7b5b028e20dd414df241642036 ]
+
+platform_get_irq() returns -ERRNO on error. In such case casting to
+unsigned and comparing to 0 would pass the check.
+
+Fixes: 7abf38d6d13c ("Input: twl4030-keypad - add device tree support")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Link: https://lore.kernel.org/r/20200828145744.3636-3-krzk@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/twl4030_keypad.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/input/keyboard/twl4030_keypad.c b/drivers/input/keyboard/twl4030_keypad.c
+index af3a6824f1a4d..77e0743a3cf85 100644
+--- a/drivers/input/keyboard/twl4030_keypad.c
++++ b/drivers/input/keyboard/twl4030_keypad.c
+@@ -50,7 +50,7 @@ struct twl4030_keypad {
+ bool autorepeat;
+ unsigned int n_rows;
+ unsigned int n_cols;
+- unsigned int irq;
++ int irq;
+
+ struct device *dbg_dev;
+ struct input_dev *input;
+@@ -376,10 +376,8 @@ static int twl4030_kp_probe(struct platform_device *pdev)
+ }
+
+ kp->irq = platform_get_irq(pdev, 0);
+- if (!kp->irq) {
+- dev_err(&pdev->dev, "no keyboard irq assigned\n");
+- return -EINVAL;
+- }
++ if (kp->irq < 0)
++ return kp->irq;
+
+ error = matrix_keypad_build_keymap(keymap_data, NULL,
+ TWL4030_MAX_ROWS,
+--
+2.25.1
+
--- /dev/null
+From 60d38631cc80ebe3182dc936f6d5f6b34ccda8a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Sep 2020 08:26:17 -0700
+Subject: iomap: Clear page error before beginning a write
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit e6e7ca92623a43156100306861272e04d46385fc ]
+
+If we find a page in write_begin which is !Uptodate, we need
+to clear any error on the page before starting to read data
+into it. This matches how filemap_fault(), do_read_cache_page()
+and generic_file_buffered_read() handle PageError on !Uptodate pages.
+When calling iomap_set_range_uptodate() in __iomap_write_begin(), blocks
+were not being marked as uptodate.
+
+This was found with generic/127 and a specially modified kernel which
+would fail (some) readahead I/Os. The test read some bytes in a prior
+page which caused readahead to extend into page 0x34. There was
+a subsequent write to page 0x34, followed by a read to page 0x34.
+Because the blocks were still marked as !Uptodate, the read caused all
+blocks to be re-read, overwriting the write. With this change, and the
+next one, the bytes which were written are marked as being Uptodate, so
+even though the page is still marked as !Uptodate, the blocks containing
+the written data are not re-read from storage.
+
+Fixes: 9dc55f1389f9 ("iomap: add support for sub-pagesize buffered I/O without buffer heads")
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/iomap/buffered-io.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
+index a30ea7ecb790a..80867a1a94f26 100644
+--- a/fs/iomap/buffered-io.c
++++ b/fs/iomap/buffered-io.c
+@@ -559,6 +559,7 @@ __iomap_write_begin(struct inode *inode, loff_t pos, unsigned len,
+
+ if (PageUptodate(page))
+ return 0;
++ ClearPageError(page);
+
+ do {
+ iomap_adjust_read_range(inode, iop, &block_start,
+--
+2.25.1
+
--- /dev/null
+From 41479f9141e09f88b61ff264d0fe6a90ab72e802 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Sep 2020 08:26:15 -0700
+Subject: iomap: fix WARN_ON_ONCE() from unprivileged users
+
+From: Qian Cai <cai@lca.pw>
+
+[ Upstream commit a805c111650cdba6ee880f528abdd03c1af82089 ]
+
+It is trivial to trigger a WARN_ON_ONCE(1) in iomap_dio_actor() by
+unprivileged users which would taint the kernel, or worse - panic if
+panic_on_warn or panic_on_taint is set. Hence, just convert it to
+pr_warn_ratelimited() to let users know their workloads are racing.
+Thank Dave Chinner for the initial analysis of the racing reproducers.
+
+Signed-off-by: Qian Cai <cai@lca.pw>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/iomap/direct-io.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/iomap/direct-io.c b/fs/iomap/direct-io.c
+index 7b5f76efef02d..8c98fd92bf665 100644
+--- a/fs/iomap/direct-io.c
++++ b/fs/iomap/direct-io.c
+@@ -377,6 +377,16 @@ iomap_dio_actor(struct inode *inode, loff_t pos, loff_t length,
+ return iomap_dio_bio_actor(inode, pos, length, dio, iomap);
+ case IOMAP_INLINE:
+ return iomap_dio_inline_actor(inode, pos, length, dio, iomap);
++ case IOMAP_DELALLOC:
++ /*
++ * DIO is not serialised against mmap() access at all, and so
++ * if the page_mkwrite occurs between the writeback and the
++ * iomap_apply() call in the DIO path, then it will see the
++ * DELALLOC block that the page-mkwrite allocated.
++ */
++ pr_warn_ratelimited("Direct I/O collision with buffered writes! File: %pD4 Comm: %.20s\n",
++ dio->iocb->ki_filp, current->comm);
++ return -EIO;
+ default:
+ WARN_ON_ONCE(1);
+ return -EIO;
+--
+2.25.1
+
--- /dev/null
+From 472d656c215b8b74e9e420cf934332751467cfd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Oct 2020 16:17:21 -0700
+Subject: ip_gre: set dev->hard_header_len and dev->needed_headroom properly
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit fdafed459998e2be0e877e6189b24cb7a0183224 ]
+
+GRE tunnel has its own header_ops, ipgre_header_ops, and sets it
+conditionally. When it is set, it assumes the outer IP header is
+already created before ipgre_xmit().
+
+This is not true when we send packets through a raw packet socket,
+where L2 headers are supposed to be constructed by user. Packet
+socket calls dev_validate_header() to validate the header. But
+GRE tunnel does not set dev->hard_header_len, so that check can
+be simply bypassed, therefore uninit memory could be passed down
+to ipgre_xmit(). Similar for dev->needed_headroom.
+
+dev->hard_header_len is supposed to be the length of the header
+created by dev->header_ops->create(), so it should be used whenever
+header_ops is set, and dev->needed_headroom should be used when it
+is not set.
+
+Reported-and-tested-by: syzbot+4a2c52677a8a1aa283cb@syzkaller.appspotmail.com
+Cc: William Tu <u9012063@gmail.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Xie He <xie.he.0141@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_gre.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 85ba1453ba5ca..fedad3a3e61b8 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -603,9 +603,7 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb,
+ }
+
+ if (dev->header_ops) {
+- /* Need space for new headers */
+- if (skb_cow_head(skb, dev->needed_headroom -
+- (tunnel->hlen + sizeof(struct iphdr))))
++ if (skb_cow_head(skb, 0))
+ goto free_skb;
+
+ tnl_params = (const struct iphdr *)skb->data;
+@@ -723,7 +721,11 @@ static void ipgre_link_update(struct net_device *dev, bool set_mtu)
+ len = tunnel->tun_hlen - len;
+ tunnel->hlen = tunnel->hlen + len;
+
+- dev->needed_headroom = dev->needed_headroom + len;
++ if (dev->header_ops)
++ dev->hard_header_len += len;
++ else
++ dev->needed_headroom += len;
++
+ if (set_mtu)
+ dev->mtu = max_t(int, dev->mtu - len, 68);
+
+@@ -926,6 +928,7 @@ static void __gre_tunnel_init(struct net_device *dev)
+ tunnel->parms.iph.protocol = IPPROTO_GRE;
+
+ tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen;
++ dev->needed_headroom = tunnel->hlen + sizeof(tunnel->parms.iph);
+
+ dev->features |= GRE_FEATURES;
+ dev->hw_features |= GRE_FEATURES;
+@@ -969,10 +972,14 @@ static int ipgre_tunnel_init(struct net_device *dev)
+ return -EINVAL;
+ dev->flags = IFF_BROADCAST;
+ dev->header_ops = &ipgre_header_ops;
++ dev->hard_header_len = tunnel->hlen + sizeof(*iph);
++ dev->needed_headroom = 0;
+ }
+ #endif
+ } else if (!tunnel->collect_md) {
+ dev->header_ops = &ipgre_header_ops;
++ dev->hard_header_len = tunnel->hlen + sizeof(*iph);
++ dev->needed_headroom = 0;
+ }
+
+ return ip_tunnel_init(dev);
+--
+2.25.1
+
--- /dev/null
+From e6cc99662b855eeee4b1cf68bf01e9567d802393 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Oct 2020 22:52:12 +0800
+Subject: ipmi_si: Fix wrong return value in try_smi_init()
+
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+
+[ Upstream commit 8fe7990ceda8597e407d06bffc4bdbe835a93ece ]
+
+On an error exit path, a negative error code should be returned
+instead of a positive return value.
+
+Fixes: 90b2d4f15ff7 ("ipmi_si: Remove hacks for adding a dummy platform devices")
+Cc: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Message-Id: <20201005145212.84435-1-tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ipmi/ipmi_si_intf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c
+index 6b9a0593d2eb7..b6e7df9e88503 100644
+--- a/drivers/char/ipmi/ipmi_si_intf.c
++++ b/drivers/char/ipmi/ipmi_si_intf.c
+@@ -1977,7 +1977,7 @@ static int try_smi_init(struct smi_info *new_smi)
+ /* Do this early so it's available for logs. */
+ if (!new_smi->io.dev) {
+ pr_err("IPMI interface added with no device\n");
+- rv = EIO;
++ rv = -EIO;
+ goto out_err;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From fc8ed5d5843e8a34e969d58a210b50ba3314c618 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Oct 2020 21:24:25 +0300
+Subject: ipvs: clear skb->tstamp in forwarding path
+
+From: Julian Anastasov <ja@ssi.bg>
+
+[ Upstream commit 7980d2eabde82be86c5be18aa3d07e88ec13c6a1 ]
+
+fq qdisc requires tstamp to be cleared in forwarding path
+
+Reported-by: Evgeny B <abt-admin@mail.ru>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=209427
+Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+Fixes: 8203e2d844d3 ("net: clear skb->tstamp in forwarding paths")
+Fixes: fb420d5d91c1 ("tcp/fq: move back to CLOCK_MONOTONIC")
+Fixes: 80b14dee2bea ("net: Add a new socket option for a future transmit time.")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Reviewed-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_xmit.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
+index c62a131a60948..cefc39878b1a4 100644
+--- a/net/netfilter/ipvs/ip_vs_xmit.c
++++ b/net/netfilter/ipvs/ip_vs_xmit.c
+@@ -615,6 +615,8 @@ static inline int ip_vs_tunnel_xmit_prepare(struct sk_buff *skb,
+ if (ret == NF_ACCEPT) {
+ nf_reset_ct(skb);
+ skb_forward_csum(skb);
++ if (skb->dev)
++ skb->tstamp = 0;
+ }
+ return ret;
+ }
+@@ -655,6 +657,8 @@ static inline int ip_vs_nat_send_or_cont(int pf, struct sk_buff *skb,
+
+ if (!local) {
+ skb_forward_csum(skb);
++ if (skb->dev)
++ skb->tstamp = 0;
+ NF_HOOK(pf, NF_INET_LOCAL_OUT, cp->ipvs->net, NULL, skb,
+ NULL, skb_dst(skb)->dev, dst_output);
+ } else
+@@ -675,6 +679,8 @@ static inline int ip_vs_send_or_cont(int pf, struct sk_buff *skb,
+ if (!local) {
+ ip_vs_drop_early_demux_sk(skb);
+ skb_forward_csum(skb);
++ if (skb->dev)
++ skb->tstamp = 0;
+ NF_HOOK(pf, NF_INET_LOCAL_OUT, cp->ipvs->net, NULL, skb,
+ NULL, skb_dst(skb)->dev, dst_output);
+ } else
+--
+2.25.1
+
--- /dev/null
+From 02c3822d60bcd4a638c36654ae46b6829f0304f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 03:46:40 -0400
+Subject: ipvs: Fix uninit-value in do_ip_vs_set_ctl()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+[ Upstream commit c5a8a8498eed1c164afc94f50a939c1a10abf8ad ]
+
+do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is
+zero. Fix it.
+
+Reported-by: syzbot+23b5f9e7caf61d9a3898@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2
+Suggested-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Reviewed-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index 3cccc88ef817b..99168af0c28d9 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -2465,6 +2465,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ /* Set timeout values for (tcp tcpfin udp) */
+ ret = ip_vs_set_timeout(ipvs, (struct ip_vs_timeout_user *)arg);
+ goto out_unlock;
++ } else if (!len) {
++ /* No more commands with len == 0 below */
++ ret = -EINVAL;
++ goto out_unlock;
+ }
+
+ usvc_compat = (struct ip_vs_service_user *)arg;
+@@ -2541,9 +2545,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
+ break;
+ case IP_VS_SO_SET_DELDEST:
+ ret = ip_vs_del_dest(svc, &udest);
+- break;
+- default:
+- ret = -EINVAL;
+ }
+
+ out_unlock:
+--
+2.25.1
+
--- /dev/null
+From a642c59689ef4068680fc712a1ae9a3ed3a08520 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Sep 2020 10:31:20 +0300
+Subject: iwlwifi: mvm: split a print to avoid a WARNING in ROC
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit 903b3f9badf1d54f77b468b96706dab679b45b14 ]
+
+A print in the remain on channel code was too long and caused
+a WARNING, split it.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Fixes: dc28e12f2125 ("iwlwifi: mvm: ROC: Extend the ROC max delay duration & limit ROC duration")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20200930102759.58d57c0bdc68.Ib06008665e7bf1199c360aa92691d9c74fb84990@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+index ed92a8e8cd519..01b26b3327b01 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -3650,9 +3650,12 @@ static int iwl_mvm_send_aux_roc_cmd(struct iwl_mvm *mvm,
+ tail->apply_time_max_delay = cpu_to_le32(delay);
+
+ IWL_DEBUG_TE(mvm,
+- "ROC: Requesting to remain on channel %u for %ums (requested = %ums, max_delay = %ums, dtim_interval = %ums)\n",
+- channel->hw_value, req_dur, duration, delay,
+- dtim_interval);
++ "ROC: Requesting to remain on channel %u for %ums\n",
++ channel->hw_value, req_dur);
++ IWL_DEBUG_TE(mvm,
++ "\t(requested = %ums, max_delay = %ums, dtim_interval = %ums)\n",
++ duration, delay, dtim_interval);
++
+ /* Set the node address */
+ memcpy(tail->node_addr, vif->addr, ETH_ALEN);
+
+--
+2.25.1
+
--- /dev/null
+From 72f08330f4d8f1a9688003ec012a01c62525a304 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Sep 2020 15:17:08 +0100
+Subject: kdb: Fix pager search for multi-line strings
+
+From: Daniel Thompson <daniel.thompson@linaro.org>
+
+[ Upstream commit d081a6e353168f15e63eb9e9334757f20343319f ]
+
+Currently using forward search doesn't handle multi-line strings correctly.
+The search routine replaces line breaks with \0 during the search and, for
+regular searches ("help | grep Common\n"), there is code after the line
+has been discarded or printed to replace the break character.
+
+However during a pager search ("help\n" followed by "/Common\n") when the
+string is matched we will immediately return to normal output and the code
+that should restore the \n becomes unreachable. Fix this by restoring the
+replaced character when we disable the search mode and update the comment
+accordingly.
+
+Fixes: fb6daa7520f9d ("kdb: Provide forward search at more prompt")
+Link: https://lore.kernel.org/r/20200909141708.338273-1-daniel.thompson@linaro.org
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/debug/kdb/kdb_io.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c
+index 3a5184eb6977d..46821793637a1 100644
+--- a/kernel/debug/kdb/kdb_io.c
++++ b/kernel/debug/kdb/kdb_io.c
+@@ -679,12 +679,16 @@ int vkdb_printf(enum kdb_msgsrc src, const char *fmt, va_list ap)
+ size_avail = sizeof(kdb_buffer) - len;
+ goto kdb_print_out;
+ }
+- if (kdb_grepping_flag >= KDB_GREPPING_FLAG_SEARCH)
++ if (kdb_grepping_flag >= KDB_GREPPING_FLAG_SEARCH) {
+ /*
+ * This was a interactive search (using '/' at more
+- * prompt) and it has completed. Clear the flag.
++ * prompt) and it has completed. Replace the \0 with
++ * its original value to ensure multi-line strings
++ * are handled properly, and return to normal mode.
+ */
++ *cphold = replaced_byte;
+ kdb_grepping_flag = 0;
++ }
+ /*
+ * at this point the string is a full line and
+ * should be printed, up to the null.
+--
+2.25.1
+
--- /dev/null
+From 555193dd01a8c4fe509e7572f1921a124fadc24d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Aug 2020 10:23:42 +0800
+Subject: KVM: x86: emulating RDPID failure shall return #UD rather than #GP
+
+From: Robert Hoo <robert.hu@linux.intel.com>
+
+[ Upstream commit a9e2e0ae686094571378c72d8146b5a1a92d0652 ]
+
+Per Intel's SDM, RDPID takes a #UD if it is unsupported, which is more or
+less what KVM is emulating when MSR_TSC_AUX is not available. In fact,
+there are no scenarios in which RDPID is supposed to #GP.
+
+Fixes: fb6d4d340e ("KVM: x86: emulate RDPID")
+Signed-off-by: Robert Hoo <robert.hu@linux.intel.com>
+Message-Id: <1598581422-76264-1-git-send-email-robert.hu@linux.intel.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/emulate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
+index cc7823e7ef96c..484c32b7f79ff 100644
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -3617,7 +3617,7 @@ static int em_rdpid(struct x86_emulate_ctxt *ctxt)
+ u64 tsc_aux = 0;
+
+ if (ctxt->ops->get_msr(ctxt, MSR_TSC_AUX, &tsc_aux))
+- return emulate_gp(ctxt, 0);
++ return emulate_ud(ctxt);
+ ctxt->dst.val = tsc_aux;
+ return X86EMUL_CONTINUE;
+ }
+--
+2.25.1
+
--- /dev/null
+From 456b0ea832dd2664f5c3208d915d84d91ace62b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Oct 2020 20:11:38 -0700
+Subject: lib/crc32.c: fix trivial typo in preprocessor condition
+
+From: Tobias Jordan <kernel@cdqe.de>
+
+[ Upstream commit 904542dc56524f921a6bab0639ff6249c01e775f ]
+
+Whether crc32_be needs a lookup table is chosen based on CRC_LE_BITS.
+Obviously, the _be function should be governed by the _BE_ define.
+
+This probably never pops up as it's hard to come up with a configuration
+where CRC_BE_BITS isn't the same as CRC_LE_BITS and as nobody is using
+bitwise CRC anyway.
+
+Fixes: 46c5801eaf86 ("crc32: bolt on crc32c")
+Signed-off-by: Tobias Jordan <kernel@cdqe.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Krzysztof Kozlowski <krzk@kernel.org>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Link: https://lkml.kernel.org/r/20200923182122.GA3338@agrajag.zerfleddert.de
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/crc32.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/crc32.c b/lib/crc32.c
+index 4a20455d1f61e..bf60ef26a45c2 100644
+--- a/lib/crc32.c
++++ b/lib/crc32.c
+@@ -331,7 +331,7 @@ static inline u32 __pure crc32_be_generic(u32 crc, unsigned char const *p,
+ return crc;
+ }
+
+-#if CRC_LE_BITS == 1
++#if CRC_BE_BITS == 1
+ u32 __pure crc32_be(u32 crc, unsigned char const *p, size_t len)
+ {
+ return crc32_be_generic(crc, p, len, NULL, CRC32_POLY_BE);
+--
+2.25.1
+
--- /dev/null
+From 9971df532ca745bf9959935b6d98d5c8a3d4ac74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Oct 2020 15:33:51 +0100
+Subject: lightnvm: fix out-of-bounds write to array devices->info[]
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit a48faebe65b0db55a73b9220c3d919eee849bb79 ]
+
+There is an off-by-one array check that can lead to a out-of-bounds
+write to devices->info[i]. Fix this by checking by using >= rather
+than > for the size check. Also replace hard-coded array size limit
+with ARRAY_SIZE on the array.
+
+Addresses-Coverity: ("Out-of-bounds write")
+Fixes: cd9e9808d18f ("lightnvm: Support for Open-Channel SSDs")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/lightnvm/core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c
+index 7543e395a2c64..a2ebc75af8c79 100644
+--- a/drivers/lightnvm/core.c
++++ b/drivers/lightnvm/core.c
+@@ -1316,8 +1316,9 @@ static long nvm_ioctl_get_devices(struct file *file, void __user *arg)
+ strlcpy(info->bmname, "gennvm", sizeof(info->bmname));
+ i++;
+
+- if (i > 31) {
+- pr_err("max 31 devices can be reported.\n");
++ if (i >= ARRAY_SIZE(devices->info)) {
++ pr_err("max %zd devices can be reported.\n",
++ ARRAY_SIZE(devices->info));
+ break;
+ }
+ }
+--
+2.25.1
+
--- /dev/null
+From 8e3f102729945f4125b1a80569a92db5d90c7f37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Oct 2020 09:45:21 -0700
+Subject: mac80211: handle lack of sband->bitrates in rates
+
+From: Thomas Pedersen <thomas@adapt-ip.com>
+
+[ Upstream commit 8b783d104e7f40684333d2ec155fac39219beb2f ]
+
+Even though a driver or mac80211 shouldn't produce a
+legacy bitrate if sband->bitrates doesn't exist, don't
+crash if that is the case either.
+
+This fixes a kernel panic if station dump is run before
+last_rate can be updated with a data frame when
+sband->bitrates is missing (eg. in S1G bands).
+
+Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
+Link: https://lore.kernel.org/r/20201005164522.18069-1-thomas@adapt-ip.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 3 ++-
+ net/mac80211/sta_info.c | 4 ++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index a9dda5c228f60..fa293feef935d 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -698,7 +698,8 @@ void sta_set_rate_info_tx(struct sta_info *sta,
+ u16 brate;
+
+ sband = ieee80211_get_sband(sta->sdata);
+- if (sband) {
++ WARN_ON_ONCE(sband && !sband->bitrates);
++ if (sband && sband->bitrates) {
+ brate = sband->bitrates[rate->idx].bitrate;
+ rinfo->legacy = DIV_ROUND_UP(brate, 1 << shift);
+ }
+diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
+index f5d96107af6de..4f14d8a06915a 100644
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -2083,6 +2083,10 @@ static void sta_stats_decode_rate(struct ieee80211_local *local, u32 rate,
+ int rate_idx = STA_STATS_GET(LEGACY_IDX, rate);
+
+ sband = local->hw.wiphy->bands[band];
++
++ if (WARN_ON_ONCE(!sband->bitrates))
++ break;
++
+ brate = sband->bitrates[rate_idx].bitrate;
+ if (rinfo->bw == RATE_INFO_BW_5)
+ shift = 2;
+--
+2.25.1
+
--- /dev/null
+From 0cf0833f7e939478df8c22b02afc4f42e111da77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Aug 2020 09:31:28 +0200
+Subject: maiblox: mediatek: Fix handling of platform_get_irq() error
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 558e4c36ec9f2722af4fe8ef84dc812bcdb5c43a ]
+
+platform_get_irq() returns -ERRNO on error. In such case casting to u32
+and comparing to 0 would pass the check.
+
+Fixes: 623a6143a845 ("mailbox: mediatek: Add Mediatek CMDQ driver")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/mtk-cmdq-mailbox.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/mailbox/mtk-cmdq-mailbox.c b/drivers/mailbox/mtk-cmdq-mailbox.c
+index 9a6ce9f5a7db5..3c8b365ce635a 100644
+--- a/drivers/mailbox/mtk-cmdq-mailbox.c
++++ b/drivers/mailbox/mtk-cmdq-mailbox.c
+@@ -70,7 +70,7 @@ struct cmdq_task {
+ struct cmdq {
+ struct mbox_controller mbox;
+ void __iomem *base;
+- u32 irq;
++ int irq;
+ u32 thread_nr;
+ u32 irq_mask;
+ struct cmdq_thread *thread;
+@@ -474,10 +474,8 @@ static int cmdq_probe(struct platform_device *pdev)
+ }
+
+ cmdq->irq = platform_get_irq(pdev, 0);
+- if (!cmdq->irq) {
+- dev_err(dev, "failed to get irq\n");
+- return -EINVAL;
+- }
++ if (cmdq->irq < 0)
++ return cmdq->irq;
+
+ cmdq->thread_nr = (u32)(unsigned long)of_device_get_match_data(dev);
+ cmdq->irq_mask = GENMASK(cmdq->thread_nr - 1, 0);
+--
+2.25.1
+
--- /dev/null
+From 0233ffbbdfb590a862f8e702433a9da6f669cf1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Oct 2020 12:20:56 -0500
+Subject: mailbox: avoid timer start from callback
+
+From: Jassi Brar <jaswinder.singh@linaro.org>
+
+[ Upstream commit c7dacf5b0f32957b24ef29df1207dc2cd8307743 ]
+
+If the txdone is done by polling, it is possible for msg_submit() to start
+the timer while txdone_hrtimer() callback is running. If the timer needs
+recheduling, it could already be enqueued by the time hrtimer_forward_now()
+is called, leading hrtimer to loudly complain.
+
+WARNING: CPU: 3 PID: 74 at kernel/time/hrtimer.c:932 hrtimer_forward+0xc4/0x110
+CPU: 3 PID: 74 Comm: kworker/u8:1 Not tainted 5.9.0-rc2-00236-gd3520067d01c-dirty #5
+Hardware name: Libre Computer AML-S805X-AC (DT)
+Workqueue: events_freezable_power_ thermal_zone_device_check
+pstate: 20000085 (nzCv daIf -PAN -UAO BTYPE=--)
+pc : hrtimer_forward+0xc4/0x110
+lr : txdone_hrtimer+0xf8/0x118
+[...]
+
+This can be fixed by not starting the timer from the callback path. Which
+requires the timer reloading as long as any message is queued on the
+channel, and not just when current tx is not done yet.
+
+Fixes: 0cc67945ea59 ("mailbox: switch to hrtimer for tx_complete polling")
+Reported-by: Da Xue <da@libre.computer>
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Tested-by: Sudeep Holla <sudeep.holla@arm.com>
+Acked-by: Jerome Brunet <jbrunet@baylibre.com>
+Tested-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/mailbox.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c
+index 0b821a5b2db84..3e7d4b20ab34f 100644
+--- a/drivers/mailbox/mailbox.c
++++ b/drivers/mailbox/mailbox.c
+@@ -82,9 +82,12 @@ static void msg_submit(struct mbox_chan *chan)
+ exit:
+ spin_unlock_irqrestore(&chan->lock, flags);
+
+- if (!err && (chan->txdone_method & TXDONE_BY_POLL))
+- /* kick start the timer immediately to avoid delays */
+- hrtimer_start(&chan->mbox->poll_hrt, 0, HRTIMER_MODE_REL);
++ /* kick start the timer immediately to avoid delays */
++ if (!err && (chan->txdone_method & TXDONE_BY_POLL)) {
++ /* but only if not already active */
++ if (!hrtimer_active(&chan->mbox->poll_hrt))
++ hrtimer_start(&chan->mbox->poll_hrt, 0, HRTIMER_MODE_REL);
++ }
+ }
+
+ static void tx_tick(struct mbox_chan *chan, int r)
+@@ -122,11 +125,10 @@ static enum hrtimer_restart txdone_hrtimer(struct hrtimer *hrtimer)
+ struct mbox_chan *chan = &mbox->chans[i];
+
+ if (chan->active_req && chan->cl) {
++ resched = true;
+ txdone = chan->mbox->ops->last_tx_done(chan);
+ if (txdone)
+ tx_tick(chan, 0);
+- else
+- resched = true;
+ }
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 4089ead4b8e96f6b58bfec14fbf4308ad5cc0846 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Sep 2020 13:40:13 +0800
+Subject: md/bitmap: fix memory leak of temporary bitmap
+
+From: Zhao Heming <heming.zhao@suse.com>
+
+[ Upstream commit 1383b347a8ae4a69c04ae3746e6cb5c8d38e2585 ]
+
+Callers of get_bitmap_from_slot() are responsible to free the bitmap.
+
+Suggested-by: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
+Signed-off-by: Zhao Heming <heming.zhao@suse.com>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md-bitmap.c | 3 ++-
+ drivers/md/md-cluster.c | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
+index 3ad18246fcb3c..7227d03dbbea7 100644
+--- a/drivers/md/md-bitmap.c
++++ b/drivers/md/md-bitmap.c
+@@ -1954,6 +1954,7 @@ int md_bitmap_load(struct mddev *mddev)
+ }
+ EXPORT_SYMBOL_GPL(md_bitmap_load);
+
++/* caller need to free returned bitmap with md_bitmap_free() */
+ struct bitmap *get_bitmap_from_slot(struct mddev *mddev, int slot)
+ {
+ int rv = 0;
+@@ -2017,6 +2018,7 @@ int md_bitmap_copy_from_slot(struct mddev *mddev, int slot,
+ md_bitmap_unplug(mddev->bitmap);
+ *low = lo;
+ *high = hi;
++ md_bitmap_free(bitmap);
+
+ return rv;
+ }
+@@ -2620,4 +2622,3 @@ struct attribute_group md_bitmap_group = {
+ .name = "bitmap",
+ .attrs = md_bitmap_attrs,
+ };
+-
+diff --git a/drivers/md/md-cluster.c b/drivers/md/md-cluster.c
+index d50737ec40394..afbbc552c3275 100644
+--- a/drivers/md/md-cluster.c
++++ b/drivers/md/md-cluster.c
+@@ -1166,6 +1166,7 @@ static int resize_bitmaps(struct mddev *mddev, sector_t newsize, sector_t oldsiz
+ * can't resize bitmap
+ */
+ goto out;
++ md_bitmap_free(bitmap);
+ }
+
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From 29125bd28760d4b437b4c7413345de5ebc408b68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Sep 2020 15:50:51 +0200
+Subject: media: ati_remote: sanity check for both endpoints
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit a8be80053ea74bd9c3f9a3810e93b802236d6498 ]
+
+If you do sanity checks, you should do them for both endpoints.
+Hence introduce checking for endpoint type for the output
+endpoint, too.
+
+Reported-by: syzbot+998261c2ae5932458f6c@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/rc/ati_remote.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/rc/ati_remote.c b/drivers/media/rc/ati_remote.c
+index 9cdef17b4793f..c12dda73cdd53 100644
+--- a/drivers/media/rc/ati_remote.c
++++ b/drivers/media/rc/ati_remote.c
+@@ -835,6 +835,10 @@ static int ati_remote_probe(struct usb_interface *interface,
+ err("%s: endpoint_in message size==0? \n", __func__);
+ return -ENODEV;
+ }
++ if (!usb_endpoint_is_int_out(endpoint_out)) {
++ err("%s: Unexpected endpoint_out\n", __func__);
++ return -ENODEV;
++ }
+
+ ati_remote = kzalloc(sizeof (struct ati_remote), GFP_KERNEL);
+ rc_dev = rc_allocate_device(RC_DRIVER_SCANCODE);
+--
+2.25.1
+
--- /dev/null
+From 14916e37e67bc8bab3a338213bfc1b5fbebf0ded Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 12:00:21 +0200
+Subject: media: bdisp: Fix runtime PM imbalance on error
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit dbd2f2dc025f9be8ae063e4f270099677238f620 ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code. Thus a pairing decrement is needed on
+the error handling path to keep the counter balanced.
+
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Fabien Dessenne <fabien.dessenne@st.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/sti/bdisp/bdisp-v4l2.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
+index 675b5f2b4c2ee..a55ddf8d185d5 100644
+--- a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
++++ b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
+@@ -1367,7 +1367,7 @@ static int bdisp_probe(struct platform_device *pdev)
+ ret = pm_runtime_get_sync(dev);
+ if (ret < 0) {
+ dev_err(dev, "failed to set PM\n");
+- goto err_dbg;
++ goto err_pm;
+ }
+
+ /* Filters */
+@@ -1395,7 +1395,6 @@ static int bdisp_probe(struct platform_device *pdev)
+ bdisp_hw_free_filters(bdisp->dev);
+ err_pm:
+ pm_runtime_put(dev);
+-err_dbg:
+ bdisp_debugfs_remove(bdisp);
+ err_v4l2:
+ v4l2_device_unregister(&bdisp->v4l2_dev);
+--
+2.25.1
+
--- /dev/null
+From b75cae197a8261e415cf0ed660c36fbe82c1fb18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 01:27:12 +0200
+Subject: media: camss: Fix a reference count leak.
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit d0675b67b42eb4f1a840d1513b5b00f78312f833 ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code, causing incorrect ref count if
+PM runtime put is not called in error handling paths.
+Thus call pm_runtime_put_sync() if pm_runtime_get_sync() fails.
+
+Fixes: 02afa816dbbf ("media: camss: Add basic runtime PM support")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/camss/camss-csiphy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/qcom/camss/camss-csiphy.c b/drivers/media/platform/qcom/camss/camss-csiphy.c
+index 008afb85023be..3c5b9082ad723 100644
+--- a/drivers/media/platform/qcom/camss/camss-csiphy.c
++++ b/drivers/media/platform/qcom/camss/camss-csiphy.c
+@@ -176,8 +176,10 @@ static int csiphy_set_power(struct v4l2_subdev *sd, int on)
+ int ret;
+
+ ret = pm_runtime_get_sync(dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put_sync(dev);
+ return ret;
++ }
+
+ ret = csiphy_set_clock_rates(csiphy);
+ if (ret < 0) {
+--
+2.25.1
+
--- /dev/null
+From 2582c782c1f7e7a05febd64a961a317e144c22a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 05:10:58 +0200
+Subject: media: exynos4-is: Fix a reference count leak due to
+ pm_runtime_get_sync
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit c47f7c779ef0458a58583f00c9ed71b7f5a4d0a2 ]
+
+On calling pm_runtime_get_sync() the reference count of the device
+is incremented. In case of failure, decrement the
+reference count before returning the error.
+
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/exynos4-is/media-dev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c
+index 2f90607c3797d..a07d796f63df0 100644
+--- a/drivers/media/platform/exynos4-is/media-dev.c
++++ b/drivers/media/platform/exynos4-is/media-dev.c
+@@ -484,8 +484,10 @@ static int fimc_md_register_sensor_entities(struct fimc_md *fmd)
+ return -ENXIO;
+
+ ret = pm_runtime_get_sync(fmd->pmf);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put(fmd->pmf);
+ return ret;
++ }
+
+ fmd->num_sensors = 0;
+
+--
+2.25.1
+
--- /dev/null
+From f43e37a7ff103a548b0b2e147a32a254b8bb008d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 05:01:11 +0200
+Subject: media: exynos4-is: Fix a reference count leak
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit 64157b2cb1940449e7df2670e85781c690266588 ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code, causing incorrect ref count if
+pm_runtime_put_noidle() is not called in error handling paths.
+Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails.
+
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/exynos4-is/mipi-csis.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/exynos4-is/mipi-csis.c b/drivers/media/platform/exynos4-is/mipi-csis.c
+index 540151bbf58f2..1aac167abb175 100644
+--- a/drivers/media/platform/exynos4-is/mipi-csis.c
++++ b/drivers/media/platform/exynos4-is/mipi-csis.c
+@@ -510,8 +510,10 @@ static int s5pcsis_s_stream(struct v4l2_subdev *sd, int enable)
+ if (enable) {
+ s5pcsis_clear_counters(state);
+ ret = pm_runtime_get_sync(&state->pdev->dev);
+- if (ret && ret != 1)
++ if (ret && ret != 1) {
++ pm_runtime_put_noidle(&state->pdev->dev);
+ return ret;
++ }
+ }
+
+ mutex_lock(&state->lock);
+--
+2.25.1
+
--- /dev/null
+From ebf80575d5916878ef3e68aeaaead59f3743f9af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 05:18:29 +0200
+Subject: media: exynos4-is: Fix several reference count leaks due to
+ pm_runtime_get_sync
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit 7ef64ceea0008c17e94a8a2c60c5d6d46f481996 ]
+
+On calling pm_runtime_get_sync() the reference count of the device
+is incremented. In case of failure, decrement the
+reference count before returning the error.
+
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/exynos4-is/fimc-isp.c | 4 +++-
+ drivers/media/platform/exynos4-is/fimc-lite.c | 2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/exynos4-is/fimc-isp.c b/drivers/media/platform/exynos4-is/fimc-isp.c
+index cde0d254ec1c4..a77c49b185115 100644
+--- a/drivers/media/platform/exynos4-is/fimc-isp.c
++++ b/drivers/media/platform/exynos4-is/fimc-isp.c
+@@ -305,8 +305,10 @@ static int fimc_isp_subdev_s_power(struct v4l2_subdev *sd, int on)
+
+ if (on) {
+ ret = pm_runtime_get_sync(&is->pdev->dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put(&is->pdev->dev);
+ return ret;
++ }
+ set_bit(IS_ST_PWR_ON, &is->state);
+
+ ret = fimc_is_start_firmware(is);
+diff --git a/drivers/media/platform/exynos4-is/fimc-lite.c b/drivers/media/platform/exynos4-is/fimc-lite.c
+index e87c6a09205bd..efd06621951c7 100644
+--- a/drivers/media/platform/exynos4-is/fimc-lite.c
++++ b/drivers/media/platform/exynos4-is/fimc-lite.c
+@@ -470,7 +470,7 @@ static int fimc_lite_open(struct file *file)
+ set_bit(ST_FLITE_IN_USE, &fimc->state);
+ ret = pm_runtime_get_sync(&fimc->pdev->dev);
+ if (ret < 0)
+- goto unlock;
++ goto err_pm;
+
+ ret = v4l2_fh_open(file);
+ if (ret < 0)
+--
+2.25.1
+
--- /dev/null
+From 8790af765b569e6f05c0863ff4fe9287db8cc419 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Sep 2020 11:01:37 +0200
+Subject: media: firewire: fix memory leak
+
+From: Pavel Machek <pavel@ucw.cz>
+
+[ Upstream commit b28e32798c78a346788d412f1958f36bb760ec03 ]
+
+Fix memory leak in node_probe.
+
+Signed-off-by: Pavel Machek (CIP) <pavel@denx.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/firewire/firedtv-fw.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/firewire/firedtv-fw.c b/drivers/media/firewire/firedtv-fw.c
+index 3f1ca40b9b987..8a8585261bb80 100644
+--- a/drivers/media/firewire/firedtv-fw.c
++++ b/drivers/media/firewire/firedtv-fw.c
+@@ -272,8 +272,10 @@ static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id)
+
+ name_len = fw_csr_string(unit->directory, CSR_MODEL,
+ name, sizeof(name));
+- if (name_len < 0)
+- return name_len;
++ if (name_len < 0) {
++ err = name_len;
++ goto fail_free;
++ }
+ for (i = ARRAY_SIZE(model_names); --i; )
+ if (strlen(model_names[i]) <= name_len &&
+ strncmp(name, model_names[i], name_len) == 0)
+--
+2.25.1
+
--- /dev/null
+From 35ef78a0d38492595d1a84e362a1018cd524f727 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 22:18:32 +0200
+Subject: media: i2c: ov5640: Enable data pins on poweron for DVP mode
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit 576f5d4ba8f672953513280510abf9a736b015cc ]
+
+During testing this sensor on iW-RainboW-G21D-Qseven platform in 8-bit DVP
+mode with rcar-vin bridge noticed the capture worked fine for the first run
+(with yavta), but for subsequent runs the bridge driver waited for the
+frame to be captured. Debugging further noticed the data lines were
+enabled/disabled in stream on/off callback and dumping the register
+contents 0x3017/0x3018 in ov5640_set_stream_dvp() reported the correct
+values, but yet frame capturing failed.
+
+To get around this issue data lines are enabled in s_power callback.
+(Also the sensor remains in power down mode if not streaming so power
+consumption shouldn't be affected)
+
+Fixes: f22996db44e2d ("media: ov5640: add support of DVP parallel interface")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Biju Das <biju.das.jz@bp.renesas.com>
+Tested-by: Jacopo Mondi <jacopo@jmondi.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov5640.c | 73 +++++++++++++++++++++-----------------
+ 1 file changed, 40 insertions(+), 33 deletions(-)
+
+diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c
+index 3c6ad2dd9c0e1..be6c882dd1d54 100644
+--- a/drivers/media/i2c/ov5640.c
++++ b/drivers/media/i2c/ov5640.c
+@@ -274,8 +274,7 @@ static inline struct v4l2_subdev *ctrl_to_sd(struct v4l2_ctrl *ctrl)
+ /* YUV422 UYVY VGA@30fps */
+ static const struct reg_value ov5640_init_setting_30fps_VGA[] = {
+ {0x3103, 0x11, 0, 0}, {0x3008, 0x82, 0, 5}, {0x3008, 0x42, 0, 0},
+- {0x3103, 0x03, 0, 0}, {0x3017, 0x00, 0, 0}, {0x3018, 0x00, 0, 0},
+- {0x3630, 0x36, 0, 0},
++ {0x3103, 0x03, 0, 0}, {0x3630, 0x36, 0, 0},
+ {0x3631, 0x0e, 0, 0}, {0x3632, 0xe2, 0, 0}, {0x3633, 0x12, 0, 0},
+ {0x3621, 0xe0, 0, 0}, {0x3704, 0xa0, 0, 0}, {0x3703, 0x5a, 0, 0},
+ {0x3715, 0x78, 0, 0}, {0x3717, 0x01, 0, 0}, {0x370b, 0x60, 0, 0},
+@@ -1272,33 +1271,6 @@ static int ov5640_set_stream_dvp(struct ov5640_dev *sensor, bool on)
+ if (ret)
+ return ret;
+
+- /*
+- * enable VSYNC/HREF/PCLK DVP control lines
+- * & D[9:6] DVP data lines
+- *
+- * PAD OUTPUT ENABLE 01
+- * - 6: VSYNC output enable
+- * - 5: HREF output enable
+- * - 4: PCLK output enable
+- * - [3:0]: D[9:6] output enable
+- */
+- ret = ov5640_write_reg(sensor,
+- OV5640_REG_PAD_OUTPUT_ENABLE01,
+- on ? 0x7f : 0);
+- if (ret)
+- return ret;
+-
+- /*
+- * enable D[5:0] DVP data lines
+- *
+- * PAD OUTPUT ENABLE 02
+- * - [7:2]: D[5:0] output enable
+- */
+- ret = ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT_ENABLE02,
+- on ? 0xfc : 0);
+- if (ret)
+- return ret;
+-
+ return ov5640_write_reg(sensor, OV5640_REG_SYS_CTRL0, on ?
+ OV5640_REG_SYS_CTRL0_SW_PWUP :
+ OV5640_REG_SYS_CTRL0_SW_PWDN);
+@@ -2055,6 +2027,40 @@ static int ov5640_set_power_mipi(struct ov5640_dev *sensor, bool on)
+ return 0;
+ }
+
++static int ov5640_set_power_dvp(struct ov5640_dev *sensor, bool on)
++{
++ int ret;
++
++ if (!on) {
++ /* Reset settings to their default values. */
++ ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT_ENABLE01, 0x00);
++ ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT_ENABLE02, 0x00);
++ return 0;
++ }
++
++ /*
++ * enable VSYNC/HREF/PCLK DVP control lines
++ * & D[9:6] DVP data lines
++ *
++ * PAD OUTPUT ENABLE 01
++ * - 6: VSYNC output enable
++ * - 5: HREF output enable
++ * - 4: PCLK output enable
++ * - [3:0]: D[9:6] output enable
++ */
++ ret = ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT_ENABLE01, 0x7f);
++ if (ret)
++ return ret;
++
++ /*
++ * enable D[5:0] DVP data lines
++ *
++ * PAD OUTPUT ENABLE 02
++ * - [7:2]: D[5:0] output enable
++ */
++ return ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT_ENABLE02, 0xfc);
++}
++
+ static int ov5640_set_power(struct ov5640_dev *sensor, bool on)
+ {
+ int ret = 0;
+@@ -2069,11 +2075,12 @@ static int ov5640_set_power(struct ov5640_dev *sensor, bool on)
+ goto power_off;
+ }
+
+- if (sensor->ep.bus_type == V4L2_MBUS_CSI2_DPHY) {
++ if (sensor->ep.bus_type == V4L2_MBUS_CSI2_DPHY)
+ ret = ov5640_set_power_mipi(sensor, on);
+- if (ret)
+- goto power_off;
+- }
++ else
++ ret = ov5640_set_power_dvp(sensor, on);
++ if (ret)
++ goto power_off;
+
+ if (!on)
+ ov5640_set_power_off(sensor);
+--
+2.25.1
+
--- /dev/null
+From 35209651ee8b191a07c43fc748bdc9f6edfcf5c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 22:18:30 +0200
+Subject: media: i2c: ov5640: Remain in power down for DVP mode unless
+ streaming
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit 3b987d70e903962eb8c5961ba166c345a49d1a0b ]
+
+Keep the sensor in software power down mode and wake up only in
+ov5640_set_stream_dvp() callback.
+
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Biju Das <biju.das.jz@bp.renesas.com>
+Tested-by: Jacopo Mondi <jacopo@jmondi.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov5640.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c
+index b21ddbd514465..065f9706db7e5 100644
+--- a/drivers/media/i2c/ov5640.c
++++ b/drivers/media/i2c/ov5640.c
+@@ -34,6 +34,8 @@
+ #define OV5640_REG_SYS_RESET02 0x3002
+ #define OV5640_REG_SYS_CLOCK_ENABLE02 0x3006
+ #define OV5640_REG_SYS_CTRL0 0x3008
++#define OV5640_REG_SYS_CTRL0_SW_PWDN 0x42
++#define OV5640_REG_SYS_CTRL0_SW_PWUP 0x02
+ #define OV5640_REG_CHIP_ID 0x300a
+ #define OV5640_REG_IO_MIPI_CTRL00 0x300e
+ #define OV5640_REG_PAD_OUTPUT_ENABLE01 0x3017
+@@ -1109,6 +1111,12 @@ static int ov5640_load_regs(struct ov5640_dev *sensor,
+ val = regs->val;
+ mask = regs->mask;
+
++ /* remain in power down mode for DVP */
++ if (regs->reg_addr == OV5640_REG_SYS_CTRL0 &&
++ val == OV5640_REG_SYS_CTRL0_SW_PWUP &&
++ sensor->ep.bus_type != V4L2_MBUS_CSI2_DPHY)
++ continue;
++
+ if (mask)
+ ret = ov5640_mod_reg(sensor, reg_addr, mask, val);
+ else
+@@ -1286,9 +1294,14 @@ static int ov5640_set_stream_dvp(struct ov5640_dev *sensor, bool on)
+ * PAD OUTPUT ENABLE 02
+ * - [7:2]: D[5:0] output enable
+ */
+- return ov5640_write_reg(sensor,
+- OV5640_REG_PAD_OUTPUT_ENABLE02,
+- on ? 0xfc : 0);
++ ret = ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT_ENABLE02,
++ on ? 0xfc : 0);
++ if (ret)
++ return ret;
++
++ return ov5640_write_reg(sensor, OV5640_REG_SYS_CTRL0, on ?
++ OV5640_REG_SYS_CTRL0_SW_PWUP :
++ OV5640_REG_SYS_CTRL0_SW_PWDN);
+ }
+
+ static int ov5640_set_stream_mipi(struct ov5640_dev *sensor, bool on)
+--
+2.25.1
+
--- /dev/null
+From ba2f0a533aa167dafb723fb1278ea972a9da748e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 22:18:31 +0200
+Subject: media: i2c: ov5640: Separate out mipi configuration from s_power
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit b1751ae652fb95919c08df5bdd739ccf9886158a ]
+
+In preparation for adding DVP configuration in s_power callback
+move mipi configuration into separate function
+
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Biju Das <biju.das.jz@bp.renesas.com>
+Tested-by: Jacopo Mondi <jacopo@jmondi.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov5640.c | 116 +++++++++++++++++++------------------
+ 1 file changed, 60 insertions(+), 56 deletions(-)
+
+diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c
+index 065f9706db7e5..3c6ad2dd9c0e1 100644
+--- a/drivers/media/i2c/ov5640.c
++++ b/drivers/media/i2c/ov5640.c
+@@ -2000,6 +2000,61 @@ static void ov5640_set_power_off(struct ov5640_dev *sensor)
+ clk_disable_unprepare(sensor->xclk);
+ }
+
++static int ov5640_set_power_mipi(struct ov5640_dev *sensor, bool on)
++{
++ int ret;
++
++ if (!on) {
++ /* Reset MIPI bus settings to their default values. */
++ ov5640_write_reg(sensor, OV5640_REG_IO_MIPI_CTRL00, 0x58);
++ ov5640_write_reg(sensor, OV5640_REG_MIPI_CTRL00, 0x04);
++ ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT00, 0x00);
++ return 0;
++ }
++
++ /*
++ * Power up MIPI HS Tx and LS Rx; 2 data lanes mode
++ *
++ * 0x300e = 0x40
++ * [7:5] = 010 : 2 data lanes mode (see FIXME note in
++ * "ov5640_set_stream_mipi()")
++ * [4] = 0 : Power up MIPI HS Tx
++ * [3] = 0 : Power up MIPI LS Rx
++ * [2] = 0 : MIPI interface disabled
++ */
++ ret = ov5640_write_reg(sensor, OV5640_REG_IO_MIPI_CTRL00, 0x40);
++ if (ret)
++ return ret;
++
++ /*
++ * Gate clock and set LP11 in 'no packets mode' (idle)
++ *
++ * 0x4800 = 0x24
++ * [5] = 1 : Gate clock when 'no packets'
++ * [2] = 1 : MIPI bus in LP11 when 'no packets'
++ */
++ ret = ov5640_write_reg(sensor, OV5640_REG_MIPI_CTRL00, 0x24);
++ if (ret)
++ return ret;
++
++ /*
++ * Set data lanes and clock in LP11 when 'sleeping'
++ *
++ * 0x3019 = 0x70
++ * [6] = 1 : MIPI data lane 2 in LP11 when 'sleeping'
++ * [5] = 1 : MIPI data lane 1 in LP11 when 'sleeping'
++ * [4] = 1 : MIPI clock lane in LP11 when 'sleeping'
++ */
++ ret = ov5640_write_reg(sensor, OV5640_REG_PAD_OUTPUT00, 0x70);
++ if (ret)
++ return ret;
++
++ /* Give lanes some time to coax into LP11 state. */
++ usleep_range(500, 1000);
++
++ return 0;
++}
++
+ static int ov5640_set_power(struct ov5640_dev *sensor, bool on)
+ {
+ int ret = 0;
+@@ -2012,67 +2067,16 @@ static int ov5640_set_power(struct ov5640_dev *sensor, bool on)
+ ret = ov5640_restore_mode(sensor);
+ if (ret)
+ goto power_off;
++ }
+
+- /* We're done here for DVP bus, while CSI-2 needs setup. */
+- if (sensor->ep.bus_type != V4L2_MBUS_CSI2_DPHY)
+- return 0;
+-
+- /*
+- * Power up MIPI HS Tx and LS Rx; 2 data lanes mode
+- *
+- * 0x300e = 0x40
+- * [7:5] = 010 : 2 data lanes mode (see FIXME note in
+- * "ov5640_set_stream_mipi()")
+- * [4] = 0 : Power up MIPI HS Tx
+- * [3] = 0 : Power up MIPI LS Rx
+- * [2] = 0 : MIPI interface disabled
+- */
+- ret = ov5640_write_reg(sensor,
+- OV5640_REG_IO_MIPI_CTRL00, 0x40);
+- if (ret)
+- goto power_off;
+-
+- /*
+- * Gate clock and set LP11 in 'no packets mode' (idle)
+- *
+- * 0x4800 = 0x24
+- * [5] = 1 : Gate clock when 'no packets'
+- * [2] = 1 : MIPI bus in LP11 when 'no packets'
+- */
+- ret = ov5640_write_reg(sensor,
+- OV5640_REG_MIPI_CTRL00, 0x24);
+- if (ret)
+- goto power_off;
+-
+- /*
+- * Set data lanes and clock in LP11 when 'sleeping'
+- *
+- * 0x3019 = 0x70
+- * [6] = 1 : MIPI data lane 2 in LP11 when 'sleeping'
+- * [5] = 1 : MIPI data lane 1 in LP11 when 'sleeping'
+- * [4] = 1 : MIPI clock lane in LP11 when 'sleeping'
+- */
+- ret = ov5640_write_reg(sensor,
+- OV5640_REG_PAD_OUTPUT00, 0x70);
++ if (sensor->ep.bus_type == V4L2_MBUS_CSI2_DPHY) {
++ ret = ov5640_set_power_mipi(sensor, on);
+ if (ret)
+ goto power_off;
++ }
+
+- /* Give lanes some time to coax into LP11 state. */
+- usleep_range(500, 1000);
+-
+- } else {
+- if (sensor->ep.bus_type == V4L2_MBUS_CSI2_DPHY) {
+- /* Reset MIPI bus settings to their default values. */
+- ov5640_write_reg(sensor,
+- OV5640_REG_IO_MIPI_CTRL00, 0x58);
+- ov5640_write_reg(sensor,
+- OV5640_REG_MIPI_CTRL00, 0x04);
+- ov5640_write_reg(sensor,
+- OV5640_REG_PAD_OUTPUT00, 0x00);
+- }
+-
++ if (!on)
+ ov5640_set_power_off(sensor);
+- }
+
+ return 0;
+
+--
+2.25.1
+
--- /dev/null
+From 3e9752346476389e7f74b5bad7ca792eece25859 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Jul 2020 17:34:47 +0200
+Subject: media: m5mols: Check function pointer in m5mols_sensor_power
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 52438c4463ac904d14bf3496765e67750766f3a6 ]
+
+clang static analysis reports this error
+
+m5mols_core.c:767:4: warning: Called function pointer
+ is null (null dereference) [core.CallAndMessage]
+ info->set_power(&client->dev, 0);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In other places, the set_power ptr is checked.
+So add a check.
+
+Fixes: bc125106f8af ("[media] Add support for M-5MOLS 8 Mega Pixel camera ISP")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/m5mols/m5mols_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/m5mols/m5mols_core.c b/drivers/media/i2c/m5mols/m5mols_core.c
+index de295114ca482..21666d705e372 100644
+--- a/drivers/media/i2c/m5mols/m5mols_core.c
++++ b/drivers/media/i2c/m5mols/m5mols_core.c
+@@ -764,7 +764,8 @@ static int m5mols_sensor_power(struct m5mols_info *info, bool enable)
+
+ ret = regulator_bulk_enable(ARRAY_SIZE(supplies), supplies);
+ if (ret) {
+- info->set_power(&client->dev, 0);
++ if (info->set_power)
++ info->set_power(&client->dev, 0);
+ return ret;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From e61dd6caa7ef53b6cdc5af139b64108abcc1603c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Apr 2020 11:52:30 +0200
+Subject: media: media/pci: prevent memory leak in bttv_probe
+
+From: Xiaolong Huang <butterflyhuangxx@gmail.com>
+
+[ Upstream commit 7b817585b730665126b45df5508dd69526448bc8 ]
+
+In bttv_probe if some functions such as pci_enable_device,
+pci_set_dma_mask and request_mem_region fails the allocated
+ memory for btv should be released.
+
+Signed-off-by: Xiaolong Huang <butterflyhuangxx@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/bt8xx/bttv-driver.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c
+index a359da7773a90..ff2962cea6164 100644
+--- a/drivers/media/pci/bt8xx/bttv-driver.c
++++ b/drivers/media/pci/bt8xx/bttv-driver.c
+@@ -4013,11 +4013,13 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id)
+ btv->id = dev->device;
+ if (pci_enable_device(dev)) {
+ pr_warn("%d: Can't enable device\n", btv->c.nr);
+- return -EIO;
++ result = -EIO;
++ goto free_mem;
+ }
+ if (pci_set_dma_mask(dev, DMA_BIT_MASK(32))) {
+ pr_warn("%d: No suitable DMA available\n", btv->c.nr);
+- return -EIO;
++ result = -EIO;
++ goto free_mem;
+ }
+ if (!request_mem_region(pci_resource_start(dev,0),
+ pci_resource_len(dev,0),
+@@ -4025,7 +4027,8 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id)
+ pr_warn("%d: can't request iomem (0x%llx)\n",
+ btv->c.nr,
+ (unsigned long long)pci_resource_start(dev, 0));
+- return -EBUSY;
++ result = -EBUSY;
++ goto free_mem;
+ }
+ pci_set_master(dev);
+ pci_set_command(dev);
+@@ -4211,6 +4214,10 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id)
+ release_mem_region(pci_resource_start(btv->c.pci,0),
+ pci_resource_len(btv->c.pci,0));
+ pci_disable_device(btv->c.pci);
++
++free_mem:
++ bttvs[btv->c.nr] = NULL;
++ kfree(btv);
+ return result;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 87dcb617f177b5aea251208600083426501ef37d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Aug 2020 11:26:04 +0200
+Subject: media: mx2_emmaprp: Fix memleak in emmaprp_probe
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 21d387b8d372f859d9e87fdcc7c3b4a432737f4d ]
+
+When platform_get_irq() fails, we should release
+vfd and unregister pcdev->v4l2_dev just like the
+subsequent error paths.
+
+Fixes: d4e192cc44914 ("media: mx2_emmaprp: Check for platform_get_irq() error")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/mx2_emmaprp.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/mx2_emmaprp.c b/drivers/media/platform/mx2_emmaprp.c
+index 27779b75df543..ac112cf06ab31 100644
+--- a/drivers/media/platform/mx2_emmaprp.c
++++ b/drivers/media/platform/mx2_emmaprp.c
+@@ -852,8 +852,11 @@ static int emmaprp_probe(struct platform_device *pdev)
+ platform_set_drvdata(pdev, pcdev);
+
+ irq = platform_get_irq(pdev, 0);
+- if (irq < 0)
+- return irq;
++ if (irq < 0) {
++ ret = irq;
++ goto rel_vdev;
++ }
++
+ ret = devm_request_irq(&pdev->dev, irq, emmaprp_irq, 0,
+ dev_name(&pdev->dev), pcdev);
+ if (ret)
+--
+2.25.1
+
--- /dev/null
+From 4debf249981920e77f207074aa09ea01bc221ee1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Aug 2020 08:53:52 +0200
+Subject: media: omap3isp: Fix memleak in isp_probe
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit d8fc21c17099635e8ebd986d042be65a6c6b5bd0 ]
+
+When devm_ioremap_resource() fails, isp should be
+freed just like other error paths in isp_probe.
+
+Fixes: 8644cdf972dd6 ("[media] omap3isp: Replace many MMIO regions by two")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/omap3isp/isp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c
+index 327c5716922ac..dce6b3685e135 100644
+--- a/drivers/media/platform/omap3isp/isp.c
++++ b/drivers/media/platform/omap3isp/isp.c
+@@ -2330,8 +2330,10 @@ static int isp_probe(struct platform_device *pdev)
+ mem = platform_get_resource(pdev, IORESOURCE_MEM, i);
+ isp->mmio_base[map_idx] =
+ devm_ioremap_resource(isp->dev, mem);
+- if (IS_ERR(isp->mmio_base[map_idx]))
+- return PTR_ERR(isp->mmio_base[map_idx]);
++ if (IS_ERR(isp->mmio_base[map_idx])) {
++ ret = PTR_ERR(isp->mmio_base[map_idx]);
++ goto error;
++ }
+ }
+
+ ret = isp_get_clocks(isp);
+--
+2.25.1
+
--- /dev/null
+From 273a22aea3d2e08cfc459f5b8d5d7a65f521f417 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Aug 2020 11:06:58 +0200
+Subject: media: ov5640: Correct Bit Div register in clock tree diagram
+
+From: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+
+[ Upstream commit 4c85f628f6639e3e3e0a7788416154f28dfcae4f ]
+
+Although the code is correct and doing the right thing, the clock diagram
+showed the wrong register for the bit divider, which had me doubting the
+understanding of the tree. Fix this to avoid doubts in the future.
+
+Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Fixes: aa2882481cada ("media: ov5640: Adjust the clock based on the expected rate")
+Acked-by: Jacopo Mondi <jacopo@jmondi.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov5640.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/ov5640.c b/drivers/media/i2c/ov5640.c
+index 266e947572c1e..b21ddbd514465 100644
+--- a/drivers/media/i2c/ov5640.c
++++ b/drivers/media/i2c/ov5640.c
+@@ -740,7 +740,7 @@ static int ov5640_mod_reg(struct ov5640_dev *sensor, u16 reg,
+ * +->| PLL Root Div | - reg 0x3037, bit 4
+ * +-+------------+
+ * | +---------+
+- * +->| Bit Div | - reg 0x3035, bits 0-3
++ * +->| Bit Div | - reg 0x3034, bits 0-3
+ * +-+-------+
+ * | +-------------+
+ * +->| SCLK Div | - reg 0x3108, bits 0-1
+--
+2.25.1
+
--- /dev/null
+From b47754de148a1d0674fcbdcbfa1b68981d88c73d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 01:19:44 +0200
+Subject: media: platform: fcp: Fix a reference count leak.
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit 63e36a381d92a9cded97e90d481ee22566557dd1 ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code, causing incorrect ref count if
+pm_runtime_put_noidle() is not called in error handling paths.
+Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails.
+
+Fixes: 6eaafbdb668b ("[media] v4l: rcar-fcp: Keep the coding style consistent")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/rcar-fcp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/rcar-fcp.c b/drivers/media/platform/rcar-fcp.c
+index 5c6b00737fe75..05c712e00a2a7 100644
+--- a/drivers/media/platform/rcar-fcp.c
++++ b/drivers/media/platform/rcar-fcp.c
+@@ -103,8 +103,10 @@ int rcar_fcp_enable(struct rcar_fcp_device *fcp)
+ return 0;
+
+ ret = pm_runtime_get_sync(fcp->dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put_noidle(fcp->dev);
+ return ret;
++ }
+
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From 4d3826029a9a06de7a203d11db30a22309791bd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 15:29:33 +0200
+Subject: media: platform: s3c-camif: Fix runtime PM imbalance on error
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit dafa3605fe60d5a61239d670919b2a36e712481e ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code. Thus a pairing decrement is needed on
+the error handling path to keep the counter balanced.
+
+Also, call pm_runtime_disable() when pm_runtime_get_sync() returns
+an error code.
+
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Sylwester Nawrocki <snawrocki@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s3c-camif/camif-core.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/s3c-camif/camif-core.c b/drivers/media/platform/s3c-camif/camif-core.c
+index c6fbcd7036d6d..ee624804862e2 100644
+--- a/drivers/media/platform/s3c-camif/camif-core.c
++++ b/drivers/media/platform/s3c-camif/camif-core.c
+@@ -464,7 +464,7 @@ static int s3c_camif_probe(struct platform_device *pdev)
+
+ ret = camif_media_dev_init(camif);
+ if (ret < 0)
+- goto err_alloc;
++ goto err_pm;
+
+ ret = camif_register_sensor(camif);
+ if (ret < 0)
+@@ -498,10 +498,9 @@ static int s3c_camif_probe(struct platform_device *pdev)
+ media_device_unregister(&camif->media_dev);
+ media_device_cleanup(&camif->media_dev);
+ camif_unregister_media_entities(camif);
+-err_alloc:
++err_pm:
+ pm_runtime_put(dev);
+ pm_runtime_disable(dev);
+-err_pm:
+ camif_clk_put(camif);
+ err_clk:
+ s3c_camif_unregister_subdev(camif);
+--
+2.25.1
+
--- /dev/null
+From d30d6b96b2eb8fc25dd22fefd1623cade4496561 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2020 12:05:02 +0200
+Subject: media: platform: sti: hva: Fix runtime PM imbalance on error
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit d912a1d9e9afe69c6066c1ceb6bfc09063074075 ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code. Thus a pairing decrement is needed on
+the error handling path to keep the counter balanced.
+
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/sti/hva/hva-hw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/sti/hva/hva-hw.c b/drivers/media/platform/sti/hva/hva-hw.c
+index bb13348be0832..43f279e2a6a38 100644
+--- a/drivers/media/platform/sti/hva/hva-hw.c
++++ b/drivers/media/platform/sti/hva/hva-hw.c
+@@ -389,7 +389,7 @@ int hva_hw_probe(struct platform_device *pdev, struct hva_dev *hva)
+ ret = pm_runtime_get_sync(dev);
+ if (ret < 0) {
+ dev_err(dev, "%s failed to set PM\n", HVA_PREFIX);
+- goto err_clk;
++ goto err_pm;
+ }
+
+ /* check IP hardware version */
+--
+2.25.1
+
--- /dev/null
+From d557f84535be9249d8d78d46d9db41d1c0d541e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 22:59:38 +0200
+Subject: media: rcar-csi2: Allocate v4l2_async_subdev dynamically
+
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+
+[ Upstream commit 2cac7cbfb4099980e78244359ab9c6f056d6a7ec ]
+
+v4l2_async_notifier_add_subdev() requires the asd to be allocated
+dynamically, but the rcar-csi2 driver embeds it in the rcar_csi2
+structure. This causes memory corruption when the notifier is destroyed
+at remove time with v4l2_async_notifier_cleanup().
+
+Fix this issue by registering the asd with
+v4l2_async_notifier_add_fwnode_subdev(), which allocates it dynamically
+internally.
+
+Fixes: 769afd212b16 ("media: rcar-csi2: add Renesas R-Car MIPI CSI-2 receiver driver")
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/rcar-vin/rcar-csi2.c | 24 +++++++++------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/media/platform/rcar-vin/rcar-csi2.c b/drivers/media/platform/rcar-vin/rcar-csi2.c
+index c14af1b929dff..d27eccfa57cae 100644
+--- a/drivers/media/platform/rcar-vin/rcar-csi2.c
++++ b/drivers/media/platform/rcar-vin/rcar-csi2.c
+@@ -361,7 +361,6 @@ struct rcar_csi2 {
+ struct media_pad pads[NR_OF_RCAR_CSI2_PAD];
+
+ struct v4l2_async_notifier notifier;
+- struct v4l2_async_subdev asd;
+ struct v4l2_subdev *remote;
+
+ struct v4l2_mbus_framefmt mf;
+@@ -810,6 +809,8 @@ static int rcsi2_parse_v4l2(struct rcar_csi2 *priv,
+
+ static int rcsi2_parse_dt(struct rcar_csi2 *priv)
+ {
++ struct v4l2_async_subdev *asd;
++ struct fwnode_handle *fwnode;
+ struct device_node *ep;
+ struct v4l2_fwnode_endpoint v4l2_ep = { .bus_type = 0 };
+ int ret;
+@@ -833,24 +834,19 @@ static int rcsi2_parse_dt(struct rcar_csi2 *priv)
+ return ret;
+ }
+
+- priv->asd.match.fwnode =
+- fwnode_graph_get_remote_endpoint(of_fwnode_handle(ep));
+- priv->asd.match_type = V4L2_ASYNC_MATCH_FWNODE;
+-
++ fwnode = fwnode_graph_get_remote_endpoint(of_fwnode_handle(ep));
+ of_node_put(ep);
+
+- v4l2_async_notifier_init(&priv->notifier);
+-
+- ret = v4l2_async_notifier_add_subdev(&priv->notifier, &priv->asd);
+- if (ret) {
+- fwnode_handle_put(priv->asd.match.fwnode);
+- return ret;
+- }
++ dev_dbg(priv->dev, "Found '%pOF'\n", to_of_node(fwnode));
+
++ v4l2_async_notifier_init(&priv->notifier);
+ priv->notifier.ops = &rcar_csi2_notify_ops;
+
+- dev_dbg(priv->dev, "Found '%pOF'\n",
+- to_of_node(priv->asd.match.fwnode));
++ asd = v4l2_async_notifier_add_fwnode_subdev(&priv->notifier, fwnode,
++ sizeof(*asd));
++ fwnode_handle_put(fwnode);
++ if (IS_ERR(asd))
++ return PTR_ERR(asd);
+
+ ret = v4l2_async_subdev_notifier_register(&priv->subdev,
+ &priv->notifier);
+--
+2.25.1
+
--- /dev/null
+From 5980a14bf724a2be4746ad415a33a91820cd1de4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 00:30:08 +0200
+Subject: media: rcar-vin: Fix a reference count leak.
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit aaffa0126a111d65f4028c503c76192d4cc93277 ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code. Thus call pm_runtime_put_noidle()
+if pm_runtime_get_sync() fails.
+
+Fixes: 90dedce9bc54 ("media: rcar-vin: add function to manipulate Gen3 chsel value")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/rcar-vin/rcar-dma.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/rcar-vin/rcar-dma.c b/drivers/media/platform/rcar-vin/rcar-dma.c
+index 3cb29b2e0b2b1..e5f6360801082 100644
+--- a/drivers/media/platform/rcar-vin/rcar-dma.c
++++ b/drivers/media/platform/rcar-vin/rcar-dma.c
+@@ -1334,8 +1334,10 @@ int rvin_set_channel_routing(struct rvin_dev *vin, u8 chsel)
+ int ret;
+
+ ret = pm_runtime_get_sync(vin->dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put_noidle(vin->dev);
+ return ret;
++ }
+
+ /* Make register writes take effect immediately. */
+ vnmc = rvin_read(vin, VNMC_REG);
+--
+2.25.1
+
--- /dev/null
+From d6f5cc2dff01d06f2efb0bf6a6345a21110fe6dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 22:59:37 +0200
+Subject: media: rcar_drif: Allocate v4l2_async_subdev dynamically
+
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+
+[ Upstream commit 468e986dac0e94194334ca6d0abf3af8c250792e ]
+
+v4l2_async_notifier_add_subdev() requires the asd to be allocated
+dynamically, but the rcar-drif driver embeds it in the
+rcar_drif_graph_ep structure. This causes memory corruption when the
+notifier is destroyed at remove time with v4l2_async_notifier_cleanup().
+
+Fix this issue by registering the asd with
+v4l2_async_notifier_add_fwnode_subdev(), which allocates it dynamically
+internally.
+
+Fixes: d079f94c9046 ("media: platform: Switch to v4l2_async_notifier_add_subdev")
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/rcar_drif.c | 18 ++++++------------
+ 1 file changed, 6 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/media/platform/rcar_drif.c b/drivers/media/platform/rcar_drif.c
+index 208ff260b0c10..af3c8d405509e 100644
+--- a/drivers/media/platform/rcar_drif.c
++++ b/drivers/media/platform/rcar_drif.c
+@@ -185,7 +185,6 @@ struct rcar_drif_frame_buf {
+ /* OF graph endpoint's V4L2 async data */
+ struct rcar_drif_graph_ep {
+ struct v4l2_subdev *subdev; /* Async matched subdev */
+- struct v4l2_async_subdev asd; /* Async sub-device descriptor */
+ };
+
+ /* DMA buffer */
+@@ -1105,12 +1104,6 @@ static int rcar_drif_notify_bound(struct v4l2_async_notifier *notifier,
+ struct rcar_drif_sdr *sdr =
+ container_of(notifier, struct rcar_drif_sdr, notifier);
+
+- if (sdr->ep.asd.match.fwnode !=
+- of_fwnode_handle(subdev->dev->of_node)) {
+- rdrif_err(sdr, "subdev %s cannot bind\n", subdev->name);
+- return -EINVAL;
+- }
+-
+ v4l2_set_subdev_hostdata(subdev, sdr);
+ sdr->ep.subdev = subdev;
+ rdrif_dbg(sdr, "bound asd %s\n", subdev->name);
+@@ -1214,7 +1207,7 @@ static int rcar_drif_parse_subdevs(struct rcar_drif_sdr *sdr)
+ {
+ struct v4l2_async_notifier *notifier = &sdr->notifier;
+ struct fwnode_handle *fwnode, *ep;
+- int ret;
++ struct v4l2_async_subdev *asd;
+
+ v4l2_async_notifier_init(notifier);
+
+@@ -1233,12 +1226,13 @@ static int rcar_drif_parse_subdevs(struct rcar_drif_sdr *sdr)
+ return -EINVAL;
+ }
+
+- sdr->ep.asd.match.fwnode = fwnode;
+- sdr->ep.asd.match_type = V4L2_ASYNC_MATCH_FWNODE;
+- ret = v4l2_async_notifier_add_subdev(notifier, &sdr->ep.asd);
++ asd = v4l2_async_notifier_add_fwnode_subdev(notifier, fwnode,
++ sizeof(*asd));
+ fwnode_handle_put(fwnode);
++ if (IS_ERR(asd))
++ return PTR_ERR(asd);
+
+- return ret;
++ return 0;
+ }
+
+ /* Check if the given device is the primary bond */
+--
+2.25.1
+
--- /dev/null
+From d22095d2bee51f3ea2421230ff3706164f804ec4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 22:59:36 +0200
+Subject: media: rcar_drif: Fix fwnode reference leak when parsing DT
+
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+
+[ Upstream commit cdd4f7824994c9254acc6e415750529ea2d2cfe0 ]
+
+The fwnode reference corresponding to the endpoint is leaked in an error
+path of the rcar_drif_parse_subdevs() function. Fix it, and reorganize
+fwnode reference handling in the function to release references early,
+simplifying error paths.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/rcar_drif.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/platform/rcar_drif.c b/drivers/media/platform/rcar_drif.c
+index 0f267a237b424..208ff260b0c10 100644
+--- a/drivers/media/platform/rcar_drif.c
++++ b/drivers/media/platform/rcar_drif.c
+@@ -1223,28 +1223,22 @@ static int rcar_drif_parse_subdevs(struct rcar_drif_sdr *sdr)
+ if (!ep)
+ return 0;
+
++ /* Get the endpoint properties */
++ rcar_drif_get_ep_properties(sdr, ep);
++
+ fwnode = fwnode_graph_get_remote_port_parent(ep);
++ fwnode_handle_put(ep);
+ if (!fwnode) {
+ dev_warn(sdr->dev, "bad remote port parent\n");
+- fwnode_handle_put(ep);
+ return -EINVAL;
+ }
+
+ sdr->ep.asd.match.fwnode = fwnode;
+ sdr->ep.asd.match_type = V4L2_ASYNC_MATCH_FWNODE;
+ ret = v4l2_async_notifier_add_subdev(notifier, &sdr->ep.asd);
+- if (ret) {
+- fwnode_handle_put(fwnode);
+- return ret;
+- }
+-
+- /* Get the endpoint properties */
+- rcar_drif_get_ep_properties(sdr, ep);
+-
+ fwnode_handle_put(fwnode);
+- fwnode_handle_put(ep);
+
+- return 0;
++ return ret;
+ }
+
+ /* Check if the given device is the primary bond */
+--
+2.25.1
+
--- /dev/null
+From 7e4db62060f8329dcba3d237ad371895dc28cfbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Aug 2020 17:32:39 +0200
+Subject: media: Revert "media: exynos4-is: Add missed check for
+ pinctrl_lookup_state()"
+
+From: Sylwester Nawrocki <s.nawrocki@samsung.com>
+
+[ Upstream commit 00d21f325d58567d81d9172096692d0a9ea7f725 ]
+
+The "idle" pinctrl state is optional as documented in the DT binding.
+The change introduced by the commit being reverted makes that pinctrl state
+mandatory and breaks initialization of the whole media driver, since the
+"idle" state is not specified in any mainline dts.
+
+This reverts commit 18ffec750578 ("media: exynos4-is: Add missed check for pinctrl_lookup_state()")
+to fix the regression.
+
+Fixes: 18ffec750578 ("media: exynos4-is: Add missed check for pinctrl_lookup_state()")
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/exynos4-is/media-dev.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c
+index 9c31d950cddf7..2f90607c3797d 100644
+--- a/drivers/media/platform/exynos4-is/media-dev.c
++++ b/drivers/media/platform/exynos4-is/media-dev.c
+@@ -1268,11 +1268,9 @@ static int fimc_md_get_pinctrl(struct fimc_md *fmd)
+ if (IS_ERR(pctl->state_default))
+ return PTR_ERR(pctl->state_default);
+
++ /* PINCTRL_STATE_IDLE is optional */
+ pctl->state_idle = pinctrl_lookup_state(pctl->pinctrl,
+ PINCTRL_STATE_IDLE);
+- if (IS_ERR(pctl->state_idle))
+- return PTR_ERR(pctl->state_idle);
+-
+ return 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 2ff57265991ae2921ad23e26bce6eb4e8aa0970d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 01:13:49 +0200
+Subject: media: rockchip/rga: Fix a reference count leak.
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit 884d638e0853c4b5f01eb6d048fc3b6239012404 ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code. Thus call pm_runtime_put_noidle()
+if pm_runtime_get_sync() fails.
+
+Fixes: f7e7b48e6d79 ("[media] rockchip/rga: v4l2 m2m support")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Reviewed-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/rockchip/rga/rga-buf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/platform/rockchip/rga/rga-buf.c b/drivers/media/platform/rockchip/rga/rga-buf.c
+index 36b821ccc1dba..bf9a75b75083b 100644
+--- a/drivers/media/platform/rockchip/rga/rga-buf.c
++++ b/drivers/media/platform/rockchip/rga/rga-buf.c
+@@ -81,6 +81,7 @@ static int rga_buf_start_streaming(struct vb2_queue *q, unsigned int count)
+
+ ret = pm_runtime_get_sync(rga->dev);
+ if (ret < 0) {
++ pm_runtime_put_noidle(rga->dev);
+ rga_buf_return_buffers(q, VB2_BUF_STATE_QUEUED);
+ return ret;
+ }
+--
+2.25.1
+
--- /dev/null
+From 4ffbd8d2a4dc5c718038acdee2535c636e7185aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 04:31:22 +0200
+Subject: media: s5p-mfc: Fix a reference count leak
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit 78741ce98c2e36188e2343434406b0e0bc50b0e7 ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code, causing incorrect ref count if
+pm_runtime_put_noidle() is not called in error handling paths.
+Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails.
+
+Fixes: c5086f130a77 ("[media] s5p-mfc: Use clock gating only on MFC v5 hardware")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc_pm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c
+index 7d52431c2c837..62d2320a72186 100644
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc_pm.c
+@@ -79,8 +79,10 @@ int s5p_mfc_power_on(void)
+ int i, ret = 0;
+
+ ret = pm_runtime_get_sync(pm->device);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put_noidle(pm->device);
+ return ret;
++ }
+
+ /* clock control */
+ for (i = 0; i < pm->num_clocks; i++) {
+--
+2.25.1
+
--- /dev/null
+From 198cbd378dc5e5894b9e485602dede4a39f36167 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 08:37:12 +0200
+Subject: media: saa7134: avoid a shift overflow
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 15a36aae1ec1c1f17149b6113b92631791830740 ]
+
+As reported by smatch:
+ drivers/media/pci/saa7134//saa7134-tvaudio.c:686 saa_dsp_writel() warn: should 'reg << 2' be a 64 bit type?
+
+On a 64-bits Kernel, the shift might be bigger than 32 bits.
+
+In real, this should never happen, but let's shut up the warning.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/saa7134/saa7134-tvaudio.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/saa7134/saa7134-tvaudio.c b/drivers/media/pci/saa7134/saa7134-tvaudio.c
+index 79e1afb710758..5cc4ef21f9d37 100644
+--- a/drivers/media/pci/saa7134/saa7134-tvaudio.c
++++ b/drivers/media/pci/saa7134/saa7134-tvaudio.c
+@@ -683,7 +683,8 @@ int saa_dsp_writel(struct saa7134_dev *dev, int reg, u32 value)
+ {
+ int err;
+
+- audio_dbg(2, "dsp write reg 0x%x = 0x%06x\n", reg << 2, value);
++ audio_dbg(2, "dsp write reg 0x%x = 0x%06x\n",
++ (reg << 2) & 0xffffffff, value);
+ err = saa_dsp_wait_bit(dev,SAA7135_DSP_RWSTATE_WRR);
+ if (err < 0)
+ return err;
+--
+2.25.1
+
--- /dev/null
+From 7fda546662519cc3d5a267b31671595d35afeb9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 05:58:41 +0200
+Subject: media: st-delta: Fix reference count leak in delta_run_work
+
+From: Aditya Pakki <pakki001@umn.edu>
+
+[ Upstream commit 57cc666d36adc7b45e37ba4cd7bc4e44ec4c43d7 ]
+
+delta_run_work() calls delta_get_sync() that increments
+the reference counter. In case of failure, decrement the reference
+count by calling delta_put_autosuspend().
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/sti/delta/delta-v4l2.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/sti/delta/delta-v4l2.c b/drivers/media/platform/sti/delta/delta-v4l2.c
+index 91369fb3ffaa4..2791107e641bc 100644
+--- a/drivers/media/platform/sti/delta/delta-v4l2.c
++++ b/drivers/media/platform/sti/delta/delta-v4l2.c
+@@ -954,8 +954,10 @@ static void delta_run_work(struct work_struct *work)
+ /* enable the hardware */
+ if (!dec->pm) {
+ ret = delta_get_sync(ctx);
+- if (ret)
++ if (ret) {
++ delta_put_autosuspend(ctx);
+ goto err;
++ }
+ }
+
+ /* decode this access unit */
+--
+2.25.1
+
--- /dev/null
+From 463d86496235dcea63882d3839184153b508c5df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Aug 2020 15:11:24 +0200
+Subject: media: staging/intel-ipu3: css: Correctly reset some memory
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 08913a8e458e03f886a1a1154a6501fcb9344c39 ]
+
+The intent here is to reset the whole 'scaler_coeffs_luma' array, not just
+the first element.
+
+Fixes: e11110a5b744 ("media: staging/intel-ipu3: css: Compute and program ccs")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Bingbu Cao <bingbu.cao@intel.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/ipu3/ipu3-css-params.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/ipu3/ipu3-css-params.c b/drivers/staging/media/ipu3/ipu3-css-params.c
+index 4533dacad4beb..ef3b5d07137a1 100644
+--- a/drivers/staging/media/ipu3/ipu3-css-params.c
++++ b/drivers/staging/media/ipu3/ipu3-css-params.c
+@@ -161,7 +161,7 @@ imgu_css_scaler_calc(u32 input_width, u32 input_height, u32 target_width,
+
+ memset(&cfg->scaler_coeffs_chroma, 0,
+ sizeof(cfg->scaler_coeffs_chroma));
+- memset(&cfg->scaler_coeffs_luma, 0, sizeof(*cfg->scaler_coeffs_luma));
++ memset(&cfg->scaler_coeffs_luma, 0, sizeof(cfg->scaler_coeffs_luma));
+ do {
+ phase_step_correction++;
+
+--
+2.25.1
+
--- /dev/null
+From 2355819dd910a137e2427d9698d75b8970db1b08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 05:31:06 +0200
+Subject: media: sti: Fix reference count leaks
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit 6f4432bae9f2d12fc1815b5e26cc07e69bcad0df ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code, causing incorrect ref count if
+pm_runtime_put_noidle() is not called in error handling paths.
+Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails.
+
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/sti/hva/hva-hw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/platform/sti/hva/hva-hw.c b/drivers/media/platform/sti/hva/hva-hw.c
+index 401aaafa17109..bb13348be0832 100644
+--- a/drivers/media/platform/sti/hva/hva-hw.c
++++ b/drivers/media/platform/sti/hva/hva-hw.c
+@@ -272,6 +272,7 @@ static unsigned long int hva_hw_get_ip_version(struct hva_dev *hva)
+
+ if (pm_runtime_get_sync(dev) < 0) {
+ dev_err(dev, "%s failed to get pm_runtime\n", HVA_PREFIX);
++ pm_runtime_put_noidle(dev);
+ mutex_unlock(&hva->protect_mutex);
+ return -EFAULT;
+ }
+@@ -553,6 +554,7 @@ void hva_hw_dump_regs(struct hva_dev *hva, struct seq_file *s)
+
+ if (pm_runtime_get_sync(dev) < 0) {
+ seq_puts(s, "Cannot wake up IP\n");
++ pm_runtime_put_noidle(dev);
+ mutex_unlock(&hva->protect_mutex);
+ return;
+ }
+--
+2.25.1
+
--- /dev/null
+From 5c717c93cc5d60b1269a5dbe2eeb52fc9aa1fa34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 04:36:59 +0200
+Subject: media: stm32-dcmi: Fix a reference count leak
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit 88f50a05f907d96a27a9ce3cc9e8cbb91a6f0f22 ]
+
+Calling pm_runtime_get_sync increments the counter even in case of
+failure, causing incorrect ref count if pm_runtime_put is not
+called in error handling paths. Thus replace the jump target
+"err_release_buffers" by "err_pm_putw".
+
+Fixes: 152e0bf60219 ("media: stm32-dcmi: add power saving support")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/stm32/stm32-dcmi.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/stm32/stm32-dcmi.c b/drivers/media/platform/stm32/stm32-dcmi.c
+index 9392e3409fba0..d41475f56ab54 100644
+--- a/drivers/media/platform/stm32/stm32-dcmi.c
++++ b/drivers/media/platform/stm32/stm32-dcmi.c
+@@ -733,7 +733,7 @@ static int dcmi_start_streaming(struct vb2_queue *vq, unsigned int count)
+ if (ret < 0) {
+ dev_err(dcmi->dev, "%s: Failed to start streaming, cannot get sync (%d)\n",
+ __func__, ret);
+- goto err_release_buffers;
++ goto err_pm_put;
+ }
+
+ ret = media_pipeline_start(&dcmi->vdev->entity, &dcmi->pipeline);
+@@ -837,8 +837,6 @@ static int dcmi_start_streaming(struct vb2_queue *vq, unsigned int count)
+
+ err_pm_put:
+ pm_runtime_put(dcmi->dev);
+-
+-err_release_buffers:
+ spin_lock_irq(&dcmi->irqlock);
+ /*
+ * Return all buffers to vb2 in QUEUED state.
+--
+2.25.1
+
--- /dev/null
+From a6c9dc1d64535eb9be93fb857665fdb12fb2131f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 20:32:12 +0200
+Subject: media: tc358743: cleanup tc358743_cec_isr
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 877cb8a444dad2304e891294afb0915fe3c278d6 ]
+
+tc358743_cec_isr is misnammed, it is not the main isr.
+So rename it to be consistent with its siblings,
+tc358743_cec_handler.
+
+It also does not check if its input parameter 'handled' is
+is non NULL like its siblings, so add a check.
+
+Fixes: a0ec8d1dc42e ("media: tc358743: add CEC support")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tc358743.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
+index 211caade9f998..cff99cf61ed4d 100644
+--- a/drivers/media/i2c/tc358743.c
++++ b/drivers/media/i2c/tc358743.c
+@@ -919,8 +919,8 @@ static const struct cec_adap_ops tc358743_cec_adap_ops = {
+ .adap_monitor_all_enable = tc358743_cec_adap_monitor_all_enable,
+ };
+
+-static void tc358743_cec_isr(struct v4l2_subdev *sd, u16 intstatus,
+- bool *handled)
++static void tc358743_cec_handler(struct v4l2_subdev *sd, u16 intstatus,
++ bool *handled)
+ {
+ struct tc358743_state *state = to_state(sd);
+ unsigned int cec_rxint, cec_txint;
+@@ -953,7 +953,8 @@ static void tc358743_cec_isr(struct v4l2_subdev *sd, u16 intstatus,
+ cec_transmit_attempt_done(state->cec_adap,
+ CEC_TX_STATUS_ERROR);
+ }
+- *handled = true;
++ if (handled)
++ *handled = true;
+ }
+ if ((intstatus & MASK_CEC_RINT) &&
+ (cec_rxint & MASK_CECRIEND)) {
+@@ -968,7 +969,8 @@ static void tc358743_cec_isr(struct v4l2_subdev *sd, u16 intstatus,
+ msg.msg[i] = v & 0xff;
+ }
+ cec_received_msg(state->cec_adap, &msg);
+- *handled = true;
++ if (handled)
++ *handled = true;
+ }
+ i2c_wr16(sd, INTSTATUS,
+ intstatus & (MASK_CEC_RINT | MASK_CEC_TINT));
+@@ -1432,7 +1434,7 @@ static int tc358743_isr(struct v4l2_subdev *sd, u32 status, bool *handled)
+
+ #ifdef CONFIG_VIDEO_TC358743_CEC
+ if (intstatus & (MASK_CEC_RINT | MASK_CEC_TINT)) {
+- tc358743_cec_isr(sd, intstatus, handled);
++ tc358743_cec_handler(sd, intstatus, handled);
+ i2c_wr16(sd, INTSTATUS,
+ intstatus & (MASK_CEC_RINT | MASK_CEC_TINT));
+ intstatus &= ~(MASK_CEC_RINT | MASK_CEC_TINT);
+--
+2.25.1
+
--- /dev/null
+From bb900de15b3abc2d4d3b37cba6a9b103492761a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Aug 2020 18:30:43 +0200
+Subject: media: tc358743: initialize variable
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 274cf92d5dff5c2fec1a518078542ffe70d07646 ]
+
+clang static analysis flags this error
+
+tc358743.c:1468:9: warning: Branch condition evaluates
+ to a garbage value
+ return handled ? IRQ_HANDLED : IRQ_NONE;
+ ^~~~~~~
+handled should be initialized to false.
+
+Fixes: d747b806abf4 ("[media] tc358743: add direct interrupt handling")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tc358743.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
+index dbbab75f135ec..211caade9f998 100644
+--- a/drivers/media/i2c/tc358743.c
++++ b/drivers/media/i2c/tc358743.c
+@@ -1461,7 +1461,7 @@ static int tc358743_isr(struct v4l2_subdev *sd, u32 status, bool *handled)
+ static irqreturn_t tc358743_irq_handler(int irq, void *dev_id)
+ {
+ struct tc358743_state *state = dev_id;
+- bool handled;
++ bool handled = false;
+
+ tc358743_isr(&state->sd, 0, &handled);
+
+--
+2.25.1
+
--- /dev/null
+From 7ae11afbc10792f63512588c81037a1cfe787381 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 04:56:05 +0200
+Subject: media: ti-vpe: Fix a missing check and reference count leak
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit 7dae2aaaf432767ca7aa11fa84643a7c2600dbdd ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code, causing incorrect ref count if
+pm_runtime_put_noidle() is not called in error handling paths.
+And also, when the call of function vpe_runtime_get() failed,
+we won't call vpe_runtime_put().
+Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails
+inside vpe_runtime_get().
+
+Fixes: 4571912743ac ("[media] v4l: ti-vpe: Add VPE mem to mem driver")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/ti-vpe/vpe.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/platform/ti-vpe/vpe.c b/drivers/media/platform/ti-vpe/vpe.c
+index 8b14ba4a3d9ea..817bd13370eff 100644
+--- a/drivers/media/platform/ti-vpe/vpe.c
++++ b/drivers/media/platform/ti-vpe/vpe.c
+@@ -2435,6 +2435,8 @@ static int vpe_runtime_get(struct platform_device *pdev)
+
+ r = pm_runtime_get_sync(&pdev->dev);
+ WARN_ON(r < 0);
++ if (r)
++ pm_runtime_put_noidle(&pdev->dev);
+ return r < 0 ? r : 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From f69f138ed9b408699a05725dfcb143a1c02da44c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Aug 2020 23:15:47 +0200
+Subject: media: tuner-simple: fix regression in simple_set_radio_freq
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 505bfc2a142f12ce7bc7a878b44abc3496f2e747 ]
+
+clang static analysis reports this problem
+
+tuner-simple.c:714:13: warning: Assigned value is
+ garbage or undefined
+ buffer[1] = buffer[3];
+ ^ ~~~~~~~~~
+In simple_set_radio_freq buffer[3] used to be done
+in-function with a switch of tuner type, now done
+by a call to simple_radio_bandswitch which has this case
+
+ case TUNER_TENA_9533_DI:
+ case TUNER_YMEC_TVF_5533MF:
+ tuner_dbg("This tuner doesn't ...
+ return 0;
+
+which does not set buffer[3]. In the old logic, this case
+would have returned 0 from simple_set_radio_freq.
+
+Recover this old behavior by returning an error for this
+codition. Since the old simple_set_radio_freq behavior
+returned a 0, do the same.
+
+Fixes: c7a9f3aa1e1b ("V4L/DVB (7129): tuner-simple: move device-specific code into three separate functions")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/tuners/tuner-simple.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/tuners/tuner-simple.c b/drivers/media/tuners/tuner-simple.c
+index b6e70fada3fb2..8fb186b25d6af 100644
+--- a/drivers/media/tuners/tuner-simple.c
++++ b/drivers/media/tuners/tuner-simple.c
+@@ -500,7 +500,7 @@ static int simple_radio_bandswitch(struct dvb_frontend *fe, u8 *buffer)
+ case TUNER_TENA_9533_DI:
+ case TUNER_YMEC_TVF_5533MF:
+ tuner_dbg("This tuner doesn't have FM. Most cards have a TEA5767 for FM\n");
+- return 0;
++ return -EINVAL;
+ case TUNER_PHILIPS_FM1216ME_MK3:
+ case TUNER_PHILIPS_FM1236_MK3:
+ case TUNER_PHILIPS_FMD1216ME_MK3:
+@@ -702,7 +702,8 @@ static int simple_set_radio_freq(struct dvb_frontend *fe,
+ TUNER_RATIO_SELECT_50; /* 50 kHz step */
+
+ /* Bandswitch byte */
+- simple_radio_bandswitch(fe, &buffer[0]);
++ if (simple_radio_bandswitch(fe, &buffer[0]))
++ return 0;
+
+ /* Convert from 1/16 kHz V4L steps to 1/20 MHz (=50 kHz) PLL steps
+ freq * (1 Mhz / 16000 V4L steps) * (20 PLL steps / 1 MHz) =
+--
+2.25.1
+
--- /dev/null
+From 23b542ddcba971bc801a61345f58727ae042a840 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Aug 2020 03:21:33 +0200
+Subject: media: uvcvideo: Ensure all probed info is returned to v4l2
+
+From: Adam Goode <agoode@google.com>
+
+[ Upstream commit 8a652a17e3c005dcdae31b6c8fdf14382a29cbbe ]
+
+bFrameIndex and bFormatIndex can be negotiated by the camera during
+probing, resulting in the camera choosing a different format than
+expected. v4l2 can already accommodate such changes, but the code was
+not updating the proper fields.
+
+Without such a change, v4l2 would potentially interpret the payload
+incorrectly, causing corrupted output. This was happening on the
+Elgato HD60 S+, which currently always renegotiates to format 1.
+
+As an aside, the Elgato firmware is buggy and should not be renegotating,
+but it is still a valid thing for the camera to do. Both macOS and Windows
+will properly probe and read uncorrupted images from this camera.
+
+With this change, both qv4l2 and chromium can now read uncorrupted video
+from the Elgato HD60 S+.
+
+[Add blank lines, remove periods at the of messages]
+
+Signed-off-by: Adam Goode <agoode@google.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_v4l2.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c
+index 0335e69b70abe..5e6f3153b5ff8 100644
+--- a/drivers/media/usb/uvc/uvc_v4l2.c
++++ b/drivers/media/usb/uvc/uvc_v4l2.c
+@@ -247,11 +247,41 @@ static int uvc_v4l2_try_format(struct uvc_streaming *stream,
+ if (ret < 0)
+ goto done;
+
++ /* After the probe, update fmt with the values returned from
++ * negotiation with the device.
++ */
++ for (i = 0; i < stream->nformats; ++i) {
++ if (probe->bFormatIndex == stream->format[i].index) {
++ format = &stream->format[i];
++ break;
++ }
++ }
++
++ if (i == stream->nformats) {
++ uvc_trace(UVC_TRACE_FORMAT, "Unknown bFormatIndex %u\n",
++ probe->bFormatIndex);
++ return -EINVAL;
++ }
++
++ for (i = 0; i < format->nframes; ++i) {
++ if (probe->bFrameIndex == format->frame[i].bFrameIndex) {
++ frame = &format->frame[i];
++ break;
++ }
++ }
++
++ if (i == format->nframes) {
++ uvc_trace(UVC_TRACE_FORMAT, "Unknown bFrameIndex %u\n",
++ probe->bFrameIndex);
++ return -EINVAL;
++ }
++
+ fmt->fmt.pix.width = frame->wWidth;
+ fmt->fmt.pix.height = frame->wHeight;
+ fmt->fmt.pix.field = V4L2_FIELD_NONE;
+ fmt->fmt.pix.bytesperline = uvc_v4l2_get_bytesperline(format, frame);
+ fmt->fmt.pix.sizeimage = probe->dwMaxVideoFrameSize;
++ fmt->fmt.pix.pixelformat = format->fcc;
+ fmt->fmt.pix.colorspace = format->colorspace;
+
+ if (uvc_format != NULL)
+--
+2.25.1
+
--- /dev/null
+From 7374b0431b875c7fb9359a048fde768a7f4d0dc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Jun 2020 04:05:49 +0200
+Subject: media: uvcvideo: Set media controller entity functions
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit d6834b4b58d110814aaf3469e7fd87d34ae5ae81 ]
+
+The media controller core prints a warning when an entity is registered
+without a function being set. This affects the uvcvideo driver, as the
+warning was added without first addressing the issue in existing
+drivers. The problem is harmless, but unnecessarily worries users. Fix
+it by mapping UVC entity types to MC entity functions as accurately as
+possible using the existing functions.
+
+Fixes: b50bde4e476d ("[media] v4l2-subdev: use MEDIA_ENT_T_UNKNOWN for new subdevs")
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_entity.c | 35 ++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/drivers/media/usb/uvc/uvc_entity.c b/drivers/media/usb/uvc/uvc_entity.c
+index b4499cddeffe5..ca3a9c2eec271 100644
+--- a/drivers/media/usb/uvc/uvc_entity.c
++++ b/drivers/media/usb/uvc/uvc_entity.c
+@@ -73,10 +73,45 @@ static int uvc_mc_init_entity(struct uvc_video_chain *chain,
+ int ret;
+
+ if (UVC_ENTITY_TYPE(entity) != UVC_TT_STREAMING) {
++ u32 function;
++
+ v4l2_subdev_init(&entity->subdev, &uvc_subdev_ops);
+ strscpy(entity->subdev.name, entity->name,
+ sizeof(entity->subdev.name));
+
++ switch (UVC_ENTITY_TYPE(entity)) {
++ case UVC_VC_SELECTOR_UNIT:
++ function = MEDIA_ENT_F_VID_MUX;
++ break;
++ case UVC_VC_PROCESSING_UNIT:
++ case UVC_VC_EXTENSION_UNIT:
++ /* For lack of a better option. */
++ function = MEDIA_ENT_F_PROC_VIDEO_PIXEL_FORMATTER;
++ break;
++ case UVC_COMPOSITE_CONNECTOR:
++ case UVC_COMPONENT_CONNECTOR:
++ function = MEDIA_ENT_F_CONN_COMPOSITE;
++ break;
++ case UVC_SVIDEO_CONNECTOR:
++ function = MEDIA_ENT_F_CONN_SVIDEO;
++ break;
++ case UVC_ITT_CAMERA:
++ function = MEDIA_ENT_F_CAM_SENSOR;
++ break;
++ case UVC_TT_VENDOR_SPECIFIC:
++ case UVC_ITT_VENDOR_SPECIFIC:
++ case UVC_ITT_MEDIA_TRANSPORT_INPUT:
++ case UVC_OTT_VENDOR_SPECIFIC:
++ case UVC_OTT_DISPLAY:
++ case UVC_OTT_MEDIA_TRANSPORT_OUTPUT:
++ case UVC_EXTERNAL_VENDOR_SPECIFIC:
++ default:
++ function = MEDIA_ENT_F_V4L2_SUBDEV_UNKNOWN;
++ break;
++ }
++
++ entity->subdev.entity.function = function;
++
+ ret = media_entity_pads_init(&entity->subdev.entity,
+ entity->num_pads, entity->pads);
+
+--
+2.25.1
+
--- /dev/null
+From a7e427b1fc0d6d6af62588d111095ad306b9c62e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Aug 2020 01:56:49 +0200
+Subject: media: uvcvideo: Silence shift-out-of-bounds warning
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit 171994e498a0426cbe17f874c5c6af3c0af45200 ]
+
+UBSAN reports a shift-out-of-bounds warning in uvc_get_le_value(). The
+report is correct, but the issue should be harmless as the computed
+value isn't used when the shift is negative. This may however cause
+incorrect behaviour if a negative shift could generate adverse side
+effects (such as a trap on some architectures for instance).
+
+Regardless of whether that may happen or not, silence the warning as a
+full WARN backtrace isn't nice.
+
+Reported-by: Bart Van Assche <bvanassche@acm.org>
+Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Tested-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_ctrl.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
+index e399b9fad7574..a30a8a731eda8 100644
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -773,12 +773,16 @@ static s32 uvc_get_le_value(struct uvc_control_mapping *mapping,
+ offset &= 7;
+ mask = ((1LL << bits) - 1) << offset;
+
+- for (; bits > 0; data++) {
++ while (1) {
+ u8 byte = *data & mask;
+ value |= offset > 0 ? (byte >> offset) : (byte << (-offset));
+ bits -= 8 - (offset > 0 ? offset : 0);
++ if (bits <= 0)
++ break;
++
+ offset -= 8;
+ mask = (1 << bits) - 1;
++ data++;
+ }
+
+ /* Sign-extend the value if needed. */
+--
+2.25.1
+
--- /dev/null
+From 4ad47f46917cc7834a3191fa0c210ca3a7e8fb64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Jun 2020 07:55:23 +0200
+Subject: media: venus: core: Fix runtime PM imbalance in venus_probe
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit bbe516e976fce538db96bd2b7287df942faa14a3 ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code. Thus a pairing decrement is needed on
+the error handling path to keep the counter balanced. For other error
+paths after this call, things are the same.
+
+Fix this by adding pm_runtime_put_noidle() after 'err_runtime_disable'
+label. But in this case, the error path after pm_runtime_put_sync()
+will decrease PM usage counter twice. Thus add an extra
+pm_runtime_get_noresume() in this path to balance PM counter.
+
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/venus/core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/qcom/venus/core.c b/drivers/media/platform/qcom/venus/core.c
+index 84e982f259a06..bbc430a003443 100644
+--- a/drivers/media/platform/qcom/venus/core.c
++++ b/drivers/media/platform/qcom/venus/core.c
+@@ -316,8 +316,10 @@ static int venus_probe(struct platform_device *pdev)
+ goto err_core_deinit;
+
+ ret = pm_runtime_put_sync(dev);
+- if (ret)
++ if (ret) {
++ pm_runtime_get_noresume(dev);
+ goto err_dev_unregister;
++ }
+
+ return 0;
+
+@@ -328,6 +330,7 @@ static int venus_probe(struct platform_device *pdev)
+ err_venus_shutdown:
+ venus_shutdown(core);
+ err_runtime_disable:
++ pm_runtime_put_noidle(dev);
+ pm_runtime_set_suspended(dev);
+ pm_runtime_disable(dev);
+ hfi_destroy(core);
+--
+2.25.1
+
--- /dev/null
+From 9ec5213f8f76e158a402345d7e733ec5b552a6a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Aug 2020 13:48:45 +0200
+Subject: media: venus: fixes for list corruption
+
+From: Vikash Garodia <vgarodia@codeaurora.org>
+
+[ Upstream commit e1c69c4eef61ffe295b747992c6fd849e6cd747d ]
+
+There are few list handling issues while adding and deleting
+node in the registered buf list in the driver.
+1. list addition - buffer added into the list during buf_init
+while not deleted during cleanup.
+2. list deletion - In capture streamoff, the list was reinitialized.
+As a result, if any node was present in the list, it would
+lead to issue while cleaning up that node during buf_cleanup.
+
+Corresponding call traces below:
+[ 165.751014] Call trace:
+[ 165.753541] __list_add_valid+0x58/0x88
+[ 165.757532] venus_helper_vb2_buf_init+0x74/0xa8 [venus_core]
+[ 165.763450] vdec_buf_init+0x34/0xb4 [venus_dec]
+[ 165.768271] __buf_prepare+0x598/0x8a0 [videobuf2_common]
+[ 165.773820] vb2_core_qbuf+0xb4/0x334 [videobuf2_common]
+[ 165.779298] vb2_qbuf+0x78/0xb8 [videobuf2_v4l2]
+[ 165.784053] v4l2_m2m_qbuf+0x80/0xf8 [v4l2_mem2mem]
+[ 165.789067] v4l2_m2m_ioctl_qbuf+0x2c/0x38 [v4l2_mem2mem]
+[ 165.794624] v4l_qbuf+0x48/0x58
+
+[ 1797.556001] Call trace:
+[ 1797.558516] __list_del_entry_valid+0x88/0x9c
+[ 1797.562989] vdec_buf_cleanup+0x54/0x228 [venus_dec]
+[ 1797.568088] __buf_prepare+0x270/0x8a0 [videobuf2_common]
+[ 1797.573625] vb2_core_qbuf+0xb4/0x338 [videobuf2_common]
+[ 1797.579082] vb2_qbuf+0x78/0xb8 [videobuf2_v4l2]
+[ 1797.583830] v4l2_m2m_qbuf+0x80/0xf8 [v4l2_mem2mem]
+[ 1797.588843] v4l2_m2m_ioctl_qbuf+0x2c/0x38 [v4l2_mem2mem]
+[ 1797.594389] v4l_qbuf+0x48/0x58
+
+Signed-off-by: Vikash Garodia <vgarodia@codeaurora.org>
+Reviewed-by: Fritz Koenig <frkoenig@chromium.org>
+Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/venus/vdec.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c
+index 05b80a66e80ed..658825b4c4e8d 100644
+--- a/drivers/media/platform/qcom/venus/vdec.c
++++ b/drivers/media/platform/qcom/venus/vdec.c
+@@ -993,8 +993,6 @@ static int vdec_stop_capture(struct venus_inst *inst)
+ break;
+ }
+
+- INIT_LIST_HEAD(&inst->registeredbufs);
+-
+ return ret;
+ }
+
+@@ -1091,6 +1089,14 @@ static int vdec_buf_init(struct vb2_buffer *vb)
+ static void vdec_buf_cleanup(struct vb2_buffer *vb)
+ {
+ struct venus_inst *inst = vb2_get_drv_priv(vb->vb2_queue);
++ struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb);
++ struct venus_buffer *buf = to_venus_buffer(vbuf);
++
++ mutex_lock(&inst->lock);
++ if (vb->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
++ if (!list_empty(&inst->registeredbufs))
++ list_del_init(&buf->reg_list);
++ mutex_unlock(&inst->lock);
+
+ inst->buf_count--;
+ if (!inst->buf_count)
+--
+2.25.1
+
--- /dev/null
+From a8f9c42a39abe8a6c29210d8682865028aaeaf11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jun 2020 07:29:19 +0200
+Subject: media: vsp1: Fix runtime PM imbalance on error
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 98fae901c8883640202802174a4bd70a1b9118bd ]
+
+pm_runtime_get_sync() increments the runtime PM usage counter even
+when it returns an error code. Thus a pairing decrement is needed on
+the error handling path to keep the counter balanced.
+
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vsp1/vsp1_drv.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/vsp1/vsp1_drv.c b/drivers/media/platform/vsp1/vsp1_drv.c
+index c650e45bb0ad1..dc62533cf32ce 100644
+--- a/drivers/media/platform/vsp1/vsp1_drv.c
++++ b/drivers/media/platform/vsp1/vsp1_drv.c
+@@ -562,7 +562,12 @@ int vsp1_device_get(struct vsp1_device *vsp1)
+ int ret;
+
+ ret = pm_runtime_get_sync(vsp1->dev);
+- return ret < 0 ? ret : 0;
++ if (ret < 0) {
++ pm_runtime_put_noidle(vsp1->dev);
++ return ret;
++ }
++
++ return 0;
+ }
+
+ /*
+@@ -845,12 +850,12 @@ static int vsp1_probe(struct platform_device *pdev)
+ /* Configure device parameters based on the version register. */
+ pm_runtime_enable(&pdev->dev);
+
+- ret = pm_runtime_get_sync(&pdev->dev);
++ ret = vsp1_device_get(vsp1);
+ if (ret < 0)
+ goto done;
+
+ vsp1->version = vsp1_read(vsp1, VI6_IP_VERSION);
+- pm_runtime_put_sync(&pdev->dev);
++ vsp1_device_put(vsp1);
+
+ for (i = 0; i < ARRAY_SIZE(vsp1_device_infos); ++i) {
+ if ((vsp1->version & VI6_IP_VERSION_MODEL_MASK) ==
+--
+2.25.1
+
--- /dev/null
+From f1938a2eb49a50da26e2e04f27fe60b1f874cd4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Aug 2020 09:33:15 +0200
+Subject: memory: fsl-corenet-cf: Fix handling of platform_get_irq() error
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit dd85345abca60a8916617e8d75c0f9ce334336dd ]
+
+platform_get_irq() returns -ERRNO on error. In such case comparison
+to 0 would pass the check.
+
+Fixes: 54afbec0d57f ("memory: Freescale CoreNet Coherency Fabric error reporting driver")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Link: https://lore.kernel.org/r/20200827073315.29351-1-krzk@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/fsl-corenet-cf.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/memory/fsl-corenet-cf.c b/drivers/memory/fsl-corenet-cf.c
+index 0b0ed72016da8..0309bd5a18008 100644
+--- a/drivers/memory/fsl-corenet-cf.c
++++ b/drivers/memory/fsl-corenet-cf.c
+@@ -211,10 +211,8 @@ static int ccf_probe(struct platform_device *pdev)
+ dev_set_drvdata(&pdev->dev, ccf);
+
+ irq = platform_get_irq(pdev, 0);
+- if (!irq) {
+- dev_err(&pdev->dev, "%s: no irq\n", __func__);
+- return -ENXIO;
+- }
++ if (irq < 0)
++ return irq;
+
+ ret = devm_request_irq(&pdev->dev, irq, ccf_irq, 0, pdev->name, ccf);
+ if (ret) {
+--
+2.25.1
+
--- /dev/null
+From 89b32e46f44ccc74e44a13550cb31c37e295a8e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Aug 2020 13:47:07 +0300
+Subject: memory: omap-gpmc: Fix a couple off by ones
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 4c54228ac8fd55044195825873c50a524131fa53 ]
+
+These comparisons should be >= instead of > to prevent reading one
+element beyond the end of the gpmc_cs[] array.
+
+Fixes: cdd6928c589a ("ARM: OMAP2+: Add device-tree support for NOR flash")
+Fixes: f37e4580c409 ("ARM: OMAP2: Dynamic allocator for GPMC memory space")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Roger Quadros <rogerq@ti.com>
+Link: https://lore.kernel.org/r/20200825104707.GB278587@mwanda
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/omap-gpmc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c
+index eff26c1b13940..b5055577843a2 100644
+--- a/drivers/memory/omap-gpmc.c
++++ b/drivers/memory/omap-gpmc.c
+@@ -949,7 +949,7 @@ static int gpmc_cs_remap(int cs, u32 base)
+ int ret;
+ u32 old_base, size;
+
+- if (cs > gpmc_cs_num) {
++ if (cs >= gpmc_cs_num) {
+ pr_err("%s: requested chip-select is disabled\n", __func__);
+ return -ENODEV;
+ }
+@@ -984,7 +984,7 @@ int gpmc_cs_request(int cs, unsigned long size, unsigned long *base)
+ struct resource *res = &gpmc->mem;
+ int r = -1;
+
+- if (cs > gpmc_cs_num) {
++ if (cs >= gpmc_cs_num) {
+ pr_err("%s: requested chip-select is disabled\n", __func__);
+ return -ENODEV;
+ }
+--
+2.25.1
+
--- /dev/null
+From 1c64a0be8890edfebf57d0562536efad21b2cbf8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Aug 2020 20:53:16 +0800
+Subject: memory: omap-gpmc: Fix build error without CONFIG_OF
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 13d029ee51da365aa9c859db0c7395129252bde8 ]
+
+If CONFIG_OF is n, gcc fails:
+
+drivers/memory/omap-gpmc.o: In function `gpmc_omap_onenand_set_timings':
+ omap-gpmc.c:(.text+0x2a88): undefined reference to `gpmc_read_settings_dt'
+
+Add gpmc_read_settings_dt() helper function, which zero the gpmc_settings
+so the caller doesn't proceed with random/invalid settings.
+
+Fixes: a758f50f10cf ("mtd: onenand: omap2: Configure driver from DT")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Roger Quadros <rogerq@ti.com>
+Link: https://lore.kernel.org/r/20200827125316.20780-1-yuehaibing@huawei.com
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/omap-gpmc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c
+index b5055577843a2..27bc417029e11 100644
+--- a/drivers/memory/omap-gpmc.c
++++ b/drivers/memory/omap-gpmc.c
+@@ -2274,6 +2274,10 @@ static void gpmc_probe_dt_children(struct platform_device *pdev)
+ }
+ }
+ #else
++void gpmc_read_settings_dt(struct device_node *np, struct gpmc_settings *p)
++{
++ memset(p, 0, sizeof(*p));
++}
+ static int gpmc_probe_dt(struct platform_device *pdev)
+ {
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From f04d9401a6c5d6f72969241e5c7489a9b2e9d64c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Sep 2020 14:33:26 +0300
+Subject: mfd: sm501: Fix leaks in probe()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 8ce24f8967df2836b4557a23e74dc4bb098249f1 ]
+
+This code should clean up if sm501_init_dev() fails.
+
+Fixes: b6d6454fdb66 ("[PATCH] mfd: SM501 core driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/sm501.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c
+index 154270f8d8d78..bbcde58e2a11e 100644
+--- a/drivers/mfd/sm501.c
++++ b/drivers/mfd/sm501.c
+@@ -1424,8 +1424,14 @@ static int sm501_plat_probe(struct platform_device *dev)
+ goto err_claim;
+ }
+
+- return sm501_init_dev(sm);
++ ret = sm501_init_dev(sm);
++ if (ret)
++ goto err_unmap;
++
++ return 0;
+
++ err_unmap:
++ iounmap(sm->regs);
+ err_claim:
+ release_resource(sm->regs_claim);
+ kfree(sm->regs_claim);
+--
+2.25.1
+
--- /dev/null
+From 759288d57010141e68c69d0b7c7ef5ef8d2e8b48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Sep 2020 17:11:06 +0800
+Subject: mic: vop: copy data to kernel space then write to io memory
+
+From: Sherry Sun <sherry.sun@nxp.com>
+
+[ Upstream commit 675f0ad4046946e80412896436164d172cd92238 ]
+
+Read and write io memory should address align on ARCH ARM. Change to use
+memcpy_toio to avoid kernel panic caused by the address un-align issue.
+
+Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Link: https://lore.kernel.org/r/20200929091106.24624-5-sherry.sun@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/mic/vop/vop_vringh.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/misc/mic/vop/vop_vringh.c b/drivers/misc/mic/vop/vop_vringh.c
+index 30eac172f0170..d069947b09345 100644
+--- a/drivers/misc/mic/vop/vop_vringh.c
++++ b/drivers/misc/mic/vop/vop_vringh.c
+@@ -602,6 +602,7 @@ static int vop_virtio_copy_from_user(struct vop_vdev *vdev, void __user *ubuf,
+ size_t partlen;
+ bool dma = VOP_USE_DMA && vi->dma_ch;
+ int err = 0;
++ size_t offset = 0;
+
+ if (dma) {
+ dma_alignment = 1 << vi->dma_ch->device->copy_align;
+@@ -655,13 +656,20 @@ static int vop_virtio_copy_from_user(struct vop_vdev *vdev, void __user *ubuf,
+ * We are copying to IO below and should ideally use something
+ * like copy_from_user_toio(..) if it existed.
+ */
+- if (copy_from_user((void __force *)dbuf, ubuf, len)) {
+- err = -EFAULT;
+- dev_err(vop_dev(vdev), "%s %d err %d\n",
+- __func__, __LINE__, err);
+- goto err;
++ while (len) {
++ partlen = min_t(size_t, len, VOP_INT_DMA_BUF_SIZE);
++
++ if (copy_from_user(vvr->buf, ubuf + offset, partlen)) {
++ err = -EFAULT;
++ dev_err(vop_dev(vdev), "%s %d err %d\n",
++ __func__, __LINE__, err);
++ goto err;
++ }
++ memcpy_toio(dbuf + offset, vvr->buf, partlen);
++ offset += partlen;
++ vdev->out_bytes += partlen;
++ len -= partlen;
+ }
+- vdev->out_bytes += len;
+ err = 0;
+ err:
+ vpdev->hw_ops->unmap(vpdev, dbuf);
+--
+2.25.1
+
--- /dev/null
+From fe2b63b6585b8e61743f6c53bbebd7750374bace Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Sep 2020 08:21:35 +0530
+Subject: misc: mic: scif: Fix error handling path
+
+From: Souptick Joarder <jrdr.linux@gmail.com>
+
+[ Upstream commit a81072a9c0ae734b7889929b0bc070fe3f353f0e ]
+
+Inside __scif_pin_pages(), when map_flags != SCIF_MAP_KERNEL it
+will call pin_user_pages_fast() to map nr_pages. However,
+pin_user_pages_fast() might fail with a return value -ERRNO.
+
+The return value is stored in pinned_pages->nr_pages. which in
+turn is passed to unpin_user_pages(), which expects
+pinned_pages->nr_pages >=0, else disaster.
+
+Fix this by assigning pinned_pages->nr_pages to 0 if
+pin_user_pages_fast() returns -ERRNO.
+
+Fixes: ba612aa8b487 ("misc: mic: SCIF memory registration and unregistration")
+Cc: John Hubbard <jhubbard@nvidia.com>
+Cc: Ira Weiny <ira.weiny@intel.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: John Hubbard <jhubbard@nvidia.com>
+Signed-off-by: Souptick Joarder <jrdr.linux@gmail.com>
+Link: https://lore.kernel.org/r/1600570295-29546-1-git-send-email-jrdr.linux@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/mic/scif/scif_rma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/misc/mic/scif/scif_rma.c b/drivers/misc/mic/scif/scif_rma.c
+index 01e27682ea303..a486c6c7f4077 100644
+--- a/drivers/misc/mic/scif/scif_rma.c
++++ b/drivers/misc/mic/scif/scif_rma.c
+@@ -1381,6 +1381,8 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot,
+ (prot & SCIF_PROT_WRITE) ? FOLL_WRITE : 0,
+ pinned_pages->pages);
+ if (nr_pages != pinned_pages->nr_pages) {
++ if (pinned_pages->nr_pages < 0)
++ pinned_pages->nr_pages = 0;
+ if (try_upgrade) {
+ if (ulimit)
+ __scif_dec_pinned_vm_lock(mm, nr_pages);
+@@ -1400,7 +1402,6 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot,
+
+ if (pinned_pages->nr_pages < nr_pages) {
+ err = -EFAULT;
+- pinned_pages->nr_pages = nr_pages;
+ goto dec_pinned;
+ }
+
+@@ -1413,7 +1414,6 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot,
+ __scif_dec_pinned_vm_lock(mm, nr_pages);
+ /* Something went wrong! Rollback */
+ error_unmap:
+- pinned_pages->nr_pages = nr_pages;
+ scif_destroy_pinned_pages(pinned_pages);
+ *pages = NULL;
+ dev_dbg(scif_info.mdev.this_device,
+--
+2.25.1
+
--- /dev/null
+From f8383a2d1d1d0bc474921f2cc6190ff5cb72f795 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Sep 2020 07:18:51 +0000
+Subject: misc: rtsx: Fix memory leak in rtsx_pci_probe
+
+From: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
+
+[ Upstream commit bc28369c6189009b66d9619dd9f09bd8c684bb98 ]
+
+When mfd_add_devices() fail, pcr->slots should also be freed. However,
+the current implementation does not free the member, leading to a memory
+leak.
+
+Fix this by adding a new goto label that frees pcr->slots.
+
+Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
+Link: https://lore.kernel.org/r/20200909071853.4053-1-keitasuzuki.park@sslab.ics.keio.ac.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/cardreader/rtsx_pcr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/misc/cardreader/rtsx_pcr.c b/drivers/misc/cardreader/rtsx_pcr.c
+index 1958833b3b74e..4fd57052ddd3d 100644
+--- a/drivers/misc/cardreader/rtsx_pcr.c
++++ b/drivers/misc/cardreader/rtsx_pcr.c
+@@ -1534,12 +1534,14 @@ static int rtsx_pci_probe(struct pci_dev *pcidev,
+ ret = mfd_add_devices(&pcidev->dev, pcr->id, rtsx_pcr_cells,
+ ARRAY_SIZE(rtsx_pcr_cells), NULL, 0, NULL);
+ if (ret < 0)
+- goto disable_irq;
++ goto free_slots;
+
+ schedule_delayed_work(&pcr->idle_work, msecs_to_jiffies(200));
+
+ return 0;
+
++free_slots:
++ kfree(pcr->slots);
+ disable_irq:
+ free_irq(pcr->irq, (void *)pcr);
+ disable_msi:
+--
+2.25.1
+
--- /dev/null
+From 8005215b5f3fd4992b607129746fe8ddeac50ebe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Sep 2020 17:11:05 +0800
+Subject: misc: vop: add round_up(x,4) for vring_size to avoid kernel panic
+
+From: Sherry Sun <sherry.sun@nxp.com>
+
+[ Upstream commit cc1a2679865a94b83804822996eed010a50a7c1d ]
+
+Since struct _mic_vring_info and vring are allocated together and follow
+vring, if the vring_size() is not four bytes aligned, which will cause
+the start address of struct _mic_vring_info is not four byte aligned.
+For example, when vring entries is 128, the vring_size() will be 5126
+bytes. The _mic_vring_info struct layout in ddr looks like:
+0x90002400: 00000000 00390000 EE010000 0000C0FF
+Here 0x39 is the avail_idx member, and 0xC0FFEE01 is the magic member.
+
+When EP use ioread32(magic) to reads the magic in RC's share memory, it
+will cause kernel panic on ARM64 platform due to the cross-byte io read.
+Here read magic in user space use le32toh(vr0->info->magic) will meet
+the same issue.
+So add round_up(x,4) for vring_size, then the struct _mic_vring_info
+will store in this way:
+0x90002400: 00000000 00000000 00000039 C0FFEE01
+Which will avoid kernel panic when read magic in struct _mic_vring_info.
+
+Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Link: https://lore.kernel.org/r/20200929091106.24624-4-sherry.sun@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/mic/vop/vop_main.c | 2 +-
+ drivers/misc/mic/vop/vop_vringh.c | 4 ++--
+ samples/mic/mpssd/mpssd.c | 4 ++--
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/misc/mic/vop/vop_main.c b/drivers/misc/mic/vop/vop_main.c
+index 85942f6717c57..8aadc6055df17 100644
+--- a/drivers/misc/mic/vop/vop_main.c
++++ b/drivers/misc/mic/vop/vop_main.c
+@@ -320,7 +320,7 @@ static struct virtqueue *vop_find_vq(struct virtio_device *dev,
+ /* First assign the vring's allocated in host memory */
+ vqconfig = _vop_vq_config(vdev->desc) + index;
+ memcpy_fromio(&config, vqconfig, sizeof(config));
+- _vr_size = vring_size(le16_to_cpu(config.num), MIC_VIRTIO_RING_ALIGN);
++ _vr_size = round_up(vring_size(le16_to_cpu(config.num), MIC_VIRTIO_RING_ALIGN), 4);
+ vr_size = PAGE_ALIGN(_vr_size + sizeof(struct _mic_vring_info));
+ va = vpdev->hw_ops->remap(vpdev, le64_to_cpu(config.address), vr_size);
+ if (!va)
+diff --git a/drivers/misc/mic/vop/vop_vringh.c b/drivers/misc/mic/vop/vop_vringh.c
+index d069947b09345..7014ffe88632e 100644
+--- a/drivers/misc/mic/vop/vop_vringh.c
++++ b/drivers/misc/mic/vop/vop_vringh.c
+@@ -296,7 +296,7 @@ static int vop_virtio_add_device(struct vop_vdev *vdev,
+
+ num = le16_to_cpu(vqconfig[i].num);
+ mutex_init(&vvr->vr_mutex);
+- vr_size = PAGE_ALIGN(vring_size(num, MIC_VIRTIO_RING_ALIGN) +
++ vr_size = PAGE_ALIGN(round_up(vring_size(num, MIC_VIRTIO_RING_ALIGN), 4) +
+ sizeof(struct _mic_vring_info));
+ vr->va = (void *)
+ __get_free_pages(GFP_KERNEL | __GFP_ZERO,
+@@ -308,7 +308,7 @@ static int vop_virtio_add_device(struct vop_vdev *vdev,
+ goto err;
+ }
+ vr->len = vr_size;
+- vr->info = vr->va + vring_size(num, MIC_VIRTIO_RING_ALIGN);
++ vr->info = vr->va + round_up(vring_size(num, MIC_VIRTIO_RING_ALIGN), 4);
+ vr->info->magic = cpu_to_le32(MIC_MAGIC + vdev->virtio_id + i);
+ vr_addr = dma_map_single(&vpdev->dev, vr->va, vr_size,
+ DMA_BIDIRECTIONAL);
+diff --git a/samples/mic/mpssd/mpssd.c b/samples/mic/mpssd/mpssd.c
+index a11bf6c5b53b4..cd3f16a6f5caf 100644
+--- a/samples/mic/mpssd/mpssd.c
++++ b/samples/mic/mpssd/mpssd.c
+@@ -403,9 +403,9 @@ mic_virtio_copy(struct mic_info *mic, int fd,
+
+ static inline unsigned _vring_size(unsigned int num, unsigned long align)
+ {
+- return ((sizeof(struct vring_desc) * num + sizeof(__u16) * (3 + num)
++ return _ALIGN_UP(((sizeof(struct vring_desc) * num + sizeof(__u16) * (3 + num)
+ + align - 1) & ~(align - 1))
+- + sizeof(__u16) * 3 + sizeof(struct vring_used_elem) * num;
++ + sizeof(__u16) * 3 + sizeof(struct vring_used_elem) * num, 4);
+ }
+
+ /*
+--
+2.25.1
+
--- /dev/null
+From e7dd9074f3ff0dd3207a4787047c3d42637091fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Aug 2020 15:01:10 -0700
+Subject: mm/error_inject: Fix allow_error_inject function signatures.
+
+From: Alexei Starovoitov <ast@kernel.org>
+
+[ Upstream commit 76cd61739fd107a7f7ec4c24a045e98d8ee150f0 ]
+
+'static' and 'static noinline' function attributes make no guarantees that
+gcc/clang won't optimize them. The compiler may decide to inline 'static'
+function and in such case ALLOW_ERROR_INJECT becomes meaningless. The compiler
+could have inlined __add_to_page_cache_locked() in one callsite and didn't
+inline in another. In such case injecting errors into it would cause
+unpredictable behavior. It's worse with 'static noinline' which won't be
+inlined, but it still can be optimized. Like the compiler may decide to remove
+one argument or constant propagate the value depending on the callsite.
+
+To avoid such issues make sure that these functions are global noinline.
+
+Fixes: af3b854492f3 ("mm/page_alloc.c: allow error injection")
+Fixes: cfcbfb1382db ("mm/filemap.c: enable error injection at add_to_page_cache()")
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Link: https://lore.kernel.org/bpf/20200827220114.69225-2-alexei.starovoitov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/filemap.c | 8 ++++----
+ mm/page_alloc.c | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/mm/filemap.c b/mm/filemap.c
+index 51b2cb5aa5030..db542b4948838 100644
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -847,10 +847,10 @@ int replace_page_cache_page(struct page *old, struct page *new, gfp_t gfp_mask)
+ }
+ EXPORT_SYMBOL_GPL(replace_page_cache_page);
+
+-static int __add_to_page_cache_locked(struct page *page,
+- struct address_space *mapping,
+- pgoff_t offset, gfp_t gfp_mask,
+- void **shadowp)
++noinline int __add_to_page_cache_locked(struct page *page,
++ struct address_space *mapping,
++ pgoff_t offset, gfp_t gfp_mask,
++ void **shadowp)
+ {
+ XA_STATE(xas, &mapping->i_pages, offset);
+ int huge = PageHuge(page);
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index aff0bb4629bdf..2640f67410044 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -3385,7 +3385,7 @@ static inline bool __should_fail_alloc_page(gfp_t gfp_mask, unsigned int order)
+
+ #endif /* CONFIG_FAIL_PAGE_ALLOC */
+
+-static noinline bool should_fail_alloc_page(gfp_t gfp_mask, unsigned int order)
++noinline bool should_fail_alloc_page(gfp_t gfp_mask, unsigned int order)
+ {
+ return __should_fail_alloc_page(gfp_mask, order);
+ }
+--
+2.25.1
+
--- /dev/null
+From cc8037f8ef73f4b4050a57c473bc72caafc8fab0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Oct 2020 16:53:13 -0700
+Subject: mm/memcg: fix device private memcg accounting
+
+From: Ralph Campbell <rcampbell@nvidia.com>
+
+[ Upstream commit 9a137153fc8798a89d8fce895cd0a06ea5b8e37c ]
+
+The code in mc_handle_swap_pte() checks for non_swap_entry() and returns
+NULL before checking is_device_private_entry() so device private pages are
+never handled. Fix this by checking for non_swap_entry() after handling
+device private swap PTEs.
+
+I assume the memory cgroup accounting would be off somehow when moving
+a process to another memory cgroup. Currently, the device private page
+is charged like a normal anonymous page when allocated and is uncharged
+when the page is freed so I think that path is OK.
+
+Signed-off-by: Ralph Campbell <rcampbell@nvidia.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
+Cc: Jerome Glisse <jglisse@redhat.com>
+Cc: Balbir Singh <bsingharora@gmail.com>
+Cc: Ira Weiny <ira.weiny@intel.com>
+Link: https://lkml.kernel.org/r/20201009215952.2726-1-rcampbell@nvidia.com
+xFixes: c733a82874a7 ("mm/memcontrol: support MEMORY_DEVICE_PRIVATE")
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/memcontrol.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/mm/memcontrol.c b/mm/memcontrol.c
+index ca1632850fb76..edf98f8588eeb 100644
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -5398,7 +5398,7 @@ static struct page *mc_handle_swap_pte(struct vm_area_struct *vma,
+ struct page *page = NULL;
+ swp_entry_t ent = pte_to_swp_entry(ptent);
+
+- if (!(mc.flags & MOVE_ANON) || non_swap_entry(ent))
++ if (!(mc.flags & MOVE_ANON))
+ return NULL;
+
+ /*
+@@ -5417,6 +5417,9 @@ static struct page *mc_handle_swap_pte(struct vm_area_struct *vma,
+ return page;
+ }
+
++ if (non_swap_entry(ent))
++ return NULL;
++
+ /*
+ * Because lookup_swap_cache() updates some statistics counter,
+ * we call find_get_page() with swapper_space directly.
+--
+2.25.1
+
--- /dev/null
+From 9ac80e2beb22cc1c655667338a4e33b883c8e164 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Oct 2020 16:58:35 -0700
+Subject: mm, oom_adj: don't loop through tasks in __set_oom_adj when not
+ necessary
+
+From: Suren Baghdasaryan <surenb@google.com>
+
+[ Upstream commit 67197a4f28d28d0b073ab0427b03cb2ee5382578 ]
+
+Currently __set_oom_adj loops through all processes in the system to keep
+oom_score_adj and oom_score_adj_min in sync between processes sharing
+their mm. This is done for any task with more that one mm_users, which
+includes processes with multiple threads (sharing mm and signals).
+However for such processes the loop is unnecessary because their signal
+structure is shared as well.
+
+Android updates oom_score_adj whenever a tasks changes its role
+(background/foreground/...) or binds to/unbinds from a service, making it
+more/less important. Such operation can happen frequently. We noticed
+that updates to oom_score_adj became more expensive and after further
+investigation found out that the patch mentioned in "Fixes" introduced a
+regression. Using Pixel 4 with a typical Android workload, write time to
+oom_score_adj increased from ~3.57us to ~362us. Moreover this regression
+linearly depends on the number of multi-threaded processes running on the
+system.
+
+Mark the mm with a new MMF_MULTIPROCESS flag bit when task is created with
+(CLONE_VM && !CLONE_THREAD && !CLONE_VFORK). Change __set_oom_adj to use
+MMF_MULTIPROCESS instead of mm_users to decide whether oom_score_adj
+update should be synchronized between multiple processes. To prevent
+races between clone() and __set_oom_adj(), when oom_score_adj of the
+process being cloned might be modified from userspace, we use
+oom_adj_mutex. Its scope is changed to global.
+
+The combination of (CLONE_VM && !CLONE_THREAD) is rarely used except for
+the case of vfork(). To prevent performance regressions of vfork(), we
+skip taking oom_adj_mutex and setting MMF_MULTIPROCESS when CLONE_VFORK is
+specified. Clearing the MMF_MULTIPROCESS flag (when the last process
+sharing the mm exits) is left out of this patch to keep it simple and
+because it is believed that this threading model is rare. Should there
+ever be a need for optimizing that case as well, it can be done by hooking
+into the exit path, likely following the mm_update_next_owner pattern.
+
+With the combination of (CLONE_VM && !CLONE_THREAD && !CLONE_VFORK) being
+quite rare, the regression is gone after the change is applied.
+
+[surenb@google.com: v3]
+ Link: https://lkml.kernel.org/r/20200902012558.2335613-1-surenb@google.com
+
+Fixes: 44a70adec910 ("mm, oom_adj: make sure processes sharing mm have same view of oom_score_adj")
+Reported-by: Tim Murray <timmurray@google.com>
+Suggested-by: Michal Hocko <mhocko@kernel.org>
+Signed-off-by: Suren Baghdasaryan <surenb@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Eugene Syromiatnikov <esyr@redhat.com>
+Cc: Christian Kellner <christian@kellner.me>
+Cc: Adrian Reber <areber@redhat.com>
+Cc: Shakeel Butt <shakeelb@google.com>
+Cc: Aleksa Sarai <cyphar@cyphar.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: Alexey Gladkov <gladkov.alexey@gmail.com>
+Cc: Michel Lespinasse <walken@google.com>
+Cc: Daniel Jordan <daniel.m.jordan@oracle.com>
+Cc: Andrei Vagin <avagin@gmail.com>
+Cc: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Cc: John Johansen <john.johansen@canonical.com>
+Cc: Yafang Shao <laoar.shao@gmail.com>
+Link: https://lkml.kernel.org/r/20200824153036.3201505-1-surenb@google.com
+Debugged-by: Minchan Kim <minchan@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/proc/base.c | 3 +--
+ include/linux/oom.h | 1 +
+ include/linux/sched/coredump.h | 1 +
+ kernel/fork.c | 21 +++++++++++++++++++++
+ mm/oom_kill.c | 2 ++
+ 5 files changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 529d0c6ec6f9c..b690074e65ffa 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -1036,7 +1036,6 @@ static ssize_t oom_adj_read(struct file *file, char __user *buf, size_t count,
+
+ static int __set_oom_adj(struct file *file, int oom_adj, bool legacy)
+ {
+- static DEFINE_MUTEX(oom_adj_mutex);
+ struct mm_struct *mm = NULL;
+ struct task_struct *task;
+ int err = 0;
+@@ -1076,7 +1075,7 @@ static int __set_oom_adj(struct file *file, int oom_adj, bool legacy)
+ struct task_struct *p = find_lock_task_mm(task);
+
+ if (p) {
+- if (atomic_read(&p->mm->mm_users) > 1) {
++ if (test_bit(MMF_MULTIPROCESS, &p->mm->flags)) {
+ mm = p->mm;
+ mmgrab(mm);
+ }
+diff --git a/include/linux/oom.h b/include/linux/oom.h
+index c696c265f0193..b9df34326772c 100644
+--- a/include/linux/oom.h
++++ b/include/linux/oom.h
+@@ -55,6 +55,7 @@ struct oom_control {
+ };
+
+ extern struct mutex oom_lock;
++extern struct mutex oom_adj_mutex;
+
+ static inline void set_current_oom_origin(void)
+ {
+diff --git a/include/linux/sched/coredump.h b/include/linux/sched/coredump.h
+index ecdc6542070f1..dfd82eab29025 100644
+--- a/include/linux/sched/coredump.h
++++ b/include/linux/sched/coredump.h
+@@ -72,6 +72,7 @@ static inline int get_dumpable(struct mm_struct *mm)
+ #define MMF_DISABLE_THP 24 /* disable THP for all VMAs */
+ #define MMF_OOM_VICTIM 25 /* mm is the oom victim */
+ #define MMF_OOM_REAP_QUEUED 26 /* mm was queued for oom_reaper */
++#define MMF_MULTIPROCESS 27 /* mm is shared between processes */
+ #define MMF_DISABLE_THP_MASK (1 << MMF_DISABLE_THP)
+
+ #define MMF_INIT_MASK (MMF_DUMPABLE_MASK | MMF_DUMP_FILTER_MASK |\
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 594272569a80f..e3d5963d8c6f5 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1750,6 +1750,25 @@ static __always_inline void delayed_free_task(struct task_struct *tsk)
+ free_task(tsk);
+ }
+
++static void copy_oom_score_adj(u64 clone_flags, struct task_struct *tsk)
++{
++ /* Skip if kernel thread */
++ if (!tsk->mm)
++ return;
++
++ /* Skip if spawning a thread or using vfork */
++ if ((clone_flags & (CLONE_VM | CLONE_THREAD | CLONE_VFORK)) != CLONE_VM)
++ return;
++
++ /* We need to synchronize with __set_oom_adj */
++ mutex_lock(&oom_adj_mutex);
++ set_bit(MMF_MULTIPROCESS, &tsk->mm->flags);
++ /* Update the values in case they were changed after copy_signal */
++ tsk->signal->oom_score_adj = current->signal->oom_score_adj;
++ tsk->signal->oom_score_adj_min = current->signal->oom_score_adj_min;
++ mutex_unlock(&oom_adj_mutex);
++}
++
+ /*
+ * This creates a new process as a copy of the old one,
+ * but does not actually start it yet.
+@@ -2222,6 +2241,8 @@ static __latent_entropy struct task_struct *copy_process(
+ trace_task_newtask(p, clone_flags);
+ uprobe_copy_process(p, clone_flags);
+
++ copy_oom_score_adj(clone_flags, p);
++
+ return p;
+
+ bad_fork_cancel_cgroup:
+diff --git a/mm/oom_kill.c b/mm/oom_kill.c
+index d58c481b3df83..212e718743018 100644
+--- a/mm/oom_kill.c
++++ b/mm/oom_kill.c
+@@ -63,6 +63,8 @@ int sysctl_oom_dump_tasks = 1;
+ * and mark_oom_victim
+ */
+ DEFINE_MUTEX(oom_lock);
++/* Serializes oom_score_adj and oom_score_adj_min updates */
++DEFINE_MUTEX(oom_adj_mutex);
+
+ static inline bool is_memcg_oom(struct oom_control *oc)
+ {
+--
+2.25.1
+
--- /dev/null
+From fa46d44ff16b7446c0cb7a53a145b36a7364c3f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Oct 2020 20:05:29 -0700
+Subject: mm/page_owner: change split_page_owner to take a count
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit 8fb156c9ee2db94f7127c930c89917634a1a9f56 ]
+
+The implementation of split_page_owner() prefers a count rather than the
+old order of the page. When we support a variable size THP, we won't
+have the order at this point, but we will have the number of pages.
+So change the interface to what the caller and callee would prefer.
+
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: SeongJae Park <sjpark@amazon.de>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Huang Ying <ying.huang@intel.com>
+Link: https://lkml.kernel.org/r/20200908195539.25896-4-willy@infradead.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/page_owner.h | 6 +++---
+ mm/huge_memory.c | 2 +-
+ mm/page_alloc.c | 2 +-
+ mm/page_owner.c | 4 ++--
+ 4 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/include/linux/page_owner.h b/include/linux/page_owner.h
+index 8679ccd722e89..3468794f83d23 100644
+--- a/include/linux/page_owner.h
++++ b/include/linux/page_owner.h
+@@ -11,7 +11,7 @@ extern struct page_ext_operations page_owner_ops;
+ extern void __reset_page_owner(struct page *page, unsigned int order);
+ extern void __set_page_owner(struct page *page,
+ unsigned int order, gfp_t gfp_mask);
+-extern void __split_page_owner(struct page *page, unsigned int order);
++extern void __split_page_owner(struct page *page, unsigned int nr);
+ extern void __copy_page_owner(struct page *oldpage, struct page *newpage);
+ extern void __set_page_owner_migrate_reason(struct page *page, int reason);
+ extern void __dump_page_owner(struct page *page);
+@@ -31,10 +31,10 @@ static inline void set_page_owner(struct page *page,
+ __set_page_owner(page, order, gfp_mask);
+ }
+
+-static inline void split_page_owner(struct page *page, unsigned int order)
++static inline void split_page_owner(struct page *page, unsigned int nr)
+ {
+ if (static_branch_unlikely(&page_owner_inited))
+- __split_page_owner(page, order);
++ __split_page_owner(page, nr);
+ }
+ static inline void copy_page_owner(struct page *oldpage, struct page *newpage)
+ {
+diff --git a/mm/huge_memory.c b/mm/huge_memory.c
+index 873de55d93fb2..9295d9d70681e 100644
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -2569,7 +2569,7 @@ static void __split_huge_page(struct page *page, struct list_head *list,
+
+ ClearPageCompound(head);
+
+- split_page_owner(head, HPAGE_PMD_ORDER);
++ split_page_owner(head, HPAGE_PMD_NR);
+
+ /* See comment in __split_huge_page_tail() */
+ if (PageAnon(head)) {
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index 2640f67410044..c20e664866c33 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -3130,7 +3130,7 @@ void split_page(struct page *page, unsigned int order)
+
+ for (i = 1; i < (1 << order); i++)
+ set_page_refcounted(page + i);
+- split_page_owner(page, order);
++ split_page_owner(page, 1 << order);
+ }
+ EXPORT_SYMBOL_GPL(split_page);
+
+diff --git a/mm/page_owner.c b/mm/page_owner.c
+index 18ecde9f45b24..83d08943bcdee 100644
+--- a/mm/page_owner.c
++++ b/mm/page_owner.c
+@@ -204,7 +204,7 @@ void __set_page_owner_migrate_reason(struct page *page, int reason)
+ page_owner->last_migrate_reason = reason;
+ }
+
+-void __split_page_owner(struct page *page, unsigned int order)
++void __split_page_owner(struct page *page, unsigned int nr)
+ {
+ int i;
+ struct page_ext *page_ext = lookup_page_ext(page);
+@@ -213,7 +213,7 @@ void __split_page_owner(struct page *page, unsigned int order)
+ if (unlikely(!page_ext))
+ return;
+
+- for (i = 0; i < (1 << order); i++) {
++ for (i = 0; i < nr; i++) {
+ page_owner = get_page_owner(page_ext);
+ page_owner->order = 0;
+ page_ext = page_ext_next(page_ext);
+--
+2.25.1
+
--- /dev/null
+From d768dda2af5b5fb16c312eaa0419df3957fd6395 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Oct 2020 16:52:30 -0700
+Subject: mm/swapfile.c: fix potential memory leak in sys_swapon
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit 822bca52ee7eb279acfba261a423ed7ac47d6f73 ]
+
+If we failed to drain inode, we would forget to free the swap address
+space allocated by init_swap_address_space() above.
+
+Fixes: dc617f29dbe5 ("vfs: don't allow writes to swap files")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Link: https://lkml.kernel.org/r/20200930101803.53884-1-linmiaohe@huawei.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/swapfile.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/mm/swapfile.c b/mm/swapfile.c
+index cf62bdb7b3045..ff83ffe7a9108 100644
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -3284,7 +3284,7 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags)
+ error = inode_drain_writes(inode);
+ if (error) {
+ inode->i_flags &= ~S_SWAPFILE;
+- goto bad_swap_unlock_inode;
++ goto free_swap_address_space;
+ }
+
+ mutex_lock(&swapon_mutex);
+@@ -3309,6 +3309,8 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags)
+
+ error = 0;
+ goto out;
++free_swap_address_space:
++ exit_swap_address_space(p->type);
+ bad_swap_unlock_inode:
+ inode_unlock(inode);
+ bad_swap:
+--
+2.25.1
+
--- /dev/null
+From 2fb14d2e2974bb5a6b715559e6d531037d8b6c00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Jul 2020 15:38:34 +0200
+Subject: mmc: sdio: Check for CISTPL_VERS_1 buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 8ebe2607965d3e2dc02029e8c7dd35fbe508ffd0 ]
+
+Before parsing CISTPL_VERS_1 structure check that its size is at least two
+bytes to prevent buffer overflow.
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Link: https://lore.kernel.org/r/20200727133837.19086-2-pali@kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/core/sdio_cis.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mmc/core/sdio_cis.c b/drivers/mmc/core/sdio_cis.c
+index e0655278c5c32..3efaa9534a777 100644
+--- a/drivers/mmc/core/sdio_cis.c
++++ b/drivers/mmc/core/sdio_cis.c
+@@ -26,6 +26,9 @@ static int cistpl_vers_1(struct mmc_card *card, struct sdio_func *func,
+ unsigned i, nr_strings;
+ char **buffer, *string;
+
++ if (size < 2)
++ return 0;
++
+ /* Find all null-terminated (including zero length) strings in
+ the TPLLV1_INFO field. Trailing garbage is ignored. */
+ buf += 2;
+--
+2.25.1
+
--- /dev/null
+From e6feb90c23eb19344785ad8b428d0b8ebf8ea523 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Oct 2020 13:32:20 -0400
+Subject: module: statically initialize init section freeing data
+
+From: Daniel Jordan <daniel.m.jordan@oracle.com>
+
+[ Upstream commit fdf09ab887829cd1b671e45d9549f8ec1ffda0fa ]
+
+Corentin hit the following workqueue warning when running with
+CRYPTO_MANAGER_EXTRA_TESTS:
+
+ WARNING: CPU: 2 PID: 147 at kernel/workqueue.c:1473 __queue_work+0x3b8/0x3d0
+ Modules linked in: ghash_generic
+ CPU: 2 PID: 147 Comm: modprobe Not tainted
+ 5.6.0-rc1-next-20200214-00068-g166c9264f0b1-dirty #545
+ Hardware name: Pine H64 model A (DT)
+ pc : __queue_work+0x3b8/0x3d0
+ Call trace:
+ __queue_work+0x3b8/0x3d0
+ queue_work_on+0x6c/0x90
+ do_init_module+0x188/0x1f0
+ load_module+0x1d00/0x22b0
+
+I wasn't able to reproduce on x86 or rpi 3b+.
+
+This is
+
+ WARN_ON(!list_empty(&work->entry))
+
+from __queue_work(), and it happens because the init_free_wq work item
+isn't initialized in time for a crypto test that requests the gcm
+module. Some crypto tests were recently moved earlier in boot as
+explained in commit c4741b230597 ("crypto: run initcalls for generic
+implementations earlier"), which went into mainline less than two weeks
+before the Fixes commit.
+
+Avoid the warning by statically initializing init_free_wq and the
+corresponding llist.
+
+Link: https://lore.kernel.org/lkml/20200217204803.GA13479@Red/
+Fixes: 1a7b7d922081 ("modules: Use vmalloc special flag")
+Reported-by: Corentin Labbe <clabbe.montjoie@gmail.com>
+Tested-by: Corentin Labbe <clabbe.montjoie@gmail.com>
+Tested-on: sun50i-h6-pine-h64
+Tested-on: imx8mn-ddr4-evk
+Tested-on: sun50i-a64-bananapi-m64
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Signed-off-by: Jessica Yu <jeyu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/module.c | 13 +++----------
+ 1 file changed, 3 insertions(+), 10 deletions(-)
+
+diff --git a/kernel/module.c b/kernel/module.c
+index 819c5d3b4c295..45513909b01d5 100644
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -88,8 +88,9 @@ EXPORT_SYMBOL_GPL(module_mutex);
+ static LIST_HEAD(modules);
+
+ /* Work queue for freeing init sections in success case */
+-static struct work_struct init_free_wq;
+-static struct llist_head init_free_list;
++static void do_free_init(struct work_struct *w);
++static DECLARE_WORK(init_free_wq, do_free_init);
++static LLIST_HEAD(init_free_list);
+
+ #ifdef CONFIG_MODULES_TREE_LOOKUP
+
+@@ -3563,14 +3564,6 @@ static void do_free_init(struct work_struct *w)
+ }
+ }
+
+-static int __init modules_wq_init(void)
+-{
+- INIT_WORK(&init_free_wq, do_free_init);
+- init_llist_head(&init_free_list);
+- return 0;
+-}
+-module_init(modules_wq_init);
+-
+ /*
+ * This is where the real work happens.
+ *
+--
+2.25.1
+
--- /dev/null
+From 2d807f39a3953b8197bc86cf2e2e697ff5feb275 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 May 2020 16:01:16 +0200
+Subject: mtd: lpddr: fix excessive stack usage with clang
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 3e1b6469f8324bee5927b063e2aca30d3e56b907 ]
+
+Building lpddr2_nvm with clang can result in a giant stack usage
+in one function:
+
+drivers/mtd/lpddr/lpddr2_nvm.c:399:12: error: stack frame size of 1144 bytes in function 'lpddr2_nvm_probe' [-Werror,-Wframe-larger-than=]
+
+The problem is that clang decides to build a copy of the mtd_info
+structure on the stack and then do a memcpy() into the actual version. It
+shouldn't really do it that way, but it's not strictly a bug either.
+
+As a workaround, use a static const version of the structure to assign
+most of the members upfront and then only set the few members that
+require runtime knowledge at probe time.
+
+Fixes: 96ba9dd65788 ("mtd: lpddr: add driver for LPDDR2-NVM PCM memories")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Acked-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20200505140136.263461-1-arnd@arndb.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/lpddr/lpddr2_nvm.c | 35 ++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/mtd/lpddr/lpddr2_nvm.c b/drivers/mtd/lpddr/lpddr2_nvm.c
+index 0f1547f09d08b..72f5c7b300790 100644
+--- a/drivers/mtd/lpddr/lpddr2_nvm.c
++++ b/drivers/mtd/lpddr/lpddr2_nvm.c
+@@ -393,6 +393,17 @@ static int lpddr2_nvm_lock(struct mtd_info *mtd, loff_t start_add,
+ return lpddr2_nvm_do_block_op(mtd, start_add, len, LPDDR2_NVM_LOCK);
+ }
+
++static const struct mtd_info lpddr2_nvm_mtd_info = {
++ .type = MTD_RAM,
++ .writesize = 1,
++ .flags = (MTD_CAP_NVRAM | MTD_POWERUP_LOCK),
++ ._read = lpddr2_nvm_read,
++ ._write = lpddr2_nvm_write,
++ ._erase = lpddr2_nvm_erase,
++ ._unlock = lpddr2_nvm_unlock,
++ ._lock = lpddr2_nvm_lock,
++};
++
+ /*
+ * lpddr2_nvm driver probe method
+ */
+@@ -433,6 +444,7 @@ static int lpddr2_nvm_probe(struct platform_device *pdev)
+ .pfow_base = OW_BASE_ADDRESS,
+ .fldrv_priv = pcm_data,
+ };
++
+ if (IS_ERR(map->virt))
+ return PTR_ERR(map->virt);
+
+@@ -444,22 +456,13 @@ static int lpddr2_nvm_probe(struct platform_device *pdev)
+ return PTR_ERR(pcm_data->ctl_regs);
+
+ /* Populate mtd_info data structure */
+- *mtd = (struct mtd_info) {
+- .dev = { .parent = &pdev->dev },
+- .name = pdev->dev.init_name,
+- .type = MTD_RAM,
+- .priv = map,
+- .size = resource_size(add_range),
+- .erasesize = ERASE_BLOCKSIZE * pcm_data->bus_width,
+- .writesize = 1,
+- .writebufsize = WRITE_BUFFSIZE * pcm_data->bus_width,
+- .flags = (MTD_CAP_NVRAM | MTD_POWERUP_LOCK),
+- ._read = lpddr2_nvm_read,
+- ._write = lpddr2_nvm_write,
+- ._erase = lpddr2_nvm_erase,
+- ._unlock = lpddr2_nvm_unlock,
+- ._lock = lpddr2_nvm_lock,
+- };
++ *mtd = lpddr2_nvm_mtd_info;
++ mtd->dev.parent = &pdev->dev;
++ mtd->name = pdev->dev.init_name;
++ mtd->priv = map;
++ mtd->size = resource_size(add_range);
++ mtd->erasesize = ERASE_BLOCKSIZE * pcm_data->bus_width;
++ mtd->writebufsize = WRITE_BUFFSIZE * pcm_data->bus_width;
+
+ /* Verify the presence of the device looking for PFOW string */
+ if (!lpddr2_nvm_pfow_present(map)) {
+--
+2.25.1
+
--- /dev/null
+From 84b259d45f556c1fc2d8ef673b9f7aee7bfa53b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Sep 2020 15:42:17 +1200
+Subject: mtd: mtdoops: Don't write panic data twice
+
+From: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+
+[ Upstream commit c1cf1d57d1492235309111ea6a900940213a9166 ]
+
+If calling mtdoops_write, don't also schedule work to be done later.
+
+Although this appears to not be causing an issue, possibly because the
+scheduled work will never get done, it is confusing.
+
+Fixes: 016c1291ce70 ("mtd: mtdoops: do not use mtd->panic_write directly")
+Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20200903034217.23079-1-mark.tomlinson@alliedtelesis.co.nz
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/mtdoops.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/mtd/mtdoops.c b/drivers/mtd/mtdoops.c
+index 4ced68be7ed7e..774970bfcf859 100644
+--- a/drivers/mtd/mtdoops.c
++++ b/drivers/mtd/mtdoops.c
+@@ -279,12 +279,13 @@ static void mtdoops_do_dump(struct kmsg_dumper *dumper,
+ kmsg_dump_get_buffer(dumper, true, cxt->oops_buf + MTDOOPS_HEADER_SIZE,
+ record_size - MTDOOPS_HEADER_SIZE, NULL);
+
+- /* Panics must be written immediately */
+- if (reason != KMSG_DUMP_OOPS)
++ if (reason != KMSG_DUMP_OOPS) {
++ /* Panics must be written immediately */
+ mtdoops_write(cxt, 1);
+-
+- /* For other cases, schedule work to write it "nicely" */
+- schedule_work(&cxt->work_write);
++ } else {
++ /* For other cases, schedule work to write it "nicely" */
++ schedule_work(&cxt->work_write);
++ }
+ }
+
+ static void mtdoops_notify_add(struct mtd_info *mtd)
+--
+2.25.1
+
--- /dev/null
+From 6f75e139147a653a60a0bb9ee74d0823d2cfcbb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Aug 2020 10:26:34 +0300
+Subject: mtd: rawnand: vf610: disable clk on error handling path in probe
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+[ Upstream commit cb7dc3178a9862614b1e7567d77f4679f027a074 ]
+
+vf610_nfc_probe() does not invoke clk_disable_unprepare() on one error
+handling path. The patch fixes that.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Fixes: 6f0ce4dfc5a3 ("mtd: rawnand: vf610: Avoid a potential NULL pointer dereference")
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20200806072634.23528-1-novikov@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/vf610_nfc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/vf610_nfc.c b/drivers/mtd/nand/raw/vf610_nfc.c
+index 6b399a75f9aec..b6f114da57143 100644
+--- a/drivers/mtd/nand/raw/vf610_nfc.c
++++ b/drivers/mtd/nand/raw/vf610_nfc.c
+@@ -850,8 +850,10 @@ static int vf610_nfc_probe(struct platform_device *pdev)
+ }
+
+ of_id = of_match_device(vf610_nfc_dt_ids, &pdev->dev);
+- if (!of_id)
+- return -ENODEV;
++ if (!of_id) {
++ err = -ENODEV;
++ goto err_disable_clk;
++ }
+
+ nfc->variant = (enum vf610_nfc_variant)of_id->data;
+
+--
+2.25.1
+
--- /dev/null
+From f2058ff2310971f98d4fe823f1bce1ce719cf37c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 18:51:20 +0200
+Subject: mtd: spinand: gigadevice: Add QE Bit
+
+From: Hauke Mehrtens <hauke@hauke-m.de>
+
+[ Upstream commit aea7687e77bebce5b67fab9d03347bd8df7933c7 ]
+
+The following GigaDevice chips have the QE BIT in the feature flags, I
+checked the datasheets, but did not try this.
+* GD5F1GQ4xExxG
+* GD5F1GQ4xFxxG
+* GD5F1GQ4UAYIG
+* GD5F4GQ4UAYIG
+
+The Quad operations like 0xEB mention that the QE bit has to be set.
+
+Fixes: c93c613214ac ("mtd: spinand: add support for GigaDevice GD5FxGQ4xA")
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Tested-by: Chuanhong Guo <gch981213@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20200820165121.3192-3-hauke@hauke-m.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/spi/gigadevice.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/mtd/nand/spi/gigadevice.c b/drivers/mtd/nand/spi/gigadevice.c
+index 45f4c1f4a3d1c..b13b39763a405 100644
+--- a/drivers/mtd/nand/spi/gigadevice.c
++++ b/drivers/mtd/nand/spi/gigadevice.c
+@@ -201,7 +201,7 @@ static const struct spinand_info gigadevice_spinand_table[] = {
+ SPINAND_INFO_OP_VARIANTS(&read_cache_variants,
+ &write_cache_variants,
+ &update_cache_variants),
+- 0,
++ SPINAND_HAS_QE_BIT,
+ SPINAND_ECCINFO(&gd5fxgq4xa_ooblayout,
+ gd5fxgq4xa_ecc_get_status)),
+ SPINAND_INFO("GD5F2GQ4xA", 0xF2,
+@@ -210,7 +210,7 @@ static const struct spinand_info gigadevice_spinand_table[] = {
+ SPINAND_INFO_OP_VARIANTS(&read_cache_variants,
+ &write_cache_variants,
+ &update_cache_variants),
+- 0,
++ SPINAND_HAS_QE_BIT,
+ SPINAND_ECCINFO(&gd5fxgq4xa_ooblayout,
+ gd5fxgq4xa_ecc_get_status)),
+ SPINAND_INFO("GD5F4GQ4xA", 0xF4,
+@@ -219,7 +219,7 @@ static const struct spinand_info gigadevice_spinand_table[] = {
+ SPINAND_INFO_OP_VARIANTS(&read_cache_variants,
+ &write_cache_variants,
+ &update_cache_variants),
+- 0,
++ SPINAND_HAS_QE_BIT,
+ SPINAND_ECCINFO(&gd5fxgq4xa_ooblayout,
+ gd5fxgq4xa_ecc_get_status)),
+ SPINAND_INFO("GD5F1GQ4UExxG", 0xd1,
+@@ -228,7 +228,7 @@ static const struct spinand_info gigadevice_spinand_table[] = {
+ SPINAND_INFO_OP_VARIANTS(&read_cache_variants,
+ &write_cache_variants,
+ &update_cache_variants),
+- 0,
++ SPINAND_HAS_QE_BIT,
+ SPINAND_ECCINFO(&gd5fxgq4_variant2_ooblayout,
+ gd5fxgq4uexxg_ecc_get_status)),
+ SPINAND_INFO("GD5F1GQ4UFxxG", 0xb148,
+@@ -237,7 +237,7 @@ static const struct spinand_info gigadevice_spinand_table[] = {
+ SPINAND_INFO_OP_VARIANTS(&read_cache_variants_f,
+ &write_cache_variants,
+ &update_cache_variants),
+- 0,
++ SPINAND_HAS_QE_BIT,
+ SPINAND_ECCINFO(&gd5fxgq4_variant2_ooblayout,
+ gd5fxgq4ufxxg_ecc_get_status)),
+ };
+--
+2.25.1
+
--- /dev/null
+From f3432197baaf47c16bc01fe26d9ce9c8a77ec448 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 18:51:19 +0200
+Subject: mtd: spinand: gigadevice: Only one dummy byte in QUADIO
+
+From: Hauke Mehrtens <hauke@hauke-m.de>
+
+[ Upstream commit 6387ad9caf8f09747a8569e5876086b72ee9382c ]
+
+The datasheet only lists one dummy byte in the 0xEH operation for the
+following chips:
+* GD5F1GQ4xExxG
+* GD5F1GQ4xFxxG
+* GD5F1GQ4UAYIG
+* GD5F4GQ4UAYIG
+
+Fixes: c93c613214ac ("mtd: spinand: add support for GigaDevice GD5FxGQ4xA")
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Tested-by: Chuanhong Guo <gch981213@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20200820165121.3192-2-hauke@hauke-m.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/spi/gigadevice.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/nand/spi/gigadevice.c b/drivers/mtd/nand/spi/gigadevice.c
+index e99d425aa93f5..45f4c1f4a3d1c 100644
+--- a/drivers/mtd/nand/spi/gigadevice.c
++++ b/drivers/mtd/nand/spi/gigadevice.c
+@@ -21,7 +21,7 @@
+ #define GD5FXGQ4UXFXXG_STATUS_ECC_UNCOR_ERROR (7 << 4)
+
+ static SPINAND_OP_VARIANTS(read_cache_variants,
+- SPINAND_PAGE_READ_FROM_CACHE_QUADIO_OP(0, 2, NULL, 0),
++ SPINAND_PAGE_READ_FROM_CACHE_QUADIO_OP(0, 1, NULL, 0),
+ SPINAND_PAGE_READ_FROM_CACHE_X4_OP(0, 1, NULL, 0),
+ SPINAND_PAGE_READ_FROM_CACHE_DUALIO_OP(0, 1, NULL, 0),
+ SPINAND_PAGE_READ_FROM_CACHE_X2_OP(0, 1, NULL, 0),
+@@ -29,7 +29,7 @@ static SPINAND_OP_VARIANTS(read_cache_variants,
+ SPINAND_PAGE_READ_FROM_CACHE_OP(false, 0, 1, NULL, 0));
+
+ static SPINAND_OP_VARIANTS(read_cache_variants_f,
+- SPINAND_PAGE_READ_FROM_CACHE_QUADIO_OP(0, 2, NULL, 0),
++ SPINAND_PAGE_READ_FROM_CACHE_QUADIO_OP(0, 1, NULL, 0),
+ SPINAND_PAGE_READ_FROM_CACHE_X4_OP_3A(0, 1, NULL, 0),
+ SPINAND_PAGE_READ_FROM_CACHE_DUALIO_OP(0, 1, NULL, 0),
+ SPINAND_PAGE_READ_FROM_CACHE_X2_OP_3A(0, 1, NULL, 0),
+--
+2.25.1
+
--- /dev/null
+From 3b70ca167d6e5a3e98baaf245559b04f85cd18cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Aug 2020 11:29:06 +0200
+Subject: mwifiex: Do not use GFP_KERNEL in atomic context
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit d2ab7f00f4321370a8ee14e5630d4349fdacc42e ]
+
+A possible call chain is as follow:
+ mwifiex_sdio_interrupt (sdio.c)
+ --> mwifiex_main_process (main.c)
+ --> mwifiex_process_cmdresp (cmdevt.c)
+ --> mwifiex_process_sta_cmdresp (sta_cmdresp.c)
+ --> mwifiex_ret_802_11_scan (scan.c)
+ --> mwifiex_parse_single_response_buf (scan.c)
+
+'mwifiex_sdio_interrupt()' is an interrupt function.
+
+Also note that 'mwifiex_ret_802_11_scan()' already uses GFP_ATOMIC.
+
+So use GFP_ATOMIC instead of GFP_KERNEL when memory is allocated in
+'mwifiex_parse_single_response_buf()'.
+
+Fixes: 7c6fa2a843c5 ("mwifiex: use cfg80211 dynamic scan table and cfg80211_get_bss API")
+or
+Fixes: 601216e12c65e ("mwifiex: process RX packets in SDIO IRQ thread directly")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200809092906.744621-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
+index 59f0651d148bb..629af26675cf1 100644
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -1891,7 +1891,7 @@ mwifiex_parse_single_response_buf(struct mwifiex_private *priv, u8 **bss_info,
+ chan, CFG80211_BSS_FTYPE_UNKNOWN,
+ bssid, timestamp,
+ cap_info_bitmap, beacon_period,
+- ie_buf, ie_len, rssi, GFP_KERNEL);
++ ie_buf, ie_len, rssi, GFP_ATOMIC);
+ if (bss) {
+ bss_priv = (struct mwifiex_bss_priv *)bss->priv;
+ bss_priv->band = band;
+--
+2.25.1
+
--- /dev/null
+From bac32c1da444913dafe8a19fadc7141478740f5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Aug 2020 17:27:19 +0900
+Subject: mwifiex: don't call del_timer_sync() on uninitialized timer
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit 621a3a8b1c0ecf16e1e5667ea5756a76a082b738 ]
+
+syzbot is reporting that del_timer_sync() is called from
+mwifiex_usb_cleanup_tx_aggr() from mwifiex_unregister_dev() without
+checking timer_setup() from mwifiex_usb_tx_init() was called [1].
+
+Ganapathi Bhat proposed a possibly cleaner fix, but it seems that
+that fix was forgotten [2].
+
+"grep -FrB1 'del_timer' drivers/ | grep -FA1 '.function)'" says that
+currently there are 28 locations which call del_timer[_sync]() only if
+that timer's function field was initialized (because timer_setup() sets
+that timer's function field). Therefore, let's use same approach here.
+
+[1] https://syzkaller.appspot.com/bug?id=26525f643f454dd7be0078423e3cdb0d57744959
+[2] https://lkml.kernel.org/r/CA+ASDXMHt2gq9Hy+iP_BYkWXsSreWdp3_bAfMkNcuqJ3K+-jbQ@mail.gmail.com
+
+Reported-by: syzbot <syzbot+dc4127f950da51639216@syzkaller.appspotmail.com>
+Cc: Ganapathi Bhat <ganapathi.bhat@nxp.com>
+Cc: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200821082720.7716-1-penguin-kernel@I-love.SAKURA.ne.jp
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/usb.c b/drivers/net/wireless/marvell/mwifiex/usb.c
+index c2365eeb70168..528107d70c1cb 100644
+--- a/drivers/net/wireless/marvell/mwifiex/usb.c
++++ b/drivers/net/wireless/marvell/mwifiex/usb.c
+@@ -1353,7 +1353,8 @@ static void mwifiex_usb_cleanup_tx_aggr(struct mwifiex_adapter *adapter)
+ skb_dequeue(&port->tx_aggr.aggr_list)))
+ mwifiex_write_data_complete(adapter, skb_tmp,
+ 0, -1);
+- del_timer_sync(&port->tx_aggr.timer_cnxt.hold_timer);
++ if (port->tx_aggr.timer_cnxt.hold_timer.function)
++ del_timer_sync(&port->tx_aggr.timer_cnxt.hold_timer);
+ port->tx_aggr.timer_cnxt.is_hold_timer_set = false;
+ port->tx_aggr.timer_cnxt.hold_tmo_msecs = 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From 20f4dba681ac452cf1707c1447dc8417f93b1cf1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Oct 2020 06:19:31 -0700
+Subject: mwifiex: fix double free
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 53708f4fd9cfe389beab5c8daa763bcd0e0b4aef ]
+
+clang static analysis reports this problem:
+
+sdio.c:2403:3: warning: Attempt to free released memory
+ kfree(card->mpa_rx.buf);
+ ^~~~~~~~~~~~~~~~~~~~~~~
+
+When mwifiex_init_sdio() fails in its first call to
+mwifiex_alloc_sdio_mpa_buffer, it falls back to calling it
+again. If the second alloc of mpa_tx.buf fails, the error
+handler will try to free the old, previously freed mpa_rx.buf.
+Reviewing the code, it looks like a second double free would
+happen with mwifiex_cleanup_sdio().
+
+So set both pointers to NULL when they are freed.
+
+Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20201004131931.29782-1-trix@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/sdio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.c b/drivers/net/wireless/marvell/mwifiex/sdio.c
+index fec38b6e86ffd..b322c2755e9a4 100644
+--- a/drivers/net/wireless/marvell/mwifiex/sdio.c
++++ b/drivers/net/wireless/marvell/mwifiex/sdio.c
+@@ -1996,6 +1996,8 @@ static int mwifiex_alloc_sdio_mpa_buffers(struct mwifiex_adapter *adapter,
+ kfree(card->mpa_rx.buf);
+ card->mpa_tx.buf_size = 0;
+ card->mpa_rx.buf_size = 0;
++ card->mpa_tx.buf = NULL;
++ card->mpa_rx.buf = NULL;
+ }
+
+ return ret;
+--
+2.25.1
+
--- /dev/null
+From 2d256c3cd03056079d284f674fac6a93322ba4db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 00:09:34 +0200
+Subject: net: dsa: rtl8366: Check validity of passed VLANs
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 6641a2c42b0a307b7638d10e5d4b90debc61389d ]
+
+The rtl8366_set_vlan() and rtl8366_set_pvid() get invalid
+VLANs tossed at it, especially VLAN0, something the hardware
+and driver cannot handle. Check validity and bail out like
+we do in the other callbacks.
+
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/rtl8366.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/dsa/rtl8366.c b/drivers/net/dsa/rtl8366.c
+index 99cdb2f18fa2f..a62d76a048dfa 100644
+--- a/drivers/net/dsa/rtl8366.c
++++ b/drivers/net/dsa/rtl8366.c
+@@ -43,6 +43,9 @@ int rtl8366_set_vlan(struct realtek_smi *smi, int vid, u32 member,
+ int ret;
+ int i;
+
++ if (!smi->ops->is_vlan_valid(smi, vid))
++ return -EINVAL;
++
+ dev_dbg(smi->dev,
+ "setting VLAN%d 4k members: 0x%02x, untagged: 0x%02x\n",
+ vid, member, untag);
+@@ -118,6 +121,9 @@ int rtl8366_set_pvid(struct realtek_smi *smi, unsigned int port,
+ int ret;
+ int i;
+
++ if (!smi->ops->is_vlan_valid(smi, vid))
++ return -EINVAL;
++
+ /* Try to find an existing MC entry for this VID */
+ for (i = 0; i < smi->num_vlan_mc; i++) {
+ ret = smi->ops->get_vlan_mc(smi, i, &vlanmc);
+--
+2.25.1
+
--- /dev/null
+From 85d8612ffacdaa6ac119da3cb580fa85f6e5b1ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 00:09:35 +0200
+Subject: net: dsa: rtl8366: Refactor VLAN/PVID init
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 7e1301ed1881447d2a25f9c6423738c33cbca133 ]
+
+The VLANs and PVIDs on the RTL8366 utilizes a "member
+configuration" (MC) which is largely unexplained in the
+code.
+
+This set-up requires a special ordering: rtl8366_set_pvid()
+must be called first, followed by rtl8366_set_vlan(),
+else the MC will not be properly allocated. Relax this
+by factoring out the code obtaining an MC and reuse
+the helper in both rtl8366_set_pvid() and
+rtl8366_set_vlan() so we remove this strict ordering
+requirement.
+
+In the process, add some better comments and debug prints
+so people who read the code understand what is going on.
+
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/realtek-smi-core.h | 4 +-
+ drivers/net/dsa/rtl8366.c | 273 +++++++++++++++--------------
+ 2 files changed, 146 insertions(+), 131 deletions(-)
+
+diff --git a/drivers/net/dsa/realtek-smi-core.h b/drivers/net/dsa/realtek-smi-core.h
+index 9a63b51e1d82f..6f2dab7e33d65 100644
+--- a/drivers/net/dsa/realtek-smi-core.h
++++ b/drivers/net/dsa/realtek-smi-core.h
+@@ -25,6 +25,9 @@ struct rtl8366_mib_counter {
+ const char *name;
+ };
+
++/**
++ * struct rtl8366_vlan_mc - Virtual LAN member configuration
++ */
+ struct rtl8366_vlan_mc {
+ u16 vid;
+ u16 untag;
+@@ -119,7 +122,6 @@ int realtek_smi_setup_mdio(struct realtek_smi *smi);
+ int rtl8366_mc_is_used(struct realtek_smi *smi, int mc_index, int *used);
+ int rtl8366_set_vlan(struct realtek_smi *smi, int vid, u32 member,
+ u32 untag, u32 fid);
+-int rtl8366_get_pvid(struct realtek_smi *smi, int port, int *val);
+ int rtl8366_set_pvid(struct realtek_smi *smi, unsigned int port,
+ unsigned int vid);
+ int rtl8366_enable_vlan4k(struct realtek_smi *smi, bool enable);
+diff --git a/drivers/net/dsa/rtl8366.c b/drivers/net/dsa/rtl8366.c
+index a62d76a048dfa..b941d45edd641 100644
+--- a/drivers/net/dsa/rtl8366.c
++++ b/drivers/net/dsa/rtl8366.c
+@@ -36,12 +36,110 @@ int rtl8366_mc_is_used(struct realtek_smi *smi, int mc_index, int *used)
+ }
+ EXPORT_SYMBOL_GPL(rtl8366_mc_is_used);
+
++/**
++ * rtl8366_obtain_mc() - retrieve or allocate a VLAN member configuration
++ * @smi: the Realtek SMI device instance
++ * @vid: the VLAN ID to look up or allocate
++ * @vlanmc: the pointer will be assigned to a pointer to a valid member config
++ * if successful
++ * @return: index of a new member config or negative error number
++ */
++static int rtl8366_obtain_mc(struct realtek_smi *smi, int vid,
++ struct rtl8366_vlan_mc *vlanmc)
++{
++ struct rtl8366_vlan_4k vlan4k;
++ int ret;
++ int i;
++
++ /* Try to find an existing member config entry for this VID */
++ for (i = 0; i < smi->num_vlan_mc; i++) {
++ ret = smi->ops->get_vlan_mc(smi, i, vlanmc);
++ if (ret) {
++ dev_err(smi->dev, "error searching for VLAN MC %d for VID %d\n",
++ i, vid);
++ return ret;
++ }
++
++ if (vid == vlanmc->vid)
++ return i;
++ }
++
++ /* We have no MC entry for this VID, try to find an empty one */
++ for (i = 0; i < smi->num_vlan_mc; i++) {
++ ret = smi->ops->get_vlan_mc(smi, i, vlanmc);
++ if (ret) {
++ dev_err(smi->dev, "error searching for VLAN MC %d for VID %d\n",
++ i, vid);
++ return ret;
++ }
++
++ if (vlanmc->vid == 0 && vlanmc->member == 0) {
++ /* Update the entry from the 4K table */
++ ret = smi->ops->get_vlan_4k(smi, vid, &vlan4k);
++ if (ret) {
++ dev_err(smi->dev, "error looking for 4K VLAN MC %d for VID %d\n",
++ i, vid);
++ return ret;
++ }
++
++ vlanmc->vid = vid;
++ vlanmc->member = vlan4k.member;
++ vlanmc->untag = vlan4k.untag;
++ vlanmc->fid = vlan4k.fid;
++ ret = smi->ops->set_vlan_mc(smi, i, vlanmc);
++ if (ret) {
++ dev_err(smi->dev, "unable to set/update VLAN MC %d for VID %d\n",
++ i, vid);
++ return ret;
++ }
++
++ dev_dbg(smi->dev, "created new MC at index %d for VID %d\n",
++ i, vid);
++ return i;
++ }
++ }
++
++ /* MC table is full, try to find an unused entry and replace it */
++ for (i = 0; i < smi->num_vlan_mc; i++) {
++ int used;
++
++ ret = rtl8366_mc_is_used(smi, i, &used);
++ if (ret)
++ return ret;
++
++ if (!used) {
++ /* Update the entry from the 4K table */
++ ret = smi->ops->get_vlan_4k(smi, vid, &vlan4k);
++ if (ret)
++ return ret;
++
++ vlanmc->vid = vid;
++ vlanmc->member = vlan4k.member;
++ vlanmc->untag = vlan4k.untag;
++ vlanmc->fid = vlan4k.fid;
++ ret = smi->ops->set_vlan_mc(smi, i, vlanmc);
++ if (ret) {
++ dev_err(smi->dev, "unable to set/update VLAN MC %d for VID %d\n",
++ i, vid);
++ return ret;
++ }
++ dev_dbg(smi->dev, "recycled MC at index %i for VID %d\n",
++ i, vid);
++ return i;
++ }
++ }
++
++ dev_err(smi->dev, "all VLAN member configurations are in use\n");
++ return -ENOSPC;
++}
++
+ int rtl8366_set_vlan(struct realtek_smi *smi, int vid, u32 member,
+ u32 untag, u32 fid)
+ {
++ struct rtl8366_vlan_mc vlanmc;
+ struct rtl8366_vlan_4k vlan4k;
++ int mc;
+ int ret;
+- int i;
+
+ if (!smi->ops->is_vlan_valid(smi, vid))
+ return -EINVAL;
+@@ -66,136 +164,58 @@ int rtl8366_set_vlan(struct realtek_smi *smi, int vid, u32 member,
+ "resulting VLAN%d 4k members: 0x%02x, untagged: 0x%02x\n",
+ vid, vlan4k.member, vlan4k.untag);
+
+- /* Try to find an existing MC entry for this VID */
+- for (i = 0; i < smi->num_vlan_mc; i++) {
+- struct rtl8366_vlan_mc vlanmc;
+-
+- ret = smi->ops->get_vlan_mc(smi, i, &vlanmc);
+- if (ret)
+- return ret;
+-
+- if (vid == vlanmc.vid) {
+- /* update the MC entry */
+- vlanmc.member |= member;
+- vlanmc.untag |= untag;
+- vlanmc.fid = fid;
+-
+- ret = smi->ops->set_vlan_mc(smi, i, &vlanmc);
++ /* Find or allocate a member config for this VID */
++ ret = rtl8366_obtain_mc(smi, vid, &vlanmc);
++ if (ret < 0)
++ return ret;
++ mc = ret;
+
+- dev_dbg(smi->dev,
+- "resulting VLAN%d MC members: 0x%02x, untagged: 0x%02x\n",
+- vid, vlanmc.member, vlanmc.untag);
++ /* Update the MC entry */
++ vlanmc.member |= member;
++ vlanmc.untag |= untag;
++ vlanmc.fid = fid;
+
+- break;
+- }
+- }
++ /* Commit updates to the MC entry */
++ ret = smi->ops->set_vlan_mc(smi, mc, &vlanmc);
++ if (ret)
++ dev_err(smi->dev, "failed to commit changes to VLAN MC index %d for VID %d\n",
++ mc, vid);
++ else
++ dev_dbg(smi->dev,
++ "resulting VLAN%d MC members: 0x%02x, untagged: 0x%02x\n",
++ vid, vlanmc.member, vlanmc.untag);
+
+ return ret;
+ }
+ EXPORT_SYMBOL_GPL(rtl8366_set_vlan);
+
+-int rtl8366_get_pvid(struct realtek_smi *smi, int port, int *val)
+-{
+- struct rtl8366_vlan_mc vlanmc;
+- int ret;
+- int index;
+-
+- ret = smi->ops->get_mc_index(smi, port, &index);
+- if (ret)
+- return ret;
+-
+- ret = smi->ops->get_vlan_mc(smi, index, &vlanmc);
+- if (ret)
+- return ret;
+-
+- *val = vlanmc.vid;
+- return 0;
+-}
+-EXPORT_SYMBOL_GPL(rtl8366_get_pvid);
+-
+ int rtl8366_set_pvid(struct realtek_smi *smi, unsigned int port,
+ unsigned int vid)
+ {
+ struct rtl8366_vlan_mc vlanmc;
+- struct rtl8366_vlan_4k vlan4k;
++ int mc;
+ int ret;
+- int i;
+
+ if (!smi->ops->is_vlan_valid(smi, vid))
+ return -EINVAL;
+
+- /* Try to find an existing MC entry for this VID */
+- for (i = 0; i < smi->num_vlan_mc; i++) {
+- ret = smi->ops->get_vlan_mc(smi, i, &vlanmc);
+- if (ret)
+- return ret;
+-
+- if (vid == vlanmc.vid) {
+- ret = smi->ops->set_vlan_mc(smi, i, &vlanmc);
+- if (ret)
+- return ret;
+-
+- ret = smi->ops->set_mc_index(smi, port, i);
+- return ret;
+- }
+- }
+-
+- /* We have no MC entry for this VID, try to find an empty one */
+- for (i = 0; i < smi->num_vlan_mc; i++) {
+- ret = smi->ops->get_vlan_mc(smi, i, &vlanmc);
+- if (ret)
+- return ret;
+-
+- if (vlanmc.vid == 0 && vlanmc.member == 0) {
+- /* Update the entry from the 4K table */
+- ret = smi->ops->get_vlan_4k(smi, vid, &vlan4k);
+- if (ret)
+- return ret;
+-
+- vlanmc.vid = vid;
+- vlanmc.member = vlan4k.member;
+- vlanmc.untag = vlan4k.untag;
+- vlanmc.fid = vlan4k.fid;
+- ret = smi->ops->set_vlan_mc(smi, i, &vlanmc);
+- if (ret)
+- return ret;
+-
+- ret = smi->ops->set_mc_index(smi, port, i);
+- return ret;
+- }
+- }
+-
+- /* MC table is full, try to find an unused entry and replace it */
+- for (i = 0; i < smi->num_vlan_mc; i++) {
+- int used;
+-
+- ret = rtl8366_mc_is_used(smi, i, &used);
+- if (ret)
+- return ret;
+-
+- if (!used) {
+- /* Update the entry from the 4K table */
+- ret = smi->ops->get_vlan_4k(smi, vid, &vlan4k);
+- if (ret)
+- return ret;
+-
+- vlanmc.vid = vid;
+- vlanmc.member = vlan4k.member;
+- vlanmc.untag = vlan4k.untag;
+- vlanmc.fid = vlan4k.fid;
+- ret = smi->ops->set_vlan_mc(smi, i, &vlanmc);
+- if (ret)
+- return ret;
++ /* Find or allocate a member config for this VID */
++ ret = rtl8366_obtain_mc(smi, vid, &vlanmc);
++ if (ret < 0)
++ return ret;
++ mc = ret;
+
+- ret = smi->ops->set_mc_index(smi, port, i);
+- return ret;
+- }
++ ret = smi->ops->set_mc_index(smi, port, mc);
++ if (ret) {
++ dev_err(smi->dev, "set PVID: failed to set MC index %d for port %d\n",
++ mc, port);
++ return ret;
+ }
+
+- dev_err(smi->dev,
+- "all VLAN member configurations are in use\n");
++ dev_dbg(smi->dev, "set PVID: the PVID for port %d set to %d using existing MC index %d\n",
++ port, vid, mc);
+
+- return -ENOSPC;
++ return 0;
+ }
+ EXPORT_SYMBOL_GPL(rtl8366_set_pvid);
+
+@@ -395,7 +415,8 @@ void rtl8366_vlan_add(struct dsa_switch *ds, int port,
+ if (!smi->ops->is_vlan_valid(smi, vid))
+ return;
+
+- dev_info(smi->dev, "add VLAN on port %d, %s, %s\n",
++ dev_info(smi->dev, "add VLAN %d on port %d, %s, %s\n",
++ vlan->vid_begin,
+ port,
+ untagged ? "untagged" : "tagged",
+ pvid ? " PVID" : "no PVID");
+@@ -404,34 +425,26 @@ void rtl8366_vlan_add(struct dsa_switch *ds, int port,
+ dev_err(smi->dev, "port is DSA or CPU port\n");
+
+ for (vid = vlan->vid_begin; vid <= vlan->vid_end; vid++) {
+- int pvid_val = 0;
+-
+- dev_info(smi->dev, "add VLAN %04x\n", vid);
+ member |= BIT(port);
+
+ if (untagged)
+ untag |= BIT(port);
+
+- /* To ensure that we have a valid MC entry for this VLAN,
+- * initialize the port VLAN ID here.
+- */
+- ret = rtl8366_get_pvid(smi, port, &pvid_val);
+- if (ret < 0) {
+- dev_err(smi->dev, "could not lookup PVID for port %d\n",
+- port);
+- return;
+- }
+- if (pvid_val == 0) {
+- ret = rtl8366_set_pvid(smi, port, vid);
+- if (ret < 0)
+- return;
+- }
+-
+ ret = rtl8366_set_vlan(smi, vid, member, untag, 0);
+ if (ret)
+ dev_err(smi->dev,
+ "failed to set up VLAN %04x",
+ vid);
++
++ ret = rtl8366_set_pvid(smi, port, vid);
++ if (ret)
++ dev_err(smi->dev,
++ "failed to set PVID on port %d to VLAN %04x",
++ port, vid);
++
++ if (!ret)
++ dev_dbg(smi->dev, "VLAN add: added VLAN %d with PVID on port %d\n",
++ vid, port);
+ }
+ }
+ EXPORT_SYMBOL_GPL(rtl8366_vlan_add);
+--
+2.25.1
+
--- /dev/null
+From 50a7b8d9dc25b19c0cfdb5599c08f903a4580d30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Sep 2020 00:29:54 +0200
+Subject: net: dsa: rtl8366: Skip PVID setting if not requested
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 3dfe8dde093a07e82fa472c0f8c29a7f6a2006a5 ]
+
+We go to lengths to determine whether the PVID should be set
+for this port or not, and then fail to take it into account.
+Fix this oversight.
+
+Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/rtl8366.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/dsa/rtl8366.c b/drivers/net/dsa/rtl8366.c
+index b941d45edd641..49c626a336803 100644
+--- a/drivers/net/dsa/rtl8366.c
++++ b/drivers/net/dsa/rtl8366.c
+@@ -436,6 +436,9 @@ void rtl8366_vlan_add(struct dsa_switch *ds, int port,
+ "failed to set up VLAN %04x",
+ vid);
+
++ if (!pvid)
++ continue;
++
+ ret = rtl8366_set_pvid(smi, port, vid);
+ if (ret)
+ dev_err(smi->dev,
+--
+2.25.1
+
--- /dev/null
+From 990e96862e0917723bc67c4b6754c6f30c0d74e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Sep 2020 22:37:33 +0200
+Subject: net: dsa: rtl8366rb: Support all 4096 VLANs
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit a7920efdd86d8a0d74402dbc80ead03b023294ba ]
+
+There is an off-by-one error in rtl8366rb_is_vlan_valid()
+making VLANs 0..4094 valid while it should be 1..4095.
+Fix it.
+
+Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/rtl8366rb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/rtl8366rb.c b/drivers/net/dsa/rtl8366rb.c
+index f5cc8b0a7c74c..7f731bf369980 100644
+--- a/drivers/net/dsa/rtl8366rb.c
++++ b/drivers/net/dsa/rtl8366rb.c
+@@ -1269,7 +1269,7 @@ static bool rtl8366rb_is_vlan_valid(struct realtek_smi *smi, unsigned int vlan)
+ if (smi->vlan4k_enabled)
+ max = RTL8366RB_NUM_VIDS - 1;
+
+- if (vlan == 0 || vlan >= max)
++ if (vlan == 0 || vlan > max)
+ return false;
+
+ return true;
+--
+2.25.1
+
--- /dev/null
+From fcc06f90bb80f97f754385376d5f860aae3ed0f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Sep 2020 22:25:10 +0200
+Subject: net: enic: Cure the enic api locking trainwreck
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit a53b59ece86c86d16d12ccdaa1ad0c78250a9d96 ]
+
+enic_dev_wait() has a BUG_ON(in_interrupt()).
+
+Chasing the callers of enic_dev_wait() revealed the gems of enic_reset()
+and enic_tx_hang_reset() which are both invoked through work queues in
+order to be able to call rtnl_lock(). So far so good.
+
+After locking rtnl both functions acquire enic::enic_api_lock which
+serializes against the (ab)use from infiniband. This is where the
+trainwreck starts.
+
+enic::enic_api_lock is a spin_lock() which implicitly disables preemption,
+but both functions invoke a ton of functions under that lock which can
+sleep. The BUG_ON(in_interrupt()) does not trigger in that case because it
+can't detect the preempt disabled condition.
+
+This clearly has never been tested with any of the mandatory debug options
+for 7+ years, which would have caught that for sure.
+
+Cure it by adding a enic_api_busy member to struct enic, which is modified
+and evaluated with enic::enic_api_lock held.
+
+If enic_api_devcmd_proxy_by_index() observes enic::enic_api_busy as true,
+it drops enic::enic_api_lock and busy waits for enic::enic_api_busy to
+become false.
+
+It would be smarter to wait for a completion of that busy period, but
+enic_api_devcmd_proxy_by_index() is called with other spin locks held which
+obviously can't sleep.
+
+Remove the BUG_ON(in_interrupt()) check as well because it's incomplete and
+with proper debugging enabled the problem would have been caught from the
+debug checks in schedule_timeout().
+
+Fixes: 0b038566c0ea ("drivers/net: enic: Add an interface for USNIC to interact with firmware")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cisco/enic/enic.h | 1 +
+ drivers/net/ethernet/cisco/enic/enic_api.c | 6 +++++
+ drivers/net/ethernet/cisco/enic/enic_main.c | 27 ++++++++++++++++-----
+ 3 files changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/cisco/enic/enic.h b/drivers/net/ethernet/cisco/enic/enic.h
+index 0dd64acd2a3fb..08cac1bfacafb 100644
+--- a/drivers/net/ethernet/cisco/enic/enic.h
++++ b/drivers/net/ethernet/cisco/enic/enic.h
+@@ -171,6 +171,7 @@ struct enic {
+ u16 num_vfs;
+ #endif
+ spinlock_t enic_api_lock;
++ bool enic_api_busy;
+ struct enic_port_profile *pp;
+
+ /* work queue cache line section */
+diff --git a/drivers/net/ethernet/cisco/enic/enic_api.c b/drivers/net/ethernet/cisco/enic/enic_api.c
+index b161f24522b87..b028ea2dec2b9 100644
+--- a/drivers/net/ethernet/cisco/enic/enic_api.c
++++ b/drivers/net/ethernet/cisco/enic/enic_api.c
+@@ -34,6 +34,12 @@ int enic_api_devcmd_proxy_by_index(struct net_device *netdev, int vf,
+ struct vnic_dev *vdev = enic->vdev;
+
+ spin_lock(&enic->enic_api_lock);
++ while (enic->enic_api_busy) {
++ spin_unlock(&enic->enic_api_lock);
++ cpu_relax();
++ spin_lock(&enic->enic_api_lock);
++ }
++
+ spin_lock_bh(&enic->devcmd_lock);
+
+ vnic_dev_cmd_proxy_by_index_start(vdev, vf);
+diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c
+index 6e2ab10ad2e6f..8314102002b0f 100644
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -2142,8 +2142,6 @@ static int enic_dev_wait(struct vnic_dev *vdev,
+ int done;
+ int err;
+
+- BUG_ON(in_interrupt());
+-
+ err = start(vdev, arg);
+ if (err)
+ return err;
+@@ -2331,6 +2329,13 @@ static int enic_set_rss_nic_cfg(struct enic *enic)
+ rss_hash_bits, rss_base_cpu, rss_enable);
+ }
+
++static void enic_set_api_busy(struct enic *enic, bool busy)
++{
++ spin_lock(&enic->enic_api_lock);
++ enic->enic_api_busy = busy;
++ spin_unlock(&enic->enic_api_lock);
++}
++
+ static void enic_reset(struct work_struct *work)
+ {
+ struct enic *enic = container_of(work, struct enic, reset);
+@@ -2340,7 +2345,9 @@ static void enic_reset(struct work_struct *work)
+
+ rtnl_lock();
+
+- spin_lock(&enic->enic_api_lock);
++ /* Stop any activity from infiniband */
++ enic_set_api_busy(enic, true);
++
+ enic_stop(enic->netdev);
+ enic_dev_soft_reset(enic);
+ enic_reset_addr_lists(enic);
+@@ -2348,7 +2355,10 @@ static void enic_reset(struct work_struct *work)
+ enic_set_rss_nic_cfg(enic);
+ enic_dev_set_ig_vlan_rewrite_mode(enic);
+ enic_open(enic->netdev);
+- spin_unlock(&enic->enic_api_lock);
++
++ /* Allow infiniband to fiddle with the device again */
++ enic_set_api_busy(enic, false);
++
+ call_netdevice_notifiers(NETDEV_REBOOT, enic->netdev);
+
+ rtnl_unlock();
+@@ -2360,7 +2370,9 @@ static void enic_tx_hang_reset(struct work_struct *work)
+
+ rtnl_lock();
+
+- spin_lock(&enic->enic_api_lock);
++ /* Stop any activity from infiniband */
++ enic_set_api_busy(enic, true);
++
+ enic_dev_hang_notify(enic);
+ enic_stop(enic->netdev);
+ enic_dev_hang_reset(enic);
+@@ -2369,7 +2381,10 @@ static void enic_tx_hang_reset(struct work_struct *work)
+ enic_set_rss_nic_cfg(enic);
+ enic_dev_set_ig_vlan_rewrite_mode(enic);
+ enic_open(enic->netdev);
+- spin_unlock(&enic->enic_api_lock);
++
++ /* Allow infiniband to fiddle with the device again */
++ enic_set_api_busy(enic, false);
++
+ call_netdevice_notifiers(NETDEV_REBOOT, enic->netdev);
+
+ rtnl_unlock();
+--
+2.25.1
+
--- /dev/null
+From 39a069b84e5ec13f34b35579ad4230777773f82b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Oct 2020 15:52:53 +0200
+Subject: net: fec: Fix PHY init after phy_reset_after_clk_enable()
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 0da1ccbbefb662915228bc17e1c7d4ad28b3ddab ]
+
+The phy_reset_after_clk_enable() does a PHY reset, which means the PHY
+loses its register settings. The fec_enet_mii_probe() starts the PHY
+and does the necessary calls to configure the PHY via PHY framework,
+and loads the correct register settings into the PHY. Therefore,
+fec_enet_mii_probe() should be called only after the PHY has been
+reset, not before as it is now.
+
+Fixes: 1b0a83ac04e3 ("net: fec: add phy_reset_after_clk_enable() support")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Tested-by: Richard Leitner <richard.leitner@skidata.com>
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Christoph Niedermaier <cniedermaier@dh-electronics.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: NXP Linux Team <linux-imx@nxp.com>
+Cc: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index fd7fc6f20c9da..7831fc07c9a6f 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -3014,6 +3014,11 @@ fec_enet_open(struct net_device *ndev)
+ if (ret)
+ goto err_enet_mii_probe;
+
++ /* Probe and connect to PHY when open the interface */
++ ret = fec_enet_mii_probe(ndev);
++ if (ret)
++ goto err_enet_mii_probe;
++
+ if (fep->quirks & FEC_QUIRK_ERR006687)
+ imx6q_cpuidle_fec_irqs_used();
+
+--
+2.25.1
+
--- /dev/null
+From 344d619cc7e1b630c1587d3e160ec8523ccf2465 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Oct 2020 00:03:29 +0200
+Subject: net: korina: fix kfree of rx/tx descriptor array
+
+From: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+
+[ Upstream commit 3af5f0f5c74ecbaf757ef06c3f80d56751277637 ]
+
+kmalloc returns KSEG0 addresses so convert back from KSEG1
+in kfree. Also make sure array is freed when the driver is
+unloaded from the kernel.
+
+Fixes: ef11291bcd5f ("Add support the Korina (IDT RC32434) Ethernet MAC")
+Signed-off-by: Valentin Vidic <vvidic@valentin-vidic.from.hr>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/korina.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c
+index ae195f8adff58..5bdff77c0ad10 100644
+--- a/drivers/net/ethernet/korina.c
++++ b/drivers/net/ethernet/korina.c
+@@ -1113,7 +1113,7 @@ static int korina_probe(struct platform_device *pdev)
+ return rc;
+
+ probe_err_register:
+- kfree(lp->td_ring);
++ kfree(KSEG0ADDR(lp->td_ring));
+ probe_err_td_ring:
+ iounmap(lp->tx_dma_regs);
+ probe_err_dma_tx:
+@@ -1133,6 +1133,7 @@ static int korina_remove(struct platform_device *pdev)
+ iounmap(lp->eth_regs);
+ iounmap(lp->rx_dma_regs);
+ iounmap(lp->tx_dma_regs);
++ kfree(KSEG0ADDR(lp->td_ring));
+
+ unregister_netdev(bif->dev);
+ free_netdev(bif->dev);
+--
+2.25.1
+
--- /dev/null
+From ec387c1bd47e027bfb0cdee15085356554a4dcd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jun 2020 12:07:10 +0300
+Subject: net/mlx5: Don't call timecounter cyc2time directly from 1PPS flow
+
+From: Eran Ben Elisha <eranbe@mellanox.com>
+
+[ Upstream commit 0d2ffdc8d4002a62de31ff7aa3bef28c843c3cbe ]
+
+Before calling timecounter_cyc2time(), clock->lock must be taken.
+Use mlx5_timecounter_cyc2time instead which guarantees a safe access.
+
+Fixes: afc98a0b46d8 ("net/mlx5: Update ptp_clock_event foreach PPS event")
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
+index 75fc283cacc36..492ff2ef9a404 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
+@@ -498,8 +498,9 @@ static int mlx5_pps_event(struct notifier_block *nb,
+ switch (clock->ptp_info.pin_config[pin].func) {
+ case PTP_PF_EXTTS:
+ ptp_event.index = pin;
+- ptp_event.timestamp = timecounter_cyc2time(&clock->tc,
+- be64_to_cpu(eqe->data.pps.time_stamp));
++ ptp_event.timestamp =
++ mlx5_timecounter_cyc2time(clock,
++ be64_to_cpu(eqe->data.pps.time_stamp));
+ if (clock->pps_info.enabled) {
+ ptp_event.type = PTP_CLOCK_PPSUSR;
+ ptp_event.pps_times.ts_real =
+--
+2.25.1
+
--- /dev/null
+From 04298b55781ae326923b6cc502248462d55f8abe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Sep 2020 09:28:40 +0800
+Subject: net: stmmac: use netif_tx_start|stop_all_queues() function
+
+From: Ong Boon Leong <boon.leong.ong@intel.com>
+
+[ Upstream commit 9f19306d166688a73356aa636c62e698bf2063cc ]
+
+The current implementation of stmmac_stop_all_queues() and
+stmmac_start_all_queues() will not work correctly when the value of
+tx_queues_to_use is changed through ethtool -L DEVNAME rx N tx M command.
+
+Also, netif_tx_start|stop_all_queues() are only needed in driver open()
+and close() only.
+
+Fixes: c22a3f48 net: stmmac: adding multiple napi mechanism
+
+Signed-off-by: Ong Boon Leong <boon.leong.ong@intel.com>
+Signed-off-by: Voon Weifeng <weifeng.voon@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/stmmac_main.c | 33 +------------------
+ 1 file changed, 1 insertion(+), 32 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 982be75fde833..189cdb7633671 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -175,32 +175,6 @@ static void stmmac_enable_all_queues(struct stmmac_priv *priv)
+ }
+ }
+
+-/**
+- * stmmac_stop_all_queues - Stop all queues
+- * @priv: driver private structure
+- */
+-static void stmmac_stop_all_queues(struct stmmac_priv *priv)
+-{
+- u32 tx_queues_cnt = priv->plat->tx_queues_to_use;
+- u32 queue;
+-
+- for (queue = 0; queue < tx_queues_cnt; queue++)
+- netif_tx_stop_queue(netdev_get_tx_queue(priv->dev, queue));
+-}
+-
+-/**
+- * stmmac_start_all_queues - Start all queues
+- * @priv: driver private structure
+- */
+-static void stmmac_start_all_queues(struct stmmac_priv *priv)
+-{
+- u32 tx_queues_cnt = priv->plat->tx_queues_to_use;
+- u32 queue;
+-
+- for (queue = 0; queue < tx_queues_cnt; queue++)
+- netif_tx_start_queue(netdev_get_tx_queue(priv->dev, queue));
+-}
+-
+ static void stmmac_service_event_schedule(struct stmmac_priv *priv)
+ {
+ if (!test_bit(STMMAC_DOWN, &priv->state) &&
+@@ -2737,7 +2711,7 @@ static int stmmac_open(struct net_device *dev)
+ }
+
+ stmmac_enable_all_queues(priv);
+- stmmac_start_all_queues(priv);
++ netif_tx_start_all_queues(priv->dev);
+
+ return 0;
+
+@@ -2778,8 +2752,6 @@ static int stmmac_release(struct net_device *dev)
+ phylink_stop(priv->phylink);
+ phylink_disconnect_phy(priv->phylink);
+
+- stmmac_stop_all_queues(priv);
+-
+ stmmac_disable_all_queues(priv);
+
+ for (chan = 0; chan < priv->plat->tx_queues_to_use; chan++)
+@@ -4770,7 +4742,6 @@ int stmmac_suspend(struct device *dev)
+ mutex_lock(&priv->lock);
+
+ netif_device_detach(ndev);
+- stmmac_stop_all_queues(priv);
+
+ stmmac_disable_all_queues(priv);
+
+@@ -4883,8 +4854,6 @@ int stmmac_resume(struct device *dev)
+
+ stmmac_enable_all_queues(priv);
+
+- stmmac_start_all_queues(priv);
+-
+ mutex_unlock(&priv->lock);
+
+ if (!device_may_wakeup(priv->device)) {
+--
+2.25.1
+
--- /dev/null
+From b76f2c1560070318e62a1fa1410cf3172c1cd22f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Sep 2020 08:30:19 -0400
+Subject: net: wilc1000: clean up resource in error path of init mon interface
+
+From: Huang Guobin <huangguobin4@huawei.com>
+
+[ Upstream commit 55bd149978679742374c800e56e8f6bc74378bbe ]
+
+The wilc_wfi_init_mon_int() forgets to clean up resource when
+register_netdevice() failed. Add the missed call to fix it.
+And the return value of netdev_priv can't be NULL, so remove
+the unnecessary error handling.
+
+Fixes: 588713006ea4 ("staging: wilc1000: avoid the use of 'wilc_wfi_mon' static variable")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Huang Guobin <huangguobin4@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200917123019.206382-1-huangguobin4@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/wilc1000/wilc_mon.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/staging/wilc1000/wilc_mon.c b/drivers/staging/wilc1000/wilc_mon.c
+index d6f14f69ad64e..017e8e91334f1 100644
+--- a/drivers/staging/wilc1000/wilc_mon.c
++++ b/drivers/staging/wilc1000/wilc_mon.c
+@@ -236,11 +236,10 @@ struct net_device *wilc_wfi_init_mon_interface(struct wilc *wl,
+
+ if (register_netdevice(wl->monitor_dev)) {
+ netdev_err(real_dev, "register_netdevice failed\n");
++ free_netdev(wl->monitor_dev);
+ return NULL;
+ }
+ priv = netdev_priv(wl->monitor_dev);
+- if (!priv)
+- return NULL;
+
+ priv->real_ndev = real_dev;
+
+--
+2.25.1
+
--- /dev/null
+From 7d85fdabe2829470596fb41409385c61126aee2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Oct 2020 12:32:52 -0700
+Subject: netfilter: conntrack: connection timeout after re-register
+
+From: Francesco Ruggeri <fruggeri@arista.com>
+
+[ Upstream commit 4f25434bccc28cf8a07876ef5142a2869a674353 ]
+
+If the first packet conntrack sees after a re-register is an outgoing
+keepalive packet with no data (SEG.SEQ = SND.NXT-1), td_end is set to
+SND.NXT-1.
+When the peer correctly acknowledges SND.NXT, tcp_in_window fails
+check III (Upper bound for valid (s)ack: sack <= receiver.td_end) and
+returns false, which cascades into nf_conntrack_in setting
+skb->_nfct = 0 and in later conntrack iptables rules not matching.
+In cases where iptables are dropping packets that do not match
+conntrack rules this can result in idle tcp connections to time out.
+
+v2: adjust td_end when getting the reply rather than when sending out
+ the keepalive packet.
+
+Fixes: f94e63801ab2 ("netfilter: conntrack: reset tcp maxwin on re-register")
+Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_proto_tcp.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
+index 1926fd56df56a..848b137151c26 100644
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -541,13 +541,20 @@ static bool tcp_in_window(const struct nf_conn *ct,
+ swin = win << sender->td_scale;
+ sender->td_maxwin = (swin == 0 ? 1 : swin);
+ sender->td_maxend = end + sender->td_maxwin;
+- /*
+- * We haven't seen traffic in the other direction yet
+- * but we have to tweak window tracking to pass III
+- * and IV until that happens.
+- */
+- if (receiver->td_maxwin == 0)
++ if (receiver->td_maxwin == 0) {
++ /* We haven't seen traffic in the other
++ * direction yet but we have to tweak window
++ * tracking to pass III and IV until that
++ * happens.
++ */
+ receiver->td_end = receiver->td_maxend = sack;
++ } else if (sack == receiver->td_end + 1) {
++ /* Likely a reply to a keepalive.
++ * Needed for III.
++ */
++ receiver->td_end++;
++ }
++
+ }
+ } else if (((state->state == TCP_CONNTRACK_SYN_SENT
+ && dir == IP_CT_DIR_ORIGINAL)
+--
+2.25.1
+
--- /dev/null
+From 399aab17023bb83776b53d6f70adbbac9de651ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Oct 2020 12:36:15 +0000
+Subject: netfilter: ebtables: Fixes dropping of small packets in bridge nat
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Timothée COCAULT <timothee.cocault@orange.com>
+
+[ Upstream commit 63137bc5882a1882c553d389fdeeeace86ee1741 ]
+
+Fixes an error causing small packets to get dropped. skb_ensure_writable
+expects the second parameter to be a length in the ethernet payload.=20
+If we want to write the ethernet header (src, dst), we should pass 0.
+Otherwise, packets with small payloads (< ETH_ALEN) will get dropped.
+
+Fixes: c1a831167901 ("netfilter: bridge: convert skb_make_writable to skb_ensure_writable")
+Signed-off-by: Timothée COCAULT <timothee.cocault@orange.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/netfilter/ebt_dnat.c | 2 +-
+ net/bridge/netfilter/ebt_redirect.c | 2 +-
+ net/bridge/netfilter/ebt_snat.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
+index 12a4f4d936810..3fda71a8579d1 100644
+--- a/net/bridge/netfilter/ebt_dnat.c
++++ b/net/bridge/netfilter/ebt_dnat.c
+@@ -21,7 +21,7 @@ ebt_dnat_tg(struct sk_buff *skb, const struct xt_action_param *par)
+ {
+ const struct ebt_nat_info *info = par->targinfo;
+
+- if (skb_ensure_writable(skb, ETH_ALEN))
++ if (skb_ensure_writable(skb, 0))
+ return EBT_DROP;
+
+ ether_addr_copy(eth_hdr(skb)->h_dest, info->mac);
+diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c
+index 0cad62a4052b9..307790562b492 100644
+--- a/net/bridge/netfilter/ebt_redirect.c
++++ b/net/bridge/netfilter/ebt_redirect.c
+@@ -21,7 +21,7 @@ ebt_redirect_tg(struct sk_buff *skb, const struct xt_action_param *par)
+ {
+ const struct ebt_redirect_info *info = par->targinfo;
+
+- if (skb_ensure_writable(skb, ETH_ALEN))
++ if (skb_ensure_writable(skb, 0))
+ return EBT_DROP;
+
+ if (xt_hooknum(par) != NF_BR_BROUTING)
+diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
+index 27443bf229a3b..7dfbcdfc30e5d 100644
+--- a/net/bridge/netfilter/ebt_snat.c
++++ b/net/bridge/netfilter/ebt_snat.c
+@@ -22,7 +22,7 @@ ebt_snat_tg(struct sk_buff *skb, const struct xt_action_param *par)
+ {
+ const struct ebt_nat_info *info = par->targinfo;
+
+- if (skb_ensure_writable(skb, ETH_ALEN * 2))
++ if (skb_ensure_writable(skb, 0))
+ return EBT_DROP;
+
+ ether_addr_copy(eth_hdr(skb)->h_source, info->mac);
+--
+2.25.1
+
--- /dev/null
+From ed07639a2b4c1bef9ea0d147fc19dc1564f2a863 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Oct 2020 12:55:52 +0200
+Subject: netfilter: nf_fwd_netdev: clear timestamp in forwarding path
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit c77761c8a59405cb7aa44188b30fffe13fbdd02d ]
+
+Similar to 7980d2eabde8 ("ipvs: clear skb->tstamp in forwarding path").
+fq qdisc requires tstamp to be cleared in forwarding path.
+
+Fixes: 8203e2d844d3 ("net: clear skb->tstamp in forwarding paths")
+Fixes: fb420d5d91c1 ("tcp/fq: move back to CLOCK_MONOTONIC")
+Fixes: 80b14dee2bea ("net: Add a new socket option for a future transmit time.")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_dup_netdev.c | 1 +
+ net/netfilter/nft_fwd_netdev.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_dup_netdev.c b/net/netfilter/nf_dup_netdev.c
+index f108a76925dd8..ec6e7d6860163 100644
+--- a/net/netfilter/nf_dup_netdev.c
++++ b/net/netfilter/nf_dup_netdev.c
+@@ -19,6 +19,7 @@ static void nf_do_netdev_egress(struct sk_buff *skb, struct net_device *dev)
+ skb_push(skb, skb->mac_len);
+
+ skb->dev = dev;
++ skb->tstamp = 0;
+ dev_queue_xmit(skb);
+ }
+
+diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c
+index 3087e23297dbf..b77985986b24e 100644
+--- a/net/netfilter/nft_fwd_netdev.c
++++ b/net/netfilter/nft_fwd_netdev.c
+@@ -138,6 +138,7 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr,
+ return;
+
+ skb->dev = dev;
++ skb->tstamp = 0;
+ neigh_xmit(neigh_table, dev, addr, skb);
+ out:
+ regs->verdict.code = verdict;
+--
+2.25.1
+
--- /dev/null
+From af6a380dab03a61af3863672176255ac0b989a02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Oct 2020 17:06:06 +0200
+Subject: netfilter: nf_log: missing vlan offload tag and proto
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 0d9826bc18ce356e8909919ad681ad65d0a6061e ]
+
+Dump vlan tag and proto for the usual vlan offload case if the
+NF_LOG_MACDECODE flag is set on. Without this information the logging is
+misleading as there is no reference to the VLAN header.
+
+[12716.993704] test: IN=veth0 OUT= MACSRC=86:6c:92:ea:d6:73 MACDST=0e:3b:eb:86:73:76 VPROTO=8100 VID=10 MACPROTO=0800 SRC=192.168.10.2 DST=172.217.168.163 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2548 DF PROTO=TCP SPT=55848 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0
+[12721.157643] test: IN=veth0 OUT= MACSRC=86:6c:92:ea:d6:73 MACDST=0e:3b:eb:86:73:76 VPROTO=8100 VID=10 MACPROTO=0806 ARP HTYPE=1 PTYPE=0x0800 OPCODE=2 MACSRC=86:6c:92:ea:d6:73 IPSRC=192.168.10.2 MACDST=0e:3b:eb:86:73:76 IPDST=192.168.10.1
+
+Fixes: 83e96d443b37 ("netfilter: log: split family specific code to nf_log_{ip,ip6,common}.c files")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_log.h | 1 +
+ net/ipv4/netfilter/nf_log_arp.c | 19 +++++++++++++++++--
+ net/ipv4/netfilter/nf_log_ipv4.c | 6 ++++--
+ net/ipv6/netfilter/nf_log_ipv6.c | 8 +++++---
+ net/netfilter/nf_log_common.c | 12 ++++++++++++
+ 5 files changed, 39 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h
+index 0d3920896d502..716db4a0fed89 100644
+--- a/include/net/netfilter/nf_log.h
++++ b/include/net/netfilter/nf_log.h
+@@ -108,6 +108,7 @@ int nf_log_dump_tcp_header(struct nf_log_buf *m, const struct sk_buff *skb,
+ unsigned int logflags);
+ void nf_log_dump_sk_uid_gid(struct net *net, struct nf_log_buf *m,
+ struct sock *sk);
++void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb);
+ void nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf,
+ unsigned int hooknum, const struct sk_buff *skb,
+ const struct net_device *in,
+diff --git a/net/ipv4/netfilter/nf_log_arp.c b/net/ipv4/netfilter/nf_log_arp.c
+index 7a83f881efa9e..136030ad2e546 100644
+--- a/net/ipv4/netfilter/nf_log_arp.c
++++ b/net/ipv4/netfilter/nf_log_arp.c
+@@ -43,16 +43,31 @@ static void dump_arp_packet(struct nf_log_buf *m,
+ const struct nf_loginfo *info,
+ const struct sk_buff *skb, unsigned int nhoff)
+ {
+- const struct arphdr *ah;
+- struct arphdr _arph;
+ const struct arppayload *ap;
+ struct arppayload _arpp;
++ const struct arphdr *ah;
++ unsigned int logflags;
++ struct arphdr _arph;
+
+ ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph);
+ if (ah == NULL) {
+ nf_log_buf_add(m, "TRUNCATED");
+ return;
+ }
++
++ if (info->type == NF_LOG_TYPE_LOG)
++ logflags = info->u.log.logflags;
++ else
++ logflags = NF_LOG_DEFAULT_MASK;
++
++ if (logflags & NF_LOG_MACDECODE) {
++ nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ",
++ eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest);
++ nf_log_dump_vlan(m, skb);
++ nf_log_buf_add(m, "MACPROTO=%04x ",
++ ntohs(eth_hdr(skb)->h_proto));
++ }
++
+ nf_log_buf_add(m, "ARP HTYPE=%d PTYPE=0x%04x OPCODE=%d",
+ ntohs(ah->ar_hrd), ntohs(ah->ar_pro), ntohs(ah->ar_op));
+
+diff --git a/net/ipv4/netfilter/nf_log_ipv4.c b/net/ipv4/netfilter/nf_log_ipv4.c
+index 4b2d49cc9f1a1..cb288ffbcfde2 100644
+--- a/net/ipv4/netfilter/nf_log_ipv4.c
++++ b/net/ipv4/netfilter/nf_log_ipv4.c
+@@ -284,8 +284,10 @@ static void dump_ipv4_mac_header(struct nf_log_buf *m,
+
+ switch (dev->type) {
+ case ARPHRD_ETHER:
+- nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
+- eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
++ nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ",
++ eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest);
++ nf_log_dump_vlan(m, skb);
++ nf_log_buf_add(m, "MACPROTO=%04x ",
+ ntohs(eth_hdr(skb)->h_proto));
+ return;
+ default:
+diff --git a/net/ipv6/netfilter/nf_log_ipv6.c b/net/ipv6/netfilter/nf_log_ipv6.c
+index 22b80db6d8826..5b40258d3a5e9 100644
+--- a/net/ipv6/netfilter/nf_log_ipv6.c
++++ b/net/ipv6/netfilter/nf_log_ipv6.c
+@@ -297,9 +297,11 @@ static void dump_ipv6_mac_header(struct nf_log_buf *m,
+
+ switch (dev->type) {
+ case ARPHRD_ETHER:
+- nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
+- eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
+- ntohs(eth_hdr(skb)->h_proto));
++ nf_log_buf_add(m, "MACSRC=%pM MACDST=%pM ",
++ eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest);
++ nf_log_dump_vlan(m, skb);
++ nf_log_buf_add(m, "MACPROTO=%04x ",
++ ntohs(eth_hdr(skb)->h_proto));
+ return;
+ default:
+ break;
+diff --git a/net/netfilter/nf_log_common.c b/net/netfilter/nf_log_common.c
+index ae5628ddbe6d7..fd7c5f0f5c25b 100644
+--- a/net/netfilter/nf_log_common.c
++++ b/net/netfilter/nf_log_common.c
+@@ -171,6 +171,18 @@ nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf,
+ }
+ EXPORT_SYMBOL_GPL(nf_log_dump_packet_common);
+
++void nf_log_dump_vlan(struct nf_log_buf *m, const struct sk_buff *skb)
++{
++ u16 vid;
++
++ if (!skb_vlan_tag_present(skb))
++ return;
++
++ vid = skb_vlan_tag_get(skb);
++ nf_log_buf_add(m, "VPROTO=%04x VID=%u ", ntohs(skb->vlan_proto), vid);
++}
++EXPORT_SYMBOL_GPL(nf_log_dump_vlan);
++
+ /* bridge and netdev logging families share this code. */
+ void nf_log_l2packet(struct net *net, u_int8_t pf,
+ __be16 protocol,
+--
+2.25.1
+
--- /dev/null
+From cf4809a955cbb259de9645d3177a2c690550c940 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Sep 2020 13:07:18 +0200
+Subject: nl80211: fix non-split wiphy information
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit ab10c22bc3b2024f0c9eafa463899a071eac8d97 ]
+
+When dumping wiphy information, we try to split the data into
+many submessages, but for old userspace we still support the
+old mode where this doesn't happen.
+
+However, in this case we were not resetting our state correctly
+and dumping multiple messages for each wiphy, which would have
+broken such older userspace.
+
+This was broken pretty much immediately afterwards because it
+only worked in the original commit where non-split dumps didn't
+have any more data than split dumps...
+
+Fixes: fe1abafd942f ("nl80211: re-add channel width and extended capa advertising")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Link: https://lore.kernel.org/r/20200928130717.3e6d9c6bada2.Ie0f151a8d0d00a8e1e18f6a8c9244dd02496af67@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 3faad3b147376..672b70730e898 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -2227,7 +2227,10 @@ static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
+ * case we'll continue with more data in the next round,
+ * but break unconditionally so unsplit data stops here.
+ */
+- state->split_start++;
++ if (state->split)
++ state->split_start++;
++ else
++ state->split_start = 0;
+ break;
+ case 9:
+ if (rdev->wiphy.extended_capabilities &&
+--
+2.25.1
+
--- /dev/null
+From 826fa3ecd49d44113d2b3a899f3f32e7cbe45863 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Sep 2020 00:28:10 -0700
+Subject: nl80211: fix OBSS PD min and max offset validation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rajkumar Manoharan <rmanohar@codeaurora.org>
+
+[ Upstream commit 6c8b6e4a5f745ec49286ac0a3f1d591a34818f82 ]
+
+The SRG min and max offset won't present when SRG Information Present of
+SR control field of Spatial Reuse Parameter Set element set to 0. Per
+spec. IEEE802.11ax D7.0, SRG OBSS PD Min Offset ≤ SRG OBSS PD Max
+Offset. Hence fix the constrain check to allow same values in both
+offset and also call appropriate nla_get function to read the values.
+
+Fixes: 796e90f42b7e ("cfg80211: add support for parsing OBBS_PD attributes")
+Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
+Link: https://lore.kernel.org/r/1601278091-20313-1-git-send-email-rmanohar@codeaurora.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 7bc4f37655237..3faad3b147376 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -4496,16 +4496,14 @@ static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
+ if (err)
+ return err;
+
+- if (!tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] ||
+- !tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
+- return -EINVAL;
+-
+- he_obss_pd->min_offset =
+- nla_get_u32(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
+- he_obss_pd->max_offset =
+- nla_get_u32(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
+-
+- if (he_obss_pd->min_offset >= he_obss_pd->max_offset)
++ if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
++ he_obss_pd->min_offset =
++ nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
++ if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
++ he_obss_pd->max_offset =
++ nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
++
++ if (he_obss_pd->min_offset > he_obss_pd->max_offset)
+ return -EINVAL;
+
+ he_obss_pd->enable = true;
+--
+2.25.1
+
--- /dev/null
+From 9ab0713e844ee16b8f4758ac96edd6d3c0cac95d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 09:59:57 +0800
+Subject: NTB: hw: amd: fix an issue about leak system resources
+
+From: Kaige Li <likaige@loongson.cn>
+
+[ Upstream commit 44a0a3c17919db1498cebb02ecf3cf4abc1ade7b ]
+
+The related system resources were not released when pci_set_dma_mask(),
+pci_set_consistent_dma_mask(), or pci_iomap() return error in the
+amd_ntb_init_pci() function. Add pci_release_regions() to fix it.
+
+Fixes: a1b3695820aa ("NTB: Add support for AMD PCI-Express Non-Transparent Bridge")
+Signed-off-by: Kaige Li <likaige@loongson.cn>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/hw/amd/ntb_hw_amd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/ntb/hw/amd/ntb_hw_amd.c b/drivers/ntb/hw/amd/ntb_hw_amd.c
+index 156c2a18a2394..abb37659de343 100644
+--- a/drivers/ntb/hw/amd/ntb_hw_amd.c
++++ b/drivers/ntb/hw/amd/ntb_hw_amd.c
+@@ -1036,6 +1036,7 @@ static int amd_ntb_init_pci(struct amd_ntb_dev *ndev,
+
+ err_dma_mask:
+ pci_clear_master(pdev);
++ pci_release_regions(pdev);
+ err_pci_regions:
+ pci_disable_device(pdev);
+ err_pci_enable:
+--
+2.25.1
+
--- /dev/null
+From df4ac570ecd5523891c958555716170203efa8e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Oct 2020 16:48:17 -0700
+Subject: ntfs: add check for mft record size in superblock
+
+From: Rustam Kovhaev <rkovhaev@gmail.com>
+
+[ Upstream commit 4f8c94022f0bc3babd0a124c0a7dcdd7547bd94e ]
+
+Number of bytes allocated for mft record should be equal to the mft record
+size stored in ntfs superblock as reported by syzbot, userspace might
+trigger out-of-bounds read by dereferencing ctx->attr in ntfs_attr_find()
+
+Reported-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com
+Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Tested-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com
+Acked-by: Anton Altaparmakov <anton@tuxera.com>
+Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e
+Link: https://lkml.kernel.org/r/20200824022804.226242-1-rkovhaev@gmail.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c
+index d4359a1df3d5e..84933a0af49b6 100644
+--- a/fs/ntfs/inode.c
++++ b/fs/ntfs/inode.c
+@@ -1809,6 +1809,12 @@ int ntfs_read_inode_mount(struct inode *vi)
+ brelse(bh);
+ }
+
++ if (le32_to_cpu(m->bytes_allocated) != vol->mft_record_size) {
++ ntfs_error(sb, "Incorrect mft record size %u in superblock, should be %u.",
++ le32_to_cpu(m->bytes_allocated), vol->mft_record_size);
++ goto err_out;
++ }
++
+ /* Apply the mst fixups. */
+ if (post_read_mst_fixup((NTFS_RECORD*)m, vol->mft_record_size)) {
+ /* FIXME: Try to use the $MFTMirr now. */
+--
+2.25.1
+
--- /dev/null
+From d85868b5fbb71c0256d3f0467e396ffbc6ea4655 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Sep 2020 23:44:56 +0300
+Subject: nvmem: core: fix possibly memleak when use
+ nvmem_cell_info_to_nvmem_cell()
+
+From: Vadym Kochan <vadym.kochan@plvision.eu>
+
+[ Upstream commit fc9eec4d643597cf4cb2fef17d48110e677610da ]
+
+Fix missing 'kfree_const(cell->name)' when call to
+nvmem_cell_info_to_nvmem_cell() in several places:
+
+ * after nvmem_cell_info_to_nvmem_cell() failed during
+ nvmem_add_cells()
+
+ * during nvmem_device_cell_{read,write} when cell->name is
+ kstrdup'ed() without calling kfree_const() at the end, but
+ really there is no reason to do that 'dup, because the cell
+ instance is allocated on the stack for some short period to be
+ read/write without exposing it to the caller.
+
+So the new nvmem_cell_info_to_nvmem_cell_nodup() helper is introduced
+which is used to convert cell_info -> cell without name duplication as
+a lighweight version of nvmem_cell_info_to_nvmem_cell().
+
+Fixes: e2a5402ec7c6 ("nvmem: Add nvmem_device based consumer apis.")
+Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Acked-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Signed-off-by: Vadym Kochan <vadym.kochan@plvision.eu>
+Link: https://lore.kernel.org/r/20200923204456.14032-1-vadym.kochan@plvision.eu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvmem/core.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c
+index 960542dea5adb..84f4078216a36 100644
+--- a/drivers/nvmem/core.c
++++ b/drivers/nvmem/core.c
+@@ -130,16 +130,14 @@ static void nvmem_cell_add(struct nvmem_cell *cell)
+ blocking_notifier_call_chain(&nvmem_notifier, NVMEM_CELL_ADD, cell);
+ }
+
+-static int nvmem_cell_info_to_nvmem_cell(struct nvmem_device *nvmem,
+- const struct nvmem_cell_info *info,
+- struct nvmem_cell *cell)
++static int nvmem_cell_info_to_nvmem_cell_nodup(struct nvmem_device *nvmem,
++ const struct nvmem_cell_info *info,
++ struct nvmem_cell *cell)
+ {
+ cell->nvmem = nvmem;
+ cell->offset = info->offset;
+ cell->bytes = info->bytes;
+- cell->name = kstrdup_const(info->name, GFP_KERNEL);
+- if (!cell->name)
+- return -ENOMEM;
++ cell->name = info->name;
+
+ cell->bit_offset = info->bit_offset;
+ cell->nbits = info->nbits;
+@@ -151,13 +149,30 @@ static int nvmem_cell_info_to_nvmem_cell(struct nvmem_device *nvmem,
+ if (!IS_ALIGNED(cell->offset, nvmem->stride)) {
+ dev_err(&nvmem->dev,
+ "cell %s unaligned to nvmem stride %d\n",
+- cell->name, nvmem->stride);
++ cell->name ?: "<unknown>", nvmem->stride);
+ return -EINVAL;
+ }
+
+ return 0;
+ }
+
++static int nvmem_cell_info_to_nvmem_cell(struct nvmem_device *nvmem,
++ const struct nvmem_cell_info *info,
++ struct nvmem_cell *cell)
++{
++ int err;
++
++ err = nvmem_cell_info_to_nvmem_cell_nodup(nvmem, info, cell);
++ if (err)
++ return err;
++
++ cell->name = kstrdup_const(info->name, GFP_KERNEL);
++ if (!cell->name)
++ return -ENOMEM;
++
++ return 0;
++}
++
+ /**
+ * nvmem_add_cells() - Add cell information to an nvmem device
+ *
+@@ -1174,7 +1189,7 @@ ssize_t nvmem_device_cell_read(struct nvmem_device *nvmem,
+ if (!nvmem)
+ return -EINVAL;
+
+- rc = nvmem_cell_info_to_nvmem_cell(nvmem, info, &cell);
++ rc = nvmem_cell_info_to_nvmem_cell_nodup(nvmem, info, &cell);
+ if (rc)
+ return rc;
+
+@@ -1204,7 +1219,7 @@ int nvmem_device_cell_write(struct nvmem_device *nvmem,
+ if (!nvmem)
+ return -EINVAL;
+
+- rc = nvmem_cell_info_to_nvmem_cell(nvmem, info, &cell);
++ rc = nvmem_cell_info_to_nvmem_cell_nodup(nvmem, info, &cell);
+ if (rc)
+ return rc;
+
+--
+2.25.1
+
--- /dev/null
+From c56f02d87a10f05cfca89e92e5576f0016379c07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Oct 2020 09:51:40 +0800
+Subject: nvmet: fix uninitialized work for zero kato
+
+From: zhenwei pi <pizhenwei@bytedance.com>
+
+[ Upstream commit 85bd23f3dc09a2ae9e56885420e52c54bf983713 ]
+
+When connecting a controller with a zero kato value using the following
+command line
+
+ nvme connect -t tcp -n NQN -a ADDR -s PORT --keep-alive-tmo=0
+
+the warning below can be reproduced:
+
+WARNING: CPU: 1 PID: 241 at kernel/workqueue.c:1627 __queue_delayed_work+0x6d/0x90
+with trace:
+ mod_delayed_work_on+0x59/0x90
+ nvmet_update_cc+0xee/0x100 [nvmet]
+ nvmet_execute_prop_set+0x72/0x80 [nvmet]
+ nvmet_tcp_try_recv_pdu+0x2f7/0x770 [nvmet_tcp]
+ nvmet_tcp_io_work+0x63f/0xb2d [nvmet_tcp]
+ ...
+
+This is caused by queuing up an uninitialized work. Althrough the
+keep-alive timer is disabled during allocating the controller (fixed in
+0d3b6a8d213a), ka_work still has a chance to run (called by
+nvmet_start_ctrl).
+
+Fixes: 0d3b6a8d213a ("nvmet: Disable keep-alive timer when kato is cleared to 0h")
+Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
+index 7d7176369edf7..6b2f1e290fa73 100644
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -1048,7 +1048,8 @@ static void nvmet_start_ctrl(struct nvmet_ctrl *ctrl)
+ * in case a host died before it enabled the controller. Hence, simply
+ * reset the keep alive timer when the controller is enabled.
+ */
+- mod_delayed_work(system_wq, &ctrl->ka_work, ctrl->kato * HZ);
++ if (ctrl->kato)
++ mod_delayed_work(system_wq, &ctrl->ka_work, ctrl->kato * HZ);
+ }
+
+ static void nvmet_clear_ctrl(struct nvmet_ctrl *ctrl)
+--
+2.25.1
+
--- /dev/null
+From 6d5a51bbef175b4b5cef9ebf3d1f03332cb8fc01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Aug 2020 11:22:37 +0530
+Subject: opp: Prevent memory leak in dev_pm_opp_attach_genpd()
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+[ Upstream commit cb60e9602cce1593eb1e9cdc8ee562815078a354 ]
+
+If dev_pm_opp_attach_genpd() is called multiple times (once for each CPU
+sharing the table), then it would result in unwanted behavior like
+memory leak, attaching the domain multiple times, etc.
+
+Handle that by checking and returning earlier if the domains are already
+attached. Now that dev_pm_opp_detach_genpd() can get called multiple
+times as well, we need to protect that too.
+
+Note that the virtual device pointers aren't returned in this case, as
+they may become unavailable to some callers during the middle of the
+operation.
+
+Reported-by: Stephan Gerhold <stephan@gerhold.net>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/opp/core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/opp/core.c b/drivers/opp/core.c
+index 29dfaa591f8b0..8867bab72e171 100644
+--- a/drivers/opp/core.c
++++ b/drivers/opp/core.c
+@@ -1796,6 +1796,9 @@ static void _opp_detach_genpd(struct opp_table *opp_table)
+ {
+ int index;
+
++ if (!opp_table->genpd_virt_devs)
++ return;
++
+ for (index = 0; index < opp_table->required_opp_count; index++) {
+ if (!opp_table->genpd_virt_devs[index])
+ continue;
+@@ -1842,6 +1845,9 @@ struct opp_table *dev_pm_opp_attach_genpd(struct device *dev,
+ if (!opp_table)
+ return ERR_PTR(-ENOMEM);
+
++ if (opp_table->genpd_virt_devs)
++ return opp_table;
++
+ /*
+ * If the genpd's OPP table isn't already initialized, parsing of the
+ * required-opps fail for dev. We should retry this after genpd's OPP
+--
+2.25.1
+
--- /dev/null
+From d1aae1da2d54a01ed290748ddc06dab464b7f887 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Sep 2020 13:29:28 +0300
+Subject: overflow: Include header file with SIZE_MAX declaration
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit a4947e84f23474803b62a2759b5808147e4e15f9 ]
+
+The various array_size functions use SIZE_MAX define, but missed limits.h
+causes to failure to compile code that needs overflow.h.
+
+ In file included from drivers/infiniband/core/uverbs_std_types_device.c:6:
+ ./include/linux/overflow.h: In function 'array_size':
+ ./include/linux/overflow.h:258:10: error: 'SIZE_MAX' undeclared (first use in this function)
+ 258 | return SIZE_MAX;
+ | ^~~~~~~~
+
+Fixes: 610b15c50e86 ("overflow.h: Add allocation size calculation helpers")
+Link: https://lore.kernel.org/r/20200913102928.134985-1-leon@kernel.org
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/overflow.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/overflow.h b/include/linux/overflow.h
+index 659045046468f..50c93ca0c3d6f 100644
+--- a/include/linux/overflow.h
++++ b/include/linux/overflow.h
+@@ -3,6 +3,7 @@
+ #define __LINUX_OVERFLOW_H
+
+ #include <linux/compiler.h>
++#include <linux/limits.h>
+
+ /*
+ * In the fallback code below, we need to compute the minimum and
+--
+2.25.1
+
--- /dev/null
+From 5aea523422aaa495f48f21991c2706daf8a26f25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Sep 2020 13:10:35 +0200
+Subject: PCI: aardvark: Check for errors from pci_bridge_emul_init() call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 7862a6134456c8b4f8c39e8c94aa97e5c2f7f2b7 ]
+
+Function pci_bridge_emul_init() may fail so correctly check for errors.
+
+Link: https://lore.kernel.org/r/20200907111038.5811-3-pali@kernel.org
+Fixes: 8a3ebd8de328 ("PCI: aardvark: Implement emulated root PCI bridge config space")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Marek Behún <marek.behun@nic.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-aardvark.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pci/controller/pci-aardvark.c b/drivers/pci/controller/pci-aardvark.c
+index f2481e80e2723..d0e60441dc8f2 100644
+--- a/drivers/pci/controller/pci-aardvark.c
++++ b/drivers/pci/controller/pci-aardvark.c
+@@ -503,7 +503,7 @@ static struct pci_bridge_emul_ops advk_pci_bridge_emul_ops = {
+ * Initialize the configuration space of the PCI-to-PCI bridge
+ * associated with the given PCIe interface.
+ */
+-static void advk_sw_pci_bridge_init(struct advk_pcie *pcie)
++static int advk_sw_pci_bridge_init(struct advk_pcie *pcie)
+ {
+ struct pci_bridge_emul *bridge = &pcie->bridge;
+
+@@ -527,8 +527,7 @@ static void advk_sw_pci_bridge_init(struct advk_pcie *pcie)
+ bridge->data = pcie;
+ bridge->ops = &advk_pci_bridge_emul_ops;
+
+- pci_bridge_emul_init(bridge, 0);
+-
++ return pci_bridge_emul_init(bridge, 0);
+ }
+
+ static bool advk_pcie_valid_device(struct advk_pcie *pcie, struct pci_bus *bus,
+@@ -1027,7 +1026,11 @@ static int advk_pcie_probe(struct platform_device *pdev)
+
+ advk_pcie_setup_hw(pcie);
+
+- advk_sw_pci_bridge_init(pcie);
++ ret = advk_sw_pci_bridge_init(pcie);
++ if (ret) {
++ dev_err(dev, "Failed to register emulated root PCI bridge\n");
++ return ret;
++ }
+
+ ret = advk_pcie_init_irq_domain(pcie);
+ if (ret) {
+--
+2.25.1
+
--- /dev/null
+From 461babcb70fdb70b1ade9fd737bc554128cc3a5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Sep 2020 10:59:55 -0400
+Subject: PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY
+
+From: Matthew Rosato <mjrosato@linux.ibm.com>
+
+[ Upstream commit 12856e7acde4702b7c3238c15fcba86ff6aa507f ]
+
+For VFs, the Memory Space Enable bit in the Command Register is
+hard-wired to 0.
+
+Add a new bit to signify devices where the Command Register Memory
+Space Enable bit does not control the device's response to MMIO
+accesses.
+
+Fixes: abafbc551fdd ("vfio-pci: Invalidate mmaps and block MMIO access on disabled memory")
+Signed-off-by: Matthew Rosato <mjrosato@linux.ibm.com>
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/iov.c | 1 +
+ include/linux/pci.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/drivers/pci/iov.c b/drivers/pci/iov.c
+index 9c116cbaa95d8..e15220385666f 100644
+--- a/drivers/pci/iov.c
++++ b/drivers/pci/iov.c
+@@ -158,6 +158,7 @@ int pci_iov_add_virtfn(struct pci_dev *dev, int id)
+ virtfn->device = iov->vf_device;
+ virtfn->is_virtfn = 1;
+ virtfn->physfn = pci_dev_get(dev);
++ virtfn->no_command_memory = 1;
+
+ if (id == 0)
+ pci_read_vf_config_common(virtfn);
+diff --git a/include/linux/pci.h b/include/linux/pci.h
+index e92bd9b32f369..6a6a819c5b49b 100644
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -423,6 +423,7 @@ struct pci_dev {
+ unsigned int is_probed:1; /* Device probing in progress */
+ unsigned int link_active_reporting:1;/* Device capable of reporting link active */
+ unsigned int no_vf_scan:1; /* Don't scan for VFs after IOV enablement */
++ unsigned int no_command_memory:1; /* No PCI_COMMAND_MEMORY */
+ pci_dev_flags_t dev_flags;
+ atomic_t enable_cnt; /* pci_enable_device has been called */
+
+--
+2.25.1
+
--- /dev/null
+From d5488c060bced83e195b68ed72d6391a2f208a9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Aug 2020 15:52:40 +1200
+Subject: PCI: iproc: Set affinity mask on MSI interrupts
+
+From: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+
+[ Upstream commit eb7eacaa5b9e4f665bd08d416c8f88e63d2f123c ]
+
+The core interrupt code expects the irq_set_affinity call to update the
+effective affinity for the interrupt. This was not being done, so update
+iproc_msi_irq_set_affinity() to do so.
+
+Link: https://lore.kernel.org/r/20200803035241.7737-1-mark.tomlinson@alliedtelesis.co.nz
+Fixes: 3bc2b2348835 ("PCI: iproc: Add iProc PCIe MSI support")
+Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Ray Jui <ray.jui@broadcom.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-iproc-msi.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pci/controller/pcie-iproc-msi.c b/drivers/pci/controller/pcie-iproc-msi.c
+index 0a3f61be5625b..a1298f6784ac9 100644
+--- a/drivers/pci/controller/pcie-iproc-msi.c
++++ b/drivers/pci/controller/pcie-iproc-msi.c
+@@ -209,15 +209,20 @@ static int iproc_msi_irq_set_affinity(struct irq_data *data,
+ struct iproc_msi *msi = irq_data_get_irq_chip_data(data);
+ int target_cpu = cpumask_first(mask);
+ int curr_cpu;
++ int ret;
+
+ curr_cpu = hwirq_to_cpu(msi, data->hwirq);
+ if (curr_cpu == target_cpu)
+- return IRQ_SET_MASK_OK_DONE;
++ ret = IRQ_SET_MASK_OK_DONE;
++ else {
++ /* steer MSI to the target CPU */
++ data->hwirq = hwirq_to_canonical_hwirq(msi, data->hwirq) + target_cpu;
++ ret = IRQ_SET_MASK_OK;
++ }
+
+- /* steer MSI to the target CPU */
+- data->hwirq = hwirq_to_canonical_hwirq(msi, data->hwirq) + target_cpu;
++ irq_data_update_effective_affinity(data, cpumask_of(target_cpu));
+
+- return IRQ_SET_MASK_OK;
++ return ret;
+ }
+
+ static void iproc_msi_irq_compose_msi_msg(struct irq_data *data,
+--
+2.25.1
+
--- /dev/null
+From 328dbae0d669b757e2dc7ea67a1387cc59d43e45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Sep 2020 21:46:37 +0100
+Subject: perf: correct SNOOPX field offset
+
+From: Al Grant <al.grant@foss.arm.com>
+
+[ Upstream commit f3d301c1f2f5676465cdf3259737ea19cc82731f ]
+
+perf_event.h has macros that define the field offsets in the
+data_src bitmask in perf records. The SNOOPX and REMOTE offsets
+were both 37. These are distinct fields, and the bitfield layout
+in perf_mem_data_src confirms that SNOOPX should be at offset 38.
+
+Fixes: 52839e653b5629bd ("perf tools: Add support for printing new mem_info encodings")
+Signed-off-by: Al Grant <al.grant@foss.arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Andi Kleen <ak@linux.intel.com>
+Link: https://lkml.kernel.org/r/4ac9f5cc-4388-b34a-9999-418a4099415d@foss.arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/perf_event.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/perf_event.h b/include/uapi/linux/perf_event.h
+index bb7b271397a66..ceccd980ffcfe 100644
+--- a/include/uapi/linux/perf_event.h
++++ b/include/uapi/linux/perf_event.h
+@@ -1131,7 +1131,7 @@ union perf_mem_data_src {
+
+ #define PERF_MEM_SNOOPX_FWD 0x01 /* forward */
+ /* 1 free */
+-#define PERF_MEM_SNOOPX_SHIFT 37
++#define PERF_MEM_SNOOPX_SHIFT 38
+
+ /* locked instruction */
+ #define PERF_MEM_LOCK_NA 0x01 /* not available */
+--
+2.25.1
+
--- /dev/null
+From 43a0f588151acc11583bb1d2c385466567bd0caa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Sep 2020 11:49:23 +0300
+Subject: perf intel-pt: Fix "context_switch event has no tid" error
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit 7d537a8d2e76bc4fc71e34545ceaa463ac2cd928 ]
+
+A context_switch event can have no tid because pids can be detached from
+a task while the task is still running (in do_exit()). Note this won't
+happen with per-task contexts because then tracing stops at
+perf_event_exit_task()
+
+If a task with no tid gets preempted, or a dying task gets preempted and
+its parent releases it, when it subsequently gets switched back in,
+Intel PT will not be able to determine what task is running and prints
+an error "context_switch event has no tid". However, it is not really an
+error because the task is in kernel space and the decoder can continue
+to decode successfully. Fix by changing the error to be only a logged
+message, and make allowance for tid == -1.
+
+Example:
+
+ Using 5.9-rc4 with Preemptible Kernel (Low-Latency Desktop) e.g.
+ $ uname -r
+ 5.9.0-rc4
+ $ grep PREEMPT .config
+ # CONFIG_PREEMPT_NONE is not set
+ # CONFIG_PREEMPT_VOLUNTARY is not set
+ CONFIG_PREEMPT=y
+ CONFIG_PREEMPT_COUNT=y
+ CONFIG_PREEMPTION=y
+ CONFIG_PREEMPT_RCU=y
+ CONFIG_PREEMPT_NOTIFIERS=y
+ CONFIG_DRM_I915_PREEMPT_TIMEOUT=640
+ CONFIG_DEBUG_PREEMPT=y
+ # CONFIG_PREEMPT_TRACER is not set
+ # CONFIG_PREEMPTIRQ_DELAY_TEST is not set
+
+Before:
+
+ $ cat forkit.c
+
+ #include <sys/types.h>
+ #include <unistd.h>
+ #include <sys/wait.h>
+
+ int main()
+ {
+ pid_t child;
+ int status = 0;
+
+ child = fork();
+ if (child == 0)
+ return 123;
+ wait(&status);
+ return 0;
+ }
+
+ $ gcc -o forkit forkit.c
+ $ sudo ~/bin/perf record --kcore -a -m,64M -e intel_pt/cyc/k &
+ [1] 11016
+ $ taskset 2 ./forkit
+ $ sudo pkill perf
+ $ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 17.262 MB perf.data ]
+
+ [1]+ Terminated sudo ~/bin/perf record --kcore -a -m,64M -e intel_pt/cyc/k
+ $ sudo ~/bin/perf script --show-task-events --show-switch-events --itrace=iqqe-o -C 1 --ns | grep -C 2 forkit
+ context_switch event has no tid
+ taskset 11019 [001] 66663.270045029: 1 instructions:k: ffffffffb1d9f844 strnlen_user+0xb4 ([kernel.kallsyms])
+ taskset 11019 [001] 66663.270201816: 1 instructions:k: ffffffffb1a83121 unmap_page_range+0x561 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.270327553: PERF_RECORD_COMM exec: forkit:11019/11019
+ forkit 11019 [001] 66663.270420028: 1 instructions:k: ffffffffb1db9537 __clear_user+0x27 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.270648704: 1 instructions:k: ffffffffb18829e6 do_user_addr_fault+0xf6 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.270833163: 1 instructions:k: ffffffffb230a825 irqentry_exit_to_user_mode+0x15 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.271092359: 1 instructions:k: ffffffffb1aea3d9 lock_page_memcg+0x9 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.271207092: PERF_RECORD_FORK(11020:11020):(11019:11019)
+ forkit 11019 [001] 66663.271234775: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: 11020/11020
+ forkit 11020 [001] 66663.271238407: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019
+ forkit 11020 [001] 66663.271312066: 1 instructions:k: ffffffffb1a88140 handle_mm_fault+0x10 ([kernel.kallsyms])
+ forkit 11020 [001] 66663.271476225: PERF_RECORD_EXIT(11020:11020):(11019:11019)
+ forkit 11020 [001] 66663.271497488: PERF_RECORD_SWITCH_CPU_WIDE OUT preempt next pid/tid: 11019/11019
+ forkit 11019 [001] 66663.271500523: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11020/11020
+ forkit 11019 [001] 66663.271517241: 1 instructions:k: ffffffffb24012cd error_entry+0x6d ([kernel.kallsyms])
+ forkit 11019 [001] 66663.271664080: PERF_RECORD_EXIT(11019:11019):(1386:1386)
+
+After:
+
+ $ sudo ~/bin/perf script --show-task-events --show-switch-events --itrace=iqqe-o -C 1 --ns | grep -C 2 forkit
+ taskset 11019 [001] 66663.270045029: 1 instructions:k: ffffffffb1d9f844 strnlen_user+0xb4 ([kernel.kallsyms])
+ taskset 11019 [001] 66663.270201816: 1 instructions:k: ffffffffb1a83121 unmap_page_range+0x561 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.270327553: PERF_RECORD_COMM exec: forkit:11019/11019
+ forkit 11019 [001] 66663.270420028: 1 instructions:k: ffffffffb1db9537 __clear_user+0x27 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.270648704: 1 instructions:k: ffffffffb18829e6 do_user_addr_fault+0xf6 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.270833163: 1 instructions:k: ffffffffb230a825 irqentry_exit_to_user_mode+0x15 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.271092359: 1 instructions:k: ffffffffb1aea3d9 lock_page_memcg+0x9 ([kernel.kallsyms])
+ forkit 11019 [001] 66663.271207092: PERF_RECORD_FORK(11020:11020):(11019:11019)
+ forkit 11019 [001] 66663.271234775: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: 11020/11020
+ forkit 11020 [001] 66663.271238407: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019
+ forkit 11020 [001] 66663.271312066: 1 instructions:k: ffffffffb1a88140 handle_mm_fault+0x10 ([kernel.kallsyms])
+ forkit 11020 [001] 66663.271476225: PERF_RECORD_EXIT(11020:11020):(11019:11019)
+ forkit 11020 [001] 66663.271497488: PERF_RECORD_SWITCH_CPU_WIDE OUT preempt next pid/tid: 11019/11019
+ forkit 11019 [001] 66663.271500523: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11020/11020
+ forkit 11019 [001] 66663.271517241: 1 instructions:k: ffffffffb24012cd error_entry+0x6d ([kernel.kallsyms])
+ forkit 11019 [001] 66663.271664080: PERF_RECORD_EXIT(11019:11019):(1386:1386)
+ forkit 11019 [001] 66663.271688752: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: -1/-1
+ :-1 -1 [001] 66663.271692086: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019
+ :-1 -1 [001] 66663.271707466: 1 instructions:k: ffffffffb18eb096 update_load_avg+0x306 ([kernel.kallsyms])
+
+Fixes: 86c2786994bd7c ("perf intel-pt: Add support for PERF_RECORD_SWITCH")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Yu-cheng Yu <yu-cheng.yu@intel.com>
+Link: http://lore.kernel.org/lkml/20200909084923.9096-3-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/intel-pt.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
+index c5cce3a60476b..8aeaeba48a41f 100644
+--- a/tools/perf/util/intel-pt.c
++++ b/tools/perf/util/intel-pt.c
+@@ -974,6 +974,8 @@ static void intel_pt_set_pid_tid_cpu(struct intel_pt *pt,
+
+ if (queue->tid == -1 || pt->have_sched_switch) {
+ ptq->tid = machine__get_current_tid(pt->machine, ptq->cpu);
++ if (ptq->tid == -1)
++ ptq->pid = -1;
+ thread__zput(ptq->thread);
+ }
+
+@@ -2488,10 +2490,8 @@ static int intel_pt_context_switch(struct intel_pt *pt, union perf_event *event,
+ tid = sample->tid;
+ }
+
+- if (tid == -1) {
+- pr_err("context_switch event has no tid\n");
+- return -EINVAL;
+- }
++ if (tid == -1)
++ intel_pt_log("context_switch event has no tid\n");
+
+ intel_pt_log("context_switch: cpu %d pid %d tid %d time %"PRIu64" tsc %#"PRIx64"\n",
+ cpu, pid, tid, sample->time, perf_time_to_tsc(sample->time,
+--
+2.25.1
+
--- /dev/null
+From 01a42027133e240630819952113e74c3c329ff1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Sep 2020 09:50:04 +0800
+Subject: perf stat: Skip duration_time in setup_system_wide
+
+From: Jin Yao <yao.jin@linux.intel.com>
+
+[ Upstream commit 002a3d690f95804bdef6b70b26154103518e13d9 ]
+
+Some metrics (such as DRAM_BW_Use) consists of uncore events and
+duration_time. For uncore events, counter->core.system_wide is true. But
+for duration_time, counter->core.system_wide is false so
+target.system_wide is set to false.
+
+Then 'enable_on_exec' is set in perf_event_attr of uncore event. Kernel
+will return error when trying to open the uncore event.
+
+This patch skips the duration_time in setup_system_wide then
+target.system_wide will be set to true for the evlist of uncore events +
+duration_time.
+
+Before (tested on skylake desktop):
+
+ # perf stat -M DRAM_BW_Use -- sleep 1
+ Error:
+ The sys_perf_event_open() syscall returned with 22 (Invalid argument) for event (arb/event=0x84,umask=0x1/).
+ /bin/dmesg | grep -i perf may provide additional information.
+
+After:
+
+ # perf stat -M DRAM_BW_Use -- sleep 1
+
+ Performance counter stats for 'system wide':
+
+ 169 arb/event=0x84,umask=0x1/ # 0.00 DRAM_BW_Use
+ 40,427 arb/event=0x81,umask=0x1/
+ 1,000,902,197 ns duration_time
+
+ 1.000902197 seconds time elapsed
+
+Fixes: e3ba76deef23064f ("perf tools: Force uncore events to system wide monitoring")
+Signed-off-by: Jin Yao <yao.jin@linux.intel.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jin Yao <yao.jin@intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/20200922015004.30114-1-yao.jin@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-stat.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c
+index ac2feddc75fdd..ea183922c4ef1 100644
+--- a/tools/perf/builtin-stat.c
++++ b/tools/perf/builtin-stat.c
+@@ -1671,8 +1671,10 @@ static void setup_system_wide(int forks)
+ struct evsel *counter;
+
+ evlist__for_each_entry(evsel_list, counter) {
+- if (!counter->core.system_wide)
++ if (!counter->core.system_wide &&
++ strcmp(counter->name, "duration_time")) {
+ return;
++ }
+ }
+
+ if (evsel_list->core.nr_entries)
+--
+2.25.1
+
--- /dev/null
+From b29ebe8e5e1888bc7b85470ed4608ff712192090 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 14:06:49 -0700
+Subject: perf/x86/intel/ds: Fix x86_pmu_stop warning for large PEBS
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 35d1ce6bec133679ff16325d335217f108b84871 ]
+
+A warning as below may be triggered when sampling with large PEBS.
+
+[ 410.411250] perf: interrupt took too long (72145 > 71975), lowering
+kernel.perf_event_max_sample_rate to 2000
+[ 410.724923] ------------[ cut here ]------------
+[ 410.729822] WARNING: CPU: 0 PID: 16397 at arch/x86/events/core.c:1422
+x86_pmu_stop+0x95/0xa0
+[ 410.933811] x86_pmu_del+0x50/0x150
+[ 410.937304] event_sched_out.isra.0+0xbc/0x210
+[ 410.941751] group_sched_out.part.0+0x53/0xd0
+[ 410.946111] ctx_sched_out+0x193/0x270
+[ 410.949862] __perf_event_task_sched_out+0x32c/0x890
+[ 410.954827] ? set_next_entity+0x98/0x2d0
+[ 410.958841] __schedule+0x592/0x9c0
+[ 410.962332] schedule+0x5f/0xd0
+[ 410.965477] exit_to_usermode_loop+0x73/0x120
+[ 410.969837] prepare_exit_to_usermode+0xcd/0xf0
+[ 410.974369] ret_from_intr+0x2a/0x3a
+[ 410.977946] RIP: 0033:0x40123c
+[ 411.079661] ---[ end trace bc83adaea7bb664a ]---
+
+In the non-overflow context, e.g., context switch, with large PEBS, perf
+may stop an event twice. An example is below.
+
+ //max_samples_per_tick is adjusted to 2
+ //NMI is triggered
+ intel_pmu_handle_irq()
+ handle_pmi_common()
+ drain_pebs()
+ __intel_pmu_pebs_event()
+ perf_event_overflow()
+ __perf_event_account_interrupt()
+ hwc->interrupts = 1
+ return 0
+ //A context switch happens right after the NMI.
+ //In the same tick, the perf_throttled_seq is not changed.
+ perf_event_task_sched_out()
+ perf_pmu_sched_task()
+ intel_pmu_drain_pebs_buffer()
+ __intel_pmu_pebs_event()
+ perf_event_overflow()
+ __perf_event_account_interrupt()
+ ++hwc->interrupts >= max_samples_per_tick
+ return 1
+ x86_pmu_stop(); # First stop
+ perf_event_context_sched_out()
+ task_ctx_sched_out()
+ ctx_sched_out()
+ event_sched_out()
+ x86_pmu_del()
+ x86_pmu_stop(); # Second stop and trigger the warning
+
+Perf should only invoke the perf_event_overflow() in the overflow
+context.
+
+Current drain_pebs() is called from:
+- handle_pmi_common() -- overflow context
+- intel_pmu_pebs_sched_task() -- non-overflow context
+- intel_pmu_pebs_disable() -- non-overflow context
+- intel_pmu_auto_reload_read() -- possible overflow context
+ With PERF_SAMPLE_READ + PERF_FORMAT_GROUP, the function may be
+ invoked in the NMI handler. But, before calling the function, the
+ PEBS buffer has already been drained. The __intel_pmu_pebs_event()
+ will not be called in the possible overflow context.
+
+To fix the issue, an indicator is required to distinguish between the
+overflow context aka handle_pmi_common() and other cases.
+The dummy regs pointer can be used as the indicator.
+
+In the non-overflow context, perf should treat the last record the same
+as other PEBS records, and doesn't invoke the generic overflow handler.
+
+Fixes: 21509084f999 ("perf/x86/intel: Handle multiple records in the PEBS buffer")
+Reported-by: Like Xu <like.xu@linux.intel.com>
+Suggested-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Like Xu <like.xu@linux.intel.com>
+Link: https://lkml.kernel.org/r/20200902210649.2743-1-kan.liang@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/ds.c | 32 ++++++++++++++++++++------------
+ 1 file changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c
+index e5ad97a823426..1aaba2c8a9ba6 100644
+--- a/arch/x86/events/intel/ds.c
++++ b/arch/x86/events/intel/ds.c
+@@ -669,9 +669,7 @@ int intel_pmu_drain_bts_buffer(void)
+
+ static inline void intel_pmu_drain_pebs_buffer(void)
+ {
+- struct pt_regs regs;
+-
+- x86_pmu.drain_pebs(®s);
++ x86_pmu.drain_pebs(NULL);
+ }
+
+ /*
+@@ -1736,6 +1734,7 @@ static void __intel_pmu_pebs_event(struct perf_event *event,
+ struct x86_perf_regs perf_regs;
+ struct pt_regs *regs = &perf_regs.regs;
+ void *at = get_next_pebs_record_by_bit(base, top, bit);
++ struct pt_regs dummy_iregs;
+
+ if (hwc->flags & PERF_X86_EVENT_AUTO_RELOAD) {
+ /*
+@@ -1748,6 +1747,9 @@ static void __intel_pmu_pebs_event(struct perf_event *event,
+ } else if (!intel_pmu_save_and_restart(event))
+ return;
+
++ if (!iregs)
++ iregs = &dummy_iregs;
++
+ while (count > 1) {
+ setup_sample(event, iregs, at, &data, regs);
+ perf_event_output(event, &data, regs);
+@@ -1757,16 +1759,22 @@ static void __intel_pmu_pebs_event(struct perf_event *event,
+ }
+
+ setup_sample(event, iregs, at, &data, regs);
+-
+- /*
+- * All but the last records are processed.
+- * The last one is left to be able to call the overflow handler.
+- */
+- if (perf_event_overflow(event, &data, regs)) {
+- x86_pmu_stop(event, 0);
+- return;
++ if (iregs == &dummy_iregs) {
++ /*
++ * The PEBS records may be drained in the non-overflow context,
++ * e.g., large PEBS + context switch. Perf should treat the
++ * last record the same as other PEBS records, and doesn't
++ * invoke the generic overflow handler.
++ */
++ perf_event_output(event, &data, regs);
++ } else {
++ /*
++ * All but the last records are processed.
++ * The last one is left to be able to call the overflow handler.
++ */
++ if (perf_event_overflow(event, &data, regs))
++ x86_pmu_stop(event, 0);
+ }
+-
+ }
+
+ static void intel_pmu_drain_pebs_core(struct pt_regs *iregs)
+--
+2.25.1
+
--- /dev/null
+From a6c0dac9498f8b2a44e9b95212448df474a39066 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 06:49:05 -0700
+Subject: perf/x86/intel/uncore: Reduce the number of CBOX counters
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit ee139385432e919f4d1f59b80edbc073cdae1391 ]
+
+An oops is triggered by the fuzzy test.
+
+[ 327.853081] unchecked MSR access error: RDMSR from 0x70c at rIP:
+0xffffffffc082c820 (uncore_msr_read_counter+0x10/0x50 [intel_uncore])
+[ 327.853083] Call Trace:
+[ 327.853085] <IRQ>
+[ 327.853089] uncore_pmu_event_start+0x85/0x170 [intel_uncore]
+[ 327.853093] uncore_pmu_event_add+0x1a4/0x410 [intel_uncore]
+[ 327.853097] ? event_sched_in.isra.118+0xca/0x240
+
+There are 2 GP counters for each CBOX, but the current code claims 4
+counters. Accessing the invalid registers triggers the oops.
+
+Fixes: 6e394376ee89 ("perf/x86/intel/uncore: Add Intel Icelake uncore support")
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20200925134905.8839-3-kan.liang@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore_snb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c
+index ad9798bd89cf6..aec6e63c6a04a 100644
+--- a/arch/x86/events/intel/uncore_snb.c
++++ b/arch/x86/events/intel/uncore_snb.c
+@@ -309,7 +309,7 @@ static struct intel_uncore_ops icl_uncore_msr_ops = {
+
+ static struct intel_uncore_type icl_uncore_cbox = {
+ .name = "cbox",
+- .num_counters = 4,
++ .num_counters = 2,
+ .perf_ctr_bits = 44,
+ .perf_ctr = ICL_UNC_CBO_0_PER_CTR0,
+ .event_ctl = SNB_UNC_CBO_0_PERFEVTSEL0,
+--
+2.25.1
+
--- /dev/null
+From e8fc727d2aa5b6da37f6287bcfeae778967b3add Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 06:49:04 -0700
+Subject: perf/x86/intel/uncore: Update Ice Lake uncore units
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 8f5d41f3a0f495435c88ebba8fc150c931c10fef ]
+
+There are some updates for the Icelake model specific uncore performance
+monitors. (The update can be found at 10th generation intel core
+processors families specification update Revision 004, ICL068)
+
+1) Counter 0 of ARB uncore unit is not available for software use
+2) The global 'enable bit' (bit 29) and 'freeze bit' (bit 31) of
+ MSR_UNC_PERF_GLOBAL_CTRL cannot be used to control counter behavior.
+ Needs to use local enable in event select MSR.
+
+Accessing the modified bit/registers will be ignored by HW. Users may
+observe inaccurate results with the current code.
+
+The changes of the MSR_UNC_PERF_GLOBAL_CTRL imply that groups cannot be
+read atomically anymore. Although the error of the result for a group
+becomes a bit bigger, it still far lower than not using a group. The
+group support is still kept. Only Remove the *_box() related
+implementation.
+
+Since the counter 0 of ARB uncore unit is not available, update the MSR
+address for the ARB uncore unit.
+
+There is no change for IMC uncore unit, which only include free-running
+counters.
+
+Fixes: 6e394376ee89 ("perf/x86/intel/uncore: Add Intel Icelake uncore support")
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20200925134905.8839-2-kan.liang@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/uncore_snb.c | 29 +++++++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c
+index c37cb12d0ef68..ad9798bd89cf6 100644
+--- a/arch/x86/events/intel/uncore_snb.c
++++ b/arch/x86/events/intel/uncore_snb.c
+@@ -110,6 +110,10 @@
+ #define ICL_UNC_CBO_0_PER_CTR0 0x702
+ #define ICL_UNC_CBO_MSR_OFFSET 0x8
+
++/* ICL ARB register */
++#define ICL_UNC_ARB_PER_CTR 0x3b1
++#define ICL_UNC_ARB_PERFEVTSEL 0x3b3
++
+ DEFINE_UNCORE_FORMAT_ATTR(event, event, "config:0-7");
+ DEFINE_UNCORE_FORMAT_ATTR(umask, umask, "config:8-15");
+ DEFINE_UNCORE_FORMAT_ATTR(edge, edge, "config:18");
+@@ -297,6 +301,12 @@ void skl_uncore_cpu_init(void)
+ snb_uncore_arb.ops = &skl_uncore_msr_ops;
+ }
+
++static struct intel_uncore_ops icl_uncore_msr_ops = {
++ .disable_event = snb_uncore_msr_disable_event,
++ .enable_event = snb_uncore_msr_enable_event,
++ .read_counter = uncore_msr_read_counter,
++};
++
+ static struct intel_uncore_type icl_uncore_cbox = {
+ .name = "cbox",
+ .num_counters = 4,
+@@ -305,7 +315,7 @@ static struct intel_uncore_type icl_uncore_cbox = {
+ .event_ctl = SNB_UNC_CBO_0_PERFEVTSEL0,
+ .event_mask = SNB_UNC_RAW_EVENT_MASK,
+ .msr_offset = ICL_UNC_CBO_MSR_OFFSET,
+- .ops = &skl_uncore_msr_ops,
++ .ops = &icl_uncore_msr_ops,
+ .format_group = &snb_uncore_format_group,
+ };
+
+@@ -334,13 +344,25 @@ static struct intel_uncore_type icl_uncore_clockbox = {
+ .single_fixed = 1,
+ .event_mask = SNB_UNC_CTL_EV_SEL_MASK,
+ .format_group = &icl_uncore_clock_format_group,
+- .ops = &skl_uncore_msr_ops,
++ .ops = &icl_uncore_msr_ops,
+ .event_descs = icl_uncore_events,
+ };
+
++static struct intel_uncore_type icl_uncore_arb = {
++ .name = "arb",
++ .num_counters = 1,
++ .num_boxes = 1,
++ .perf_ctr_bits = 44,
++ .perf_ctr = ICL_UNC_ARB_PER_CTR,
++ .event_ctl = ICL_UNC_ARB_PERFEVTSEL,
++ .event_mask = SNB_UNC_RAW_EVENT_MASK,
++ .ops = &icl_uncore_msr_ops,
++ .format_group = &snb_uncore_format_group,
++};
++
+ static struct intel_uncore_type *icl_msr_uncores[] = {
+ &icl_uncore_cbox,
+- &snb_uncore_arb,
++ &icl_uncore_arb,
+ &icl_uncore_clockbox,
+ NULL,
+ };
+@@ -358,7 +380,6 @@ void icl_uncore_cpu_init(void)
+ {
+ uncore_msr_uncores = icl_msr_uncores;
+ icl_uncore_cbox.num_boxes = icl_get_cbox_num();
+- snb_uncore_arb.ops = &skl_uncore_msr_ops;
+ }
+
+ enum {
+--
+2.25.1
+
--- /dev/null
+From 9140ca8f4d4d945316e2e432950d00c23140d8c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Sep 2020 17:40:26 +0300
+Subject: pinctrl: bcm: fix kconfig dependency warning when !GPIOLIB
+
+From: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+
+[ Upstream commit 513034d8b089b9a49dab57845aee70e830fe7334 ]
+
+When PINCTRL_BCM2835 is enabled and GPIOLIB is disabled, it results in the
+following Kbuild warning:
+
+WARNING: unmet direct dependencies detected for GPIOLIB_IRQCHIP
+ Depends on [n]: GPIOLIB [=n]
+ Selected by [y]:
+ - PINCTRL_BCM2835 [=y] && PINCTRL [=y] && OF [=y] && (ARCH_BCM2835 [=n] || ARCH_BRCMSTB [=n] || COMPILE_TEST [=y])
+
+The reason is that PINCTRL_BCM2835 selects GPIOLIB_IRQCHIP without
+depending on or selecting GPIOLIB while GPIOLIB_IRQCHIP is subordinate to
+GPIOLIB.
+
+Honor the kconfig menu hierarchy to remove kconfig dependency warnings.
+
+Fixes: 85ae9e512f43 ("pinctrl: bcm2835: switch to GPIOLIB_IRQCHIP")
+Signed-off-by: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+Link: https://lore.kernel.org/r/20200914144025.371370-1-fazilyildiran@gmail.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/bcm/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pinctrl/bcm/Kconfig b/drivers/pinctrl/bcm/Kconfig
+index dcf7df797af75..0ed14de0134cf 100644
+--- a/drivers/pinctrl/bcm/Kconfig
++++ b/drivers/pinctrl/bcm/Kconfig
+@@ -23,6 +23,7 @@ config PINCTRL_BCM2835
+ select PINMUX
+ select PINCONF
+ select GENERIC_PINCONF
++ select GPIOLIB
+ select GPIOLIB_IRQCHIP
+ default ARCH_BCM2835 || ARCH_BRCMSTB
+ help
+--
+2.25.1
+
--- /dev/null
+From dbb52b51b5f645106c060a0f737721734d3c2e96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Aug 2020 22:32:26 +0100
+Subject: pinctrl: mcp23s08: Fix mcp23x17 precious range
+
+From: Thomas Preston <thomas.preston@codethink.co.uk>
+
+[ Upstream commit b9b7fb29433b906635231d0a111224efa009198c ]
+
+On page 23 of the datasheet [0] it says "The register remains unchanged
+until the interrupt is cleared via a read of INTCAP or GPIO." Include
+INTCAPA and INTCAPB registers in precious range, so that they aren't
+accidentally cleared when we read via debugfs.
+
+[0] https://ww1.microchip.com/downloads/en/DeviceDoc/20001952C.pdf
+
+Fixes: 8f38910ba4f6 ("pinctrl: mcp23s08: switch to regmap caching")
+Signed-off-by: Thomas Preston <thomas.preston@codethink.co.uk>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20200828213226.1734264-3-thomas.preston@codethink.co.uk
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-mcp23s08.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c
+index 676ff9a4459e3..d8bcbefcba890 100644
+--- a/drivers/pinctrl/pinctrl-mcp23s08.c
++++ b/drivers/pinctrl/pinctrl-mcp23s08.c
+@@ -144,7 +144,7 @@ static const struct regmap_access_table mcp23x17_volatile_table = {
+ };
+
+ static const struct regmap_range mcp23x17_precious_range = {
+- .range_min = MCP_GPIO << 1,
++ .range_min = MCP_INTCAP << 1,
+ .range_max = MCP_GPIO << 1,
+ };
+
+--
+2.25.1
+
--- /dev/null
+From 1cd3d9ca8386cc3cbaa31955d879d7cb9b9b0b22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Aug 2020 22:32:25 +0100
+Subject: pinctrl: mcp23s08: Fix mcp23x17_regmap initialiser
+
+From: Thomas Preston <thomas.preston@codethink.co.uk>
+
+[ Upstream commit b445f6237744df5e8d4f56f8733b2108c611220a ]
+
+The mcp23x17_regmap is initialised with structs named "mcp23x16".
+However, the mcp23s08 driver doesn't support the MCP23016 device yet, so
+this appears to be a typo.
+
+Fixes: 8f38910ba4f6 ("pinctrl: mcp23s08: switch to regmap caching")
+Signed-off-by: Thomas Preston <thomas.preston@codethink.co.uk>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20200828213226.1734264-2-thomas.preston@codethink.co.uk
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-mcp23s08.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c
+index 3a235487e38d7..676ff9a4459e3 100644
+--- a/drivers/pinctrl/pinctrl-mcp23s08.c
++++ b/drivers/pinctrl/pinctrl-mcp23s08.c
+@@ -122,7 +122,7 @@ static const struct regmap_config mcp23x08_regmap = {
+ .max_register = MCP_OLAT,
+ };
+
+-static const struct reg_default mcp23x16_defaults[] = {
++static const struct reg_default mcp23x17_defaults[] = {
+ {.reg = MCP_IODIR << 1, .def = 0xffff},
+ {.reg = MCP_IPOL << 1, .def = 0x0000},
+ {.reg = MCP_GPINTEN << 1, .def = 0x0000},
+@@ -133,23 +133,23 @@ static const struct reg_default mcp23x16_defaults[] = {
+ {.reg = MCP_OLAT << 1, .def = 0x0000},
+ };
+
+-static const struct regmap_range mcp23x16_volatile_range = {
++static const struct regmap_range mcp23x17_volatile_range = {
+ .range_min = MCP_INTF << 1,
+ .range_max = MCP_GPIO << 1,
+ };
+
+-static const struct regmap_access_table mcp23x16_volatile_table = {
+- .yes_ranges = &mcp23x16_volatile_range,
++static const struct regmap_access_table mcp23x17_volatile_table = {
++ .yes_ranges = &mcp23x17_volatile_range,
+ .n_yes_ranges = 1,
+ };
+
+-static const struct regmap_range mcp23x16_precious_range = {
++static const struct regmap_range mcp23x17_precious_range = {
+ .range_min = MCP_GPIO << 1,
+ .range_max = MCP_GPIO << 1,
+ };
+
+-static const struct regmap_access_table mcp23x16_precious_table = {
+- .yes_ranges = &mcp23x16_precious_range,
++static const struct regmap_access_table mcp23x17_precious_table = {
++ .yes_ranges = &mcp23x17_precious_range,
+ .n_yes_ranges = 1,
+ };
+
+@@ -159,10 +159,10 @@ static const struct regmap_config mcp23x17_regmap = {
+
+ .reg_stride = 2,
+ .max_register = MCP_OLAT << 1,
+- .volatile_table = &mcp23x16_volatile_table,
+- .precious_table = &mcp23x16_precious_table,
+- .reg_defaults = mcp23x16_defaults,
+- .num_reg_defaults = ARRAY_SIZE(mcp23x16_defaults),
++ .volatile_table = &mcp23x17_volatile_table,
++ .precious_table = &mcp23x17_precious_table,
++ .reg_defaults = mcp23x17_defaults,
++ .num_reg_defaults = ARRAY_SIZE(mcp23x17_defaults),
+ .cache_type = REGCACHE_FLAT,
+ .val_format_endian = REGMAP_ENDIAN_LITTLE,
+ };
+--
+2.25.1
+
--- /dev/null
+From e1219fd1a053df00f4a4fd1edea37c78dfa7e185 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Sep 2020 20:20:49 +0300
+Subject: platform/x86: mlx-platform: Remove PSU EEPROM configuration
+
+From: Vadim Pasternak <vadimp@nvidia.com>
+
+[ Upstream commit c071afcea6ecf24a3c119f25ce9f71ffd55b5dc2 ]
+
+Remove PSU EEPROM configuration for systems class equipped with
+Mellanox chip Spectrume-2. Till now all the systems from this class
+used few types of power units, all equipped with EEPROM device with
+address space two bytes. Thus, all these devices have been handled by
+EEPROM driver "24c32".
+There is a new requirement is to support power unit replacement by "off
+the shelf" device, matching electrical required parameters. Such device
+could be equipped with different EEPROM type, which could be one byte
+address space addressing or even could be not equipped with EEPROM.
+In such case "24c32" will not work.
+
+Fixes: 1bd42d94ccab ("platform/x86: mlx-platform: Add support for new 200G IB and Ethernet systems")
+Signed-off-by: Vadim Pasternak <vadimp@nvidia.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20200923172053.26296-2-vadimp@nvidia.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/mlx-platform.c | 15 ++-------------
+ 1 file changed, 2 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/platform/x86/mlx-platform.c b/drivers/platform/x86/mlx-platform.c
+index 8fe51e43f1bc1..59b5b7eebb05a 100644
+--- a/drivers/platform/x86/mlx-platform.c
++++ b/drivers/platform/x86/mlx-platform.c
+@@ -243,15 +243,6 @@ static struct i2c_board_info mlxplat_mlxcpld_psu[] = {
+ },
+ };
+
+-static struct i2c_board_info mlxplat_mlxcpld_ng_psu[] = {
+- {
+- I2C_BOARD_INFO("24c32", 0x51),
+- },
+- {
+- I2C_BOARD_INFO("24c32", 0x50),
+- },
+-};
+-
+ static struct i2c_board_info mlxplat_mlxcpld_pwr[] = {
+ {
+ I2C_BOARD_INFO("dps460", 0x59),
+@@ -611,15 +602,13 @@ static struct mlxreg_core_data mlxplat_mlxcpld_default_ng_psu_items_data[] = {
+ .label = "psu1",
+ .reg = MLXPLAT_CPLD_LPC_REG_PSU_OFFSET,
+ .mask = BIT(0),
+- .hpdev.brdinfo = &mlxplat_mlxcpld_ng_psu[0],
+- .hpdev.nr = MLXPLAT_CPLD_PSU_MSNXXXX_NR,
++ .hpdev.nr = MLXPLAT_CPLD_NR_NONE,
+ },
+ {
+ .label = "psu2",
+ .reg = MLXPLAT_CPLD_LPC_REG_PSU_OFFSET,
+ .mask = BIT(1),
+- .hpdev.brdinfo = &mlxplat_mlxcpld_ng_psu[1],
+- .hpdev.nr = MLXPLAT_CPLD_PSU_MSNXXXX_NR,
++ .hpdev.nr = MLXPLAT_CPLD_NR_NONE,
+ },
+ };
+
+--
+2.25.1
+
--- /dev/null
+From 1556ee657e3d83395a49cf1cbb4013bf18bd5211 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 18:14:47 +0200
+Subject: PM: hibernate: remove the bogus call to get_gendisk() in
+ software_resume()
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 428805c0c5e76ef643b1fbc893edfb636b3d8aef ]
+
+get_gendisk grabs a reference on the disk and file operation, so this
+code will leak both of them while having absolutely no use for the
+gendisk itself.
+
+This effectively reverts commit 2df83fa4bce421f ("PM / Hibernate: Use
+get_gendisk to verify partition if resume_file is integer format")
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/hibernate.c | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index b6c5895ced36b..69c4cd472def3 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -839,17 +839,6 @@ static int software_resume(void)
+
+ /* Check if the device is there */
+ swsusp_resume_device = name_to_dev_t(resume_file);
+-
+- /*
+- * name_to_dev_t is ineffective to verify parition if resume_file is in
+- * integer format. (e.g. major:minor)
+- */
+- if (isdigit(resume_file[0]) && resume_wait) {
+- int partno;
+- while (!get_gendisk(swsusp_resume_device, &partno))
+- msleep(10);
+- }
+-
+ if (!swsusp_resume_device) {
+ /*
+ * Some device discovery might still be in progress; we need
+--
+2.25.1
+
--- /dev/null
+From 1930f7ff98bac2c0fb05b788451c2469b7f46df5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Sep 2020 14:52:19 +1000
+Subject: powerpc/64s/radix: Fix mm_cpumask trimming race vs kthread_use_mm
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit a665eec0a22e11cdde708c1c256a465ebe768047 ]
+
+Commit 0cef77c7798a7 ("powerpc/64s/radix: flush remote CPUs out of
+single-threaded mm_cpumask") added a mechanism to trim the mm_cpumask of
+a process under certain conditions. One of the assumptions is that
+mm_users would not be incremented via a reference outside the process
+context with mmget_not_zero() then go on to kthread_use_mm() via that
+reference.
+
+That invariant was broken by io_uring code (see previous sparc64 fix),
+but I'll point Fixes: to the original powerpc commit because we are
+changing that assumption going forward, so this will make backports
+match up.
+
+Fix this by no longer relying on that assumption, but by having each CPU
+check the mm is not being used, and clearing their own bit from the mask
+only if it hasn't been switched-to by the time the IPI is processed.
+
+This relies on commit 38cf307c1f20 ("mm: fix kthread_use_mm() vs TLB
+invalidate") and ARCH_WANT_IRQS_OFF_ACTIVATE_MM to disable irqs over mm
+switch sequences.
+
+Fixes: 0cef77c7798a7 ("powerpc/64s/radix: flush remote CPUs out of single-threaded mm_cpumask")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Reviewed-by: Michael Ellerman <mpe@ellerman.id.au>
+Depends-on: 38cf307c1f20 ("mm: fix kthread_use_mm() vs TLB invalidate")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200914045219.3736466-5-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/tlb.h | 13 -------------
+ arch/powerpc/mm/book3s64/radix_tlb.c | 23 ++++++++++++++++-------
+ 2 files changed, 16 insertions(+), 20 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/tlb.h b/arch/powerpc/include/asm/tlb.h
+index 7f3a8b9023254..02a1c18cdba3d 100644
+--- a/arch/powerpc/include/asm/tlb.h
++++ b/arch/powerpc/include/asm/tlb.h
+@@ -67,19 +67,6 @@ static inline int mm_is_thread_local(struct mm_struct *mm)
+ return false;
+ return cpumask_test_cpu(smp_processor_id(), mm_cpumask(mm));
+ }
+-static inline void mm_reset_thread_local(struct mm_struct *mm)
+-{
+- WARN_ON(atomic_read(&mm->context.copros) > 0);
+- /*
+- * It's possible for mm_access to take a reference on mm_users to
+- * access the remote mm from another thread, but it's not allowed
+- * to set mm_cpumask, so mm_users may be > 1 here.
+- */
+- WARN_ON(current->mm != mm);
+- atomic_set(&mm->context.active_cpus, 1);
+- cpumask_clear(mm_cpumask(mm));
+- cpumask_set_cpu(smp_processor_id(), mm_cpumask(mm));
+-}
+ #else /* CONFIG_PPC_BOOK3S_64 */
+ static inline int mm_is_thread_local(struct mm_struct *mm)
+ {
+diff --git a/arch/powerpc/mm/book3s64/radix_tlb.c b/arch/powerpc/mm/book3s64/radix_tlb.c
+index 67af871190c6d..b0f240afffa22 100644
+--- a/arch/powerpc/mm/book3s64/radix_tlb.c
++++ b/arch/powerpc/mm/book3s64/radix_tlb.c
+@@ -639,19 +639,29 @@ static void do_exit_flush_lazy_tlb(void *arg)
+ struct mm_struct *mm = arg;
+ unsigned long pid = mm->context.id;
+
++ /*
++ * A kthread could have done a mmget_not_zero() after the flushing CPU
++ * checked mm_is_singlethreaded, and be in the process of
++ * kthread_use_mm when interrupted here. In that case, current->mm will
++ * be set to mm, because kthread_use_mm() setting ->mm and switching to
++ * the mm is done with interrupts off.
++ */
+ if (current->mm == mm)
+- return; /* Local CPU */
++ goto out_flush;
+
+ if (current->active_mm == mm) {
+- /*
+- * Must be a kernel thread because sender is single-threaded.
+- */
+- BUG_ON(current->mm);
++ WARN_ON_ONCE(current->mm != NULL);
++ /* Is a kernel thread and is using mm as the lazy tlb */
+ mmgrab(&init_mm);
+- switch_mm(mm, &init_mm, current);
+ current->active_mm = &init_mm;
++ switch_mm_irqs_off(mm, &init_mm, current);
+ mmdrop(mm);
+ }
++
++ atomic_dec(&mm->context.active_cpus);
++ cpumask_clear_cpu(smp_processor_id(), mm_cpumask(mm));
++
++out_flush:
+ _tlbiel_pid(pid, RIC_FLUSH_ALL);
+ }
+
+@@ -666,7 +676,6 @@ static void exit_flush_lazy_tlbs(struct mm_struct *mm)
+ */
+ smp_call_function_many(mm_cpumask(mm), do_exit_flush_lazy_tlb,
+ (void *)mm, 1);
+- mm_reset_thread_local(mm);
+ }
+
+ void radix__flush_tlb_mm(struct mm_struct *mm)
+--
+2.25.1
+
--- /dev/null
+From 469f1f23653cff7bfe63d44c758e607e7f43b297 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Jun 2020 12:39:03 +0530
+Subject: powerpc/book3s64/hash/4k: Support large linear mapping range with 4K
+
+From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+
+[ Upstream commit 7746406baa3bc9e23fdd7b7da2f04d86e25ab837 ]
+
+With commit: 0034d395f89d ("powerpc/mm/hash64: Map all the kernel
+regions in the same 0xc range"), we now split the 64TB address range
+into 4 contexts each of 16TB. That implies we can do only 16TB linear
+mapping.
+
+On some systems, eg. Power9, memory attached to nodes > 0 will appear
+above 16TB in the linear mapping. This resulted in kernel crash when
+we boot such systems in hash translation mode with 4K PAGE_SIZE.
+
+This patch updates the kernel mapping such that we now start supporting upto
+61TB of memory with 4K. The kernel mapping now looks like below 4K PAGE_SIZE
+and hash translation.
+
+ vmalloc start = 0xc0003d0000000000
+ IO start = 0xc0003e0000000000
+ vmemmap start = 0xc0003f0000000000
+
+Our MAX_PHYSMEM_BITS for 4K is still 64TB even though we can only map 61TB.
+We prevent bolt mapping anything outside 61TB range by checking against
+H_VMALLOC_START.
+
+Fixes: 0034d395f89d ("powerpc/mm/hash64: Map all the kernel regions in the same 0xc range")
+Reported-by: Cameron Berkenpas <cam@neo-zeon.de>
+Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200608070904.387440-3-aneesh.kumar@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/book3s/64/hash-4k.h | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/book3s/64/hash-4k.h b/arch/powerpc/include/asm/book3s/64/hash-4k.h
+index 3f9ae3585ab98..80c9534148821 100644
+--- a/arch/powerpc/include/asm/book3s/64/hash-4k.h
++++ b/arch/powerpc/include/asm/book3s/64/hash-4k.h
+@@ -13,20 +13,19 @@
+ */
+ #define MAX_EA_BITS_PER_CONTEXT 46
+
+-#define REGION_SHIFT (MAX_EA_BITS_PER_CONTEXT - 2)
+
+ /*
+- * Our page table limit us to 64TB. Hence for the kernel mapping,
+- * each MAP area is limited to 16 TB.
+- * The four map areas are: linear mapping, vmap, IO and vmemmap
++ * Our page table limit us to 64TB. For 64TB physical memory, we only need 64GB
++ * of vmemmap space. To better support sparse memory layout, we use 61TB
++ * linear map range, 1TB of vmalloc, 1TB of I/O and 1TB of vmememmap.
+ */
++#define REGION_SHIFT (40)
+ #define H_KERN_MAP_SIZE (ASM_CONST(1) << REGION_SHIFT)
+
+ /*
+- * Define the address range of the kernel non-linear virtual area
+- * 16TB
++ * Define the address range of the kernel non-linear virtual area (61TB)
+ */
+-#define H_KERN_VIRT_START ASM_CONST(0xc000100000000000)
++#define H_KERN_VIRT_START ASM_CONST(0xc0003d0000000000)
+
+ #ifndef __ASSEMBLY__
+ #define H_PTE_TABLE_SIZE (sizeof(pte_t) << H_PTE_INDEX_SIZE)
+--
+2.25.1
+
--- /dev/null
+From f70fe0826c5dddffcd95e1fe62fef99cd5465130 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jul 2018 10:03:27 +0200
+Subject: powerpc/icp-hv: Fix missing of_node_put() in success path
+
+From: Nicholas Mc Guire <hofrat@osadl.org>
+
+[ Upstream commit d3e669f31ec35856f5e85df9224ede5bdbf1bc7b ]
+
+Both of_find_compatible_node() and of_find_node_by_type() will return
+a refcounted node on success - thus for the success path the node must
+be explicitly released with a of_node_put().
+
+Fixes: 0b05ac6e2480 ("powerpc/xics: Rewrite XICS driver")
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1530691407-3991-1-git-send-email-hofrat@osadl.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/sysdev/xics/icp-hv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/sysdev/xics/icp-hv.c b/arch/powerpc/sysdev/xics/icp-hv.c
+index ad8117148ea3b..21b9d1bf39ff6 100644
+--- a/arch/powerpc/sysdev/xics/icp-hv.c
++++ b/arch/powerpc/sysdev/xics/icp-hv.c
+@@ -174,6 +174,7 @@ int icp_hv_init(void)
+
+ icp_ops = &icp_hv_ops;
+
++ of_node_put(np);
+ return 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From a891f78d295d75a246068957d482f4660c210dbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Sep 2020 03:10:04 -0400
+Subject: powerpc/perf: Exclude pmc5/6 from the irrelevant PMU group
+ constraints
+
+From: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+
+[ Upstream commit 3b6c3adbb2fa42749c3d38cfc4d4d0b7e096bb7b ]
+
+PMU counter support functions enforces event constraints for group of
+events to check if all events in a group can be monitored. Incase of
+event codes using PMC5 and PMC6 ( 500fa and 600f4 respectively ), not
+all constraints are applicable, say the threshold or sample bits. But
+current code includes pmc5 and pmc6 in some group constraints (like
+IC_DC Qualifier bits) which is actually not applicable and hence
+results in those events not getting counted when scheduled along with
+group of other events. Patch fixes this by excluding PMC5/6 from
+constraints which are not relevant for it.
+
+Fixes: 7ffd948 ("powerpc/perf: factor out power8 pmu functions")
+Signed-off-by: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Reviewed-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1600672204-1610-1-git-send-email-atrajeev@linux.vnet.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/perf/isa207-common.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/arch/powerpc/perf/isa207-common.c b/arch/powerpc/perf/isa207-common.c
+index 4c86da5eb28ab..0b5c8f4fbdbfd 100644
+--- a/arch/powerpc/perf/isa207-common.c
++++ b/arch/powerpc/perf/isa207-common.c
+@@ -269,6 +269,15 @@ int isa207_get_constraint(u64 event, unsigned long *maskp, unsigned long *valp)
+
+ mask |= CNST_PMC_MASK(pmc);
+ value |= CNST_PMC_VAL(pmc);
++
++ /*
++ * PMC5 and PMC6 are used to count cycles and instructions and
++ * they do not support most of the constraint bits. Add a check
++ * to exclude PMC5/6 from most of the constraints except for
++ * EBB/BHRB.
++ */
++ if (pmc >= 5)
++ goto ebb_bhrb;
+ }
+
+ if (pmc <= 4) {
+@@ -335,6 +344,7 @@ int isa207_get_constraint(u64 event, unsigned long *maskp, unsigned long *valp)
+ }
+ }
+
++ebb_bhrb:
+ if (!pmc && ebb)
+ /* EBB events must specify the PMC */
+ return -1;
+--
+2.25.1
+
--- /dev/null
+From 231b6d3162eb0602c6f56ec6f43872d2be0c5bf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Oct 2020 13:19:39 +0530
+Subject: powerpc/perf/hv-gpci: Fix starting index value
+
+From: Kajol Jain <kjain@linux.ibm.com>
+
+[ Upstream commit 0f9866f7e85765bbda86666df56c92f377c3bc10 ]
+
+Commit 9e9f60108423f ("powerpc/perf/{hv-gpci, hv-common}: generate
+requests with counters annotated") adds a framework for defining
+gpci counters.
+In this patch, they adds starting_index value as '0xffffffffffffffff'.
+which is wrong as starting_index is of size 32 bits.
+
+Because of this, incase we try to run hv-gpci event we get error.
+
+In power9 machine:
+
+command#: perf stat -e hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/
+ -C 0 -I 1000
+event syntax error: '..bie_count_and_time_tlbie_instructions_issued/'
+ \___ value too big for format, maximum is 4294967295
+
+This patch fix this issue and changes starting_index value to '0xffffffff'
+
+After this patch:
+
+command#: perf stat -e hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ -C 0 -I 1000
+ 1.000085786 1,024 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/
+ 2.000287818 1,024 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/
+ 2.439113909 17,408 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/
+
+Fixes: 9e9f60108423 ("powerpc/perf/{hv-gpci, hv-common}: generate requests with counters annotated")
+Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20201003074943.338618-1-kjain@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/perf/hv-gpci-requests.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/perf/hv-gpci-requests.h b/arch/powerpc/perf/hv-gpci-requests.h
+index e608f9db12ddc..8965b4463d433 100644
+--- a/arch/powerpc/perf/hv-gpci-requests.h
++++ b/arch/powerpc/perf/hv-gpci-requests.h
+@@ -95,7 +95,7 @@ REQUEST(__field(0, 8, partition_id)
+
+ #define REQUEST_NAME system_performance_capabilities
+ #define REQUEST_NUM 0x40
+-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff"
++#define REQUEST_IDX_KIND "starting_index=0xffffffff"
+ #include I(REQUEST_BEGIN)
+ REQUEST(__field(0, 1, perf_collect_privileged)
+ __field(0x1, 1, capability_mask)
+@@ -223,7 +223,7 @@ REQUEST(__field(0, 2, partition_id)
+
+ #define REQUEST_NAME system_hypervisor_times
+ #define REQUEST_NUM 0xF0
+-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff"
++#define REQUEST_IDX_KIND "starting_index=0xffffffff"
+ #include I(REQUEST_BEGIN)
+ REQUEST(__count(0, 8, time_spent_to_dispatch_virtual_processors)
+ __count(0x8, 8, time_spent_processing_virtual_processor_timers)
+@@ -234,7 +234,7 @@ REQUEST(__count(0, 8, time_spent_to_dispatch_virtual_processors)
+
+ #define REQUEST_NAME system_tlbie_count_and_time
+ #define REQUEST_NUM 0xF4
+-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff"
++#define REQUEST_IDX_KIND "starting_index=0xffffffff"
+ #include I(REQUEST_BEGIN)
+ REQUEST(__count(0, 8, tlbie_instructions_issued)
+ /*
+--
+2.25.1
+
--- /dev/null
+From 89e9bbe045769400eedaae2fc5253a6f7f816fd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Oct 2020 22:12:10 +0530
+Subject: powerpc/powernv/dump: Fix race while processing OPAL dump
+
+From: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
+
+[ Upstream commit 0a43ae3e2beb77e3481d812834d33abe270768ab ]
+
+Every dump reported by OPAL is exported to userspace through a sysfs
+interface and notified using kobject_uevent(). The userspace daemon
+(opal_errd) then reads the dump and acknowledges that the dump is
+saved safely to disk. Once acknowledged the kernel removes the
+respective sysfs file entry causing respective resources to be
+released including kobject.
+
+However it's possible the userspace daemon may already be scanning
+dump entries when a new sysfs dump entry is created by the kernel.
+User daemon may read this new entry and ack it even before kernel can
+notify userspace about it through kobject_uevent() call. If that
+happens then we have a potential race between
+dump_ack_store->kobject_put() and kobject_uevent which can lead to
+use-after-free of a kernfs object resulting in a kernel crash.
+
+This patch fixes this race by protecting the sysfs file
+creation/notification by holding a reference count on kobject until we
+safely send kobject_uevent().
+
+The function create_dump_obj() returns the dump object which if used
+by caller function will end up in use-after-free problem again.
+However, the return value of create_dump_obj() function isn't being
+used today and there is no need as well. Hence change it to return
+void to make this fix complete.
+
+Fixes: c7e64b9ce04a ("powerpc/powernv Platform dump interface")
+Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20201017164210.264619-1-hegdevasant@linux.vnet.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/powernv/opal-dump.c | 41 +++++++++++++++-------
+ 1 file changed, 29 insertions(+), 12 deletions(-)
+
+diff --git a/arch/powerpc/platforms/powernv/opal-dump.c b/arch/powerpc/platforms/powernv/opal-dump.c
+index 543c816fa99ef..0e6693bacb7e7 100644
+--- a/arch/powerpc/platforms/powernv/opal-dump.c
++++ b/arch/powerpc/platforms/powernv/opal-dump.c
+@@ -318,15 +318,14 @@ static ssize_t dump_attr_read(struct file *filep, struct kobject *kobj,
+ return count;
+ }
+
+-static struct dump_obj *create_dump_obj(uint32_t id, size_t size,
+- uint32_t type)
++static void create_dump_obj(uint32_t id, size_t size, uint32_t type)
+ {
+ struct dump_obj *dump;
+ int rc;
+
+ dump = kzalloc(sizeof(*dump), GFP_KERNEL);
+ if (!dump)
+- return NULL;
++ return;
+
+ dump->kobj.kset = dump_kset;
+
+@@ -346,21 +345,39 @@ static struct dump_obj *create_dump_obj(uint32_t id, size_t size,
+ rc = kobject_add(&dump->kobj, NULL, "0x%x-0x%x", type, id);
+ if (rc) {
+ kobject_put(&dump->kobj);
+- return NULL;
++ return;
+ }
+
++ /*
++ * As soon as the sysfs file for this dump is created/activated there is
++ * a chance the opal_errd daemon (or any userspace) might read and
++ * acknowledge the dump before kobject_uevent() is called. If that
++ * happens then there is a potential race between
++ * dump_ack_store->kobject_put() and kobject_uevent() which leads to a
++ * use-after-free of a kernfs object resulting in a kernel crash.
++ *
++ * To avoid that, we need to take a reference on behalf of the bin file,
++ * so that our reference remains valid while we call kobject_uevent().
++ * We then drop our reference before exiting the function, leaving the
++ * bin file to drop the last reference (if it hasn't already).
++ */
++
++ /* Take a reference for the bin file */
++ kobject_get(&dump->kobj);
+ rc = sysfs_create_bin_file(&dump->kobj, &dump->dump_attr);
+- if (rc) {
++ if (rc == 0) {
++ kobject_uevent(&dump->kobj, KOBJ_ADD);
++
++ pr_info("%s: New platform dump. ID = 0x%x Size %u\n",
++ __func__, dump->id, dump->size);
++ } else {
++ /* Drop reference count taken for bin file */
+ kobject_put(&dump->kobj);
+- return NULL;
+ }
+
+- pr_info("%s: New platform dump. ID = 0x%x Size %u\n",
+- __func__, dump->id, dump->size);
+-
+- kobject_uevent(&dump->kobj, KOBJ_ADD);
+-
+- return dump;
++ /* Drop our reference */
++ kobject_put(&dump->kobj);
++ return;
+ }
+
+ static irqreturn_t process_dump(int irq, void *data)
+--
+2.25.1
+
--- /dev/null
+From 7b1bc27c26c13644c53d52382640dabb0a20d0ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jul 2020 12:09:46 +0530
+Subject: powerpc/pseries: Avoid using addr_to_pfn in real mode
+
+From: Ganesh Goudar <ganeshgr@linux.ibm.com>
+
+[ Upstream commit 4ff753feab021242144818b9a3ba011238218145 ]
+
+When an UE or memory error exception is encountered the MCE handler
+tries to find the pfn using addr_to_pfn() which takes effective
+address as an argument, later pfn is used to poison the page where
+memory error occurred, recent rework in this area made addr_to_pfn
+to run in real mode, which can be fatal as it may try to access
+memory outside RMO region.
+
+Have two helper functions to separate things to be done in real mode
+and virtual mode without changing any functionality. This also fixes
+the following error as the use of addr_to_pfn is now moved to virtual
+mode.
+
+Without this change following kernel crash is seen on hitting UE.
+
+[ 485.128036] Oops: Kernel access of bad area, sig: 11 [#1]
+[ 485.128040] LE SMP NR_CPUS=2048 NUMA pSeries
+[ 485.128047] Modules linked in:
+[ 485.128067] CPU: 15 PID: 6536 Comm: insmod Kdump: loaded Tainted: G OE 5.7.0 #22
+[ 485.128074] NIP: c00000000009b24c LR: c0000000000398d8 CTR: c000000000cd57c0
+[ 485.128078] REGS: c000000003f1f970 TRAP: 0300 Tainted: G OE (5.7.0)
+[ 485.128082] MSR: 8000000000001003 <SF,ME,RI,LE> CR: 28008284 XER: 00000001
+[ 485.128088] CFAR: c00000000009b190 DAR: c0000001fab00000 DSISR: 40000000 IRQMASK: 1
+[ 485.128088] GPR00: 0000000000000001 c000000003f1fbf0 c000000001634300 0000b0fa01000000
+[ 485.128088] GPR04: d000000002220000 0000000000000000 00000000fab00000 0000000000000022
+[ 485.128088] GPR08: c0000001fab00000 0000000000000000 c0000001fab00000 c000000003f1fc14
+[ 485.128088] GPR12: 0000000000000008 c000000003ff5880 d000000002100008 0000000000000000
+[ 485.128088] GPR16: 000000000000ff20 000000000000fff1 000000000000fff2 d0000000021a1100
+[ 485.128088] GPR20: d000000002200000 c00000015c893c50 c000000000d49b28 c00000015c893c50
+[ 485.128088] GPR24: d0000000021a0d08 c0000000014e5da8 d0000000021a0818 000000000000000a
+[ 485.128088] GPR28: 0000000000000008 000000000000000a c0000000017e2970 000000000000000a
+[ 485.128125] NIP [c00000000009b24c] __find_linux_pte+0x11c/0x310
+[ 485.128130] LR [c0000000000398d8] addr_to_pfn+0x138/0x170
+[ 485.128133] Call Trace:
+[ 485.128135] Instruction dump:
+[ 485.128138] 3929ffff 7d4a3378 7c883c36 7d2907b4 794a1564 7d294038 794af082 3900ffff
+[ 485.128144] 79291f24 790af00e 78e70020 7d095214 <7c69502a> 2fa30000 419e011c 70690040
+[ 485.128152] ---[ end trace d34b27e29ae0e340 ]---
+
+Fixes: 9ca766f9891d ("powerpc/64s/pseries: machine check convert to use common event code")
+Signed-off-by: Ganesh Goudar <ganeshgr@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200724063946.21378-1-ganeshgr@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/ras.c | 118 ++++++++++++++++-----------
+ 1 file changed, 69 insertions(+), 49 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/ras.c b/arch/powerpc/platforms/pseries/ras.c
+index b3c4848869e52..b658fa627a34b 100644
+--- a/arch/powerpc/platforms/pseries/ras.c
++++ b/arch/powerpc/platforms/pseries/ras.c
+@@ -494,18 +494,55 @@ int pSeries_system_reset_exception(struct pt_regs *regs)
+ return 0; /* need to perform reset */
+ }
+
++static int mce_handle_err_realmode(int disposition, u8 error_type)
++{
++#ifdef CONFIG_PPC_BOOK3S_64
++ if (disposition == RTAS_DISP_NOT_RECOVERED) {
++ switch (error_type) {
++ case MC_ERROR_TYPE_SLB:
++ case MC_ERROR_TYPE_ERAT:
++ /*
++ * Store the old slb content in paca before flushing.
++ * Print this when we go to virtual mode.
++ * There are chances that we may hit MCE again if there
++ * is a parity error on the SLB entry we trying to read
++ * for saving. Hence limit the slb saving to single
++ * level of recursion.
++ */
++ if (local_paca->in_mce == 1)
++ slb_save_contents(local_paca->mce_faulty_slbs);
++ flush_and_reload_slb();
++ disposition = RTAS_DISP_FULLY_RECOVERED;
++ break;
++ default:
++ break;
++ }
++ } else if (disposition == RTAS_DISP_LIMITED_RECOVERY) {
++ /* Platform corrected itself but could be degraded */
++ pr_err("MCE: limited recovery, system may be degraded\n");
++ disposition = RTAS_DISP_FULLY_RECOVERED;
++ }
++#endif
++ return disposition;
++}
+
+-static int mce_handle_error(struct pt_regs *regs, struct rtas_error_log *errp)
++static int mce_handle_err_virtmode(struct pt_regs *regs,
++ struct rtas_error_log *errp,
++ struct pseries_mc_errorlog *mce_log,
++ int disposition)
+ {
+ struct mce_error_info mce_err = { 0 };
+- unsigned long eaddr = 0, paddr = 0;
+- struct pseries_errorlog *pseries_log;
+- struct pseries_mc_errorlog *mce_log;
+- int disposition = rtas_error_disposition(errp);
+ int initiator = rtas_error_initiator(errp);
+ int severity = rtas_error_severity(errp);
++ unsigned long eaddr = 0, paddr = 0;
+ u8 error_type, err_sub_type;
+
++ if (!mce_log)
++ goto out;
++
++ error_type = mce_log->error_type;
++ err_sub_type = rtas_mc_error_sub_type(mce_log);
++
+ if (initiator == RTAS_INITIATOR_UNKNOWN)
+ mce_err.initiator = MCE_INITIATOR_UNKNOWN;
+ else if (initiator == RTAS_INITIATOR_CPU)
+@@ -544,18 +581,7 @@ static int mce_handle_error(struct pt_regs *regs, struct rtas_error_log *errp)
+ mce_err.error_type = MCE_ERROR_TYPE_UNKNOWN;
+ mce_err.error_class = MCE_ECLASS_UNKNOWN;
+
+- if (!rtas_error_extended(errp))
+- goto out;
+-
+- pseries_log = get_pseries_errorlog(errp, PSERIES_ELOG_SECT_ID_MCE);
+- if (pseries_log == NULL)
+- goto out;
+-
+- mce_log = (struct pseries_mc_errorlog *)pseries_log->data;
+- error_type = mce_log->error_type;
+- err_sub_type = rtas_mc_error_sub_type(mce_log);
+-
+- switch (mce_log->error_type) {
++ switch (error_type) {
+ case MC_ERROR_TYPE_UE:
+ mce_err.error_type = MCE_ERROR_TYPE_UE;
+ switch (err_sub_type) {
+@@ -652,37 +678,31 @@ static int mce_handle_error(struct pt_regs *regs, struct rtas_error_log *errp)
+ mce_err.error_type = MCE_ERROR_TYPE_UNKNOWN;
+ break;
+ }
++out:
++ save_mce_event(regs, disposition == RTAS_DISP_FULLY_RECOVERED,
++ &mce_err, regs->nip, eaddr, paddr);
++ return disposition;
++}
+
+-#ifdef CONFIG_PPC_BOOK3S_64
+- if (disposition == RTAS_DISP_NOT_RECOVERED) {
+- switch (error_type) {
+- case MC_ERROR_TYPE_SLB:
+- case MC_ERROR_TYPE_ERAT:
+- /*
+- * Store the old slb content in paca before flushing.
+- * Print this when we go to virtual mode.
+- * There are chances that we may hit MCE again if there
+- * is a parity error on the SLB entry we trying to read
+- * for saving. Hence limit the slb saving to single
+- * level of recursion.
+- */
+- if (local_paca->in_mce == 1)
+- slb_save_contents(local_paca->mce_faulty_slbs);
+- flush_and_reload_slb();
+- disposition = RTAS_DISP_FULLY_RECOVERED;
+- break;
+- default:
+- break;
+- }
+- } else if (disposition == RTAS_DISP_LIMITED_RECOVERY) {
+- /* Platform corrected itself but could be degraded */
+- printk(KERN_ERR "MCE: limited recovery, system may "
+- "be degraded\n");
+- disposition = RTAS_DISP_FULLY_RECOVERED;
+- }
+-#endif
++static int mce_handle_error(struct pt_regs *regs, struct rtas_error_log *errp)
++{
++ struct pseries_errorlog *pseries_log;
++ struct pseries_mc_errorlog *mce_log = NULL;
++ int disposition = rtas_error_disposition(errp);
++ u8 error_type;
++
++ if (!rtas_error_extended(errp))
++ goto out;
++
++ pseries_log = get_pseries_errorlog(errp, PSERIES_ELOG_SECT_ID_MCE);
++ if (!pseries_log)
++ goto out;
++
++ mce_log = (struct pseries_mc_errorlog *)pseries_log->data;
++ error_type = mce_log->error_type;
++
++ disposition = mce_handle_err_realmode(disposition, error_type);
+
+-out:
+ /*
+ * Enable translation as we will be accessing per-cpu variables
+ * in save_mce_event() which may fall outside RMO region, also
+@@ -693,10 +713,10 @@ static int mce_handle_error(struct pt_regs *regs, struct rtas_error_log *errp)
+ * Note: All the realmode handling like flushing SLB entries for
+ * SLB multihit is done by now.
+ */
++out:
+ mtmsr(mfmsr() | MSR_IR | MSR_DR);
+- save_mce_event(regs, disposition == RTAS_DISP_FULLY_RECOVERED,
+- &mce_err, regs->nip, eaddr, paddr);
+-
++ disposition = mce_handle_err_virtmode(regs, errp, mce_log,
++ disposition);
+ return disposition;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From d592f4eb98122ad5c37e8a039ada2aa98d080d70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 10:11:31 -0500
+Subject: powerpc/pseries: explicitly reschedule during drmem_lmb list
+ traversal
+
+From: Nathan Lynch <nathanl@linux.ibm.com>
+
+[ Upstream commit 9d6792ffe140240ae54c881cc4183f9acc24b4df ]
+
+The drmem lmb list can have hundreds of thousands of entries, and
+unfortunately lookups take the form of linear searches. As long as
+this is the case, traversals have the potential to monopolize the CPU
+and provoke lockup reports, workqueue stalls, and the like unless
+they explicitly yield.
+
+Rather than placing cond_resched() calls within various
+for_each_drmem_lmb() loop blocks in the code, put it in the iteration
+expression of the loop macro itself so users can't omit it.
+
+Introduce a drmem_lmb_next() iteration helper function which calls
+cond_resched() at a regular interval during array traversal. Each
+iteration of the loop in DLPAR code paths can involve around ten RTAS
+calls which can each take up to 250us, so this ensures the check is
+performed at worst every few milliseconds.
+
+Fixes: 6c6ea53725b3 ("powerpc/mm: Separate ibm, dynamic-memory data from DT format")
+Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200813151131.2070161-1-nathanl@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/drmem.h | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/include/asm/drmem.h b/arch/powerpc/include/asm/drmem.h
+index 28c3d936fdf32..dcd6ac098a6e4 100644
+--- a/arch/powerpc/include/asm/drmem.h
++++ b/arch/powerpc/include/asm/drmem.h
+@@ -8,6 +8,8 @@
+ #ifndef _ASM_POWERPC_LMB_H
+ #define _ASM_POWERPC_LMB_H
+
++#include <linux/sched.h>
++
+ struct drmem_lmb {
+ u64 base_addr;
+ u32 drc_index;
+@@ -26,8 +28,22 @@ struct drmem_lmb_info {
+
+ extern struct drmem_lmb_info *drmem_info;
+
++static inline struct drmem_lmb *drmem_lmb_next(struct drmem_lmb *lmb,
++ const struct drmem_lmb *start)
++{
++ /*
++ * DLPAR code paths can take several milliseconds per element
++ * when interacting with firmware. Ensure that we don't
++ * unfairly monopolize the CPU.
++ */
++ if (((++lmb - start) % 16) == 0)
++ cond_resched();
++
++ return lmb;
++}
++
+ #define for_each_drmem_lmb_in_range(lmb, start, end) \
+- for ((lmb) = (start); (lmb) < (end); (lmb)++)
++ for ((lmb) = (start); (lmb) < (end); lmb = drmem_lmb_next(lmb, start))
+
+ #define for_each_drmem_lmb(lmb) \
+ for_each_drmem_lmb_in_range((lmb), \
+--
+2.25.1
+
--- /dev/null
+From bd29023d16d0723cec8ab5feb02cae919f7fc966 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Jul 2018 11:08:16 +0200
+Subject: powerpc/pseries: Fix missing of_node_put() in rng_init()
+
+From: Nicholas Mc Guire <hofrat@osadl.org>
+
+[ Upstream commit 67c3e59443f5fc77be39e2ce0db75fbfa78c7965 ]
+
+The call to of_find_compatible_node() returns a node pointer with
+refcount incremented thus it must be explicitly decremented here
+before returning.
+
+Fixes: a489043f4626 ("powerpc/pseries: Implement arch_get_random_long() based on H_RANDOM")
+Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1530522496-14816-1-git-send-email-hofrat@osadl.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/rng.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/platforms/pseries/rng.c b/arch/powerpc/platforms/pseries/rng.c
+index bbb97169bf63e..6268545947b83 100644
+--- a/arch/powerpc/platforms/pseries/rng.c
++++ b/arch/powerpc/platforms/pseries/rng.c
+@@ -36,6 +36,7 @@ static __init int rng_init(void)
+
+ ppc_md.get_random_seed = pseries_get_random_long;
+
++ of_node_put(dn);
+ return 0;
+ }
+ machine_subsys_initcall(pseries, rng_init);
+--
+2.25.1
+
--- /dev/null
+From 97fe1f031a630ecedd0913c6fe1e0cd98a79a38b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Sep 2020 09:02:20 +1000
+Subject: powerpc/tau: Check processor type before enabling TAU interrupt
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit 5e3119e15fed5b9a9a7e528665ff098a4a8dbdbc ]
+
+According to Freescale's documentation, MPC74XX processors have an
+erratum that prevents the TAU interrupt from working, so don't try to
+use it when running on those processors.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/c281611544768e758bd58fe812cf702a5bd2d042.1599260540.git.fthain@telegraphics.com.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/tau_6xx.c | 33 ++++++++++++++-------------------
+ arch/powerpc/platforms/Kconfig | 5 ++---
+ 2 files changed, 16 insertions(+), 22 deletions(-)
+
+diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c
+index b8d7e7d498e0a..614b5b272d9c6 100644
+--- a/arch/powerpc/kernel/tau_6xx.c
++++ b/arch/powerpc/kernel/tau_6xx.c
+@@ -40,6 +40,8 @@ static struct tau_temp
+ unsigned char grew;
+ } tau[NR_CPUS];
+
++static bool tau_int_enable;
++
+ #undef DEBUG
+
+ /* TODO: put these in a /proc interface, with some sanity checks, and maybe
+@@ -54,22 +56,13 @@ static struct tau_temp
+
+ static void set_thresholds(unsigned long cpu)
+ {
+-#ifdef CONFIG_TAU_INT
+- /*
+- * setup THRM1,
+- * threshold, valid bit, enable interrupts, interrupt when below threshold
+- */
+- mtspr(SPRN_THRM1, THRM1_THRES(tau[cpu].low) | THRM1_V | THRM1_TIE | THRM1_TID);
++ u32 maybe_tie = tau_int_enable ? THRM1_TIE : 0;
+
+- /* setup THRM2,
+- * threshold, valid bit, enable interrupts, interrupt when above threshold
+- */
+- mtspr (SPRN_THRM2, THRM1_THRES(tau[cpu].high) | THRM1_V | THRM1_TIE);
+-#else
+- /* same thing but don't enable interrupts */
+- mtspr(SPRN_THRM1, THRM1_THRES(tau[cpu].low) | THRM1_V | THRM1_TID);
+- mtspr(SPRN_THRM2, THRM1_THRES(tau[cpu].high) | THRM1_V);
+-#endif
++ /* setup THRM1, threshold, valid bit, interrupt when below threshold */
++ mtspr(SPRN_THRM1, THRM1_THRES(tau[cpu].low) | THRM1_V | maybe_tie | THRM1_TID);
++
++ /* setup THRM2, threshold, valid bit, interrupt when above threshold */
++ mtspr(SPRN_THRM2, THRM1_THRES(tau[cpu].high) | THRM1_V | maybe_tie);
+ }
+
+ static void TAUupdate(int cpu)
+@@ -142,9 +135,8 @@ static void tau_timeout(void * info)
+ local_irq_save(flags);
+ cpu = smp_processor_id();
+
+-#ifndef CONFIG_TAU_INT
+- TAUupdate(cpu);
+-#endif
++ if (!tau_int_enable)
++ TAUupdate(cpu);
+
+ size = tau[cpu].high - tau[cpu].low;
+ if (size > min_window && ! tau[cpu].grew) {
+@@ -225,6 +217,9 @@ static int __init TAU_init(void)
+ return 1;
+ }
+
++ tau_int_enable = IS_ENABLED(CONFIG_TAU_INT) &&
++ !strcmp(cur_cpu_spec->platform, "ppc750");
++
+ tau_workq = alloc_workqueue("tau", WQ_UNBOUND, 1, 0);
+ if (!tau_workq)
+ return -ENOMEM;
+@@ -234,7 +229,7 @@ static int __init TAU_init(void)
+ queue_work(tau_workq, &tau_work);
+
+ pr_info("Thermal assist unit using %s, shrink_timer: %d ms\n",
+- IS_ENABLED(CONFIG_TAU_INT) ? "interrupts" : "workqueue", shrink_timer);
++ tau_int_enable ? "interrupts" : "workqueue", shrink_timer);
+ tau_initialized = 1;
+
+ return 0;
+diff --git a/arch/powerpc/platforms/Kconfig b/arch/powerpc/platforms/Kconfig
+index d82e3664ffdf8..92d7f2a7936e7 100644
+--- a/arch/powerpc/platforms/Kconfig
++++ b/arch/powerpc/platforms/Kconfig
+@@ -219,9 +219,8 @@ config TAU
+ temperature within 2-4 degrees Celsius. This option shows the current
+ on-die temperature in /proc/cpuinfo if the cpu supports it.
+
+- Unfortunately, on some chip revisions, this sensor is very inaccurate
+- and in many cases, does not work at all, so don't assume the cpu
+- temp is actually what /proc/cpuinfo says it is.
++ Unfortunately, this sensor is very inaccurate when uncalibrated, so
++ don't assume the cpu temp is actually what /proc/cpuinfo says it is.
+
+ config TAU_INT
+ bool "Interrupt driven TAU driver (DANGEROUS)"
+--
+2.25.1
+
--- /dev/null
+From 3b19a6fb3286614403f619927c3c3c326a9c59b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Sep 2020 09:02:20 +1000
+Subject: powerpc/tau: Convert from timer to workqueue
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit b1c6a0a10bfaf36ec82fde6f621da72407fa60a1 ]
+
+Since commit 19dbdcb8039cf ("smp: Warn on function calls from softirq
+context") the Thermal Assist Unit driver causes a warning like the
+following when CONFIG_SMP is enabled.
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 0 at kernel/smp.c:428 smp_call_function_many_cond+0xf4/0x38c
+ Modules linked in:
+ CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-pmac #3
+ NIP: c00b37a8 LR: c00b3abc CTR: c001218c
+ REGS: c0799c60 TRAP: 0700 Not tainted (5.7.0-pmac)
+ MSR: 00029032 <EE,ME,IR,DR,RI> CR: 42000224 XER: 00000000
+ GPR00: c00b3abc c0799d18 c076e300 c079ef5c c0011fec 00000000 00000000 00000000
+ GPR08: 00000100 00000100 00008000 ffffffff 42000224 00000000 c079d040 c079d044
+ GPR16: 00000001 00000000 00000004 c0799da0 c079f054 c07a0000 c07a0000 00000000
+ GPR24: c0011fec 00000000 c079ef5c c079ef5c 00000000 00000000 00000000 00000000
+ NIP [c00b37a8] smp_call_function_many_cond+0xf4/0x38c
+ LR [c00b3abc] on_each_cpu+0x38/0x68
+ Call Trace:
+ [c0799d18] [ffffffff] 0xffffffff (unreliable)
+ [c0799d68] [c00b3abc] on_each_cpu+0x38/0x68
+ [c0799d88] [c0096704] call_timer_fn.isra.26+0x20/0x7c
+ [c0799d98] [c0096b40] run_timer_softirq+0x1d4/0x3fc
+ [c0799df8] [c05b4368] __do_softirq+0x118/0x240
+ [c0799e58] [c0039c44] irq_exit+0xc4/0xcc
+ [c0799e68] [c000ade8] timer_interrupt+0x1b0/0x230
+ [c0799ea8] [c0013520] ret_from_except+0x0/0x14
+ --- interrupt: 901 at arch_cpu_idle+0x24/0x6c
+ LR = arch_cpu_idle+0x24/0x6c
+ [c0799f70] [00000001] 0x1 (unreliable)
+ [c0799f80] [c0060990] do_idle+0xd8/0x17c
+ [c0799fa0] [c0060ba8] cpu_startup_entry+0x24/0x28
+ [c0799fb0] [c072d220] start_kernel+0x434/0x44c
+ [c0799ff0] [00003860] 0x3860
+ Instruction dump:
+ 8129f204 2f890000 40beff98 3d20c07a 8929eec4 2f890000 40beff88 0fe00000
+ 81220000 552805de 550802ef 4182ff84 <0fe00000> 3860ffff 7f65db78 7f44d378
+ ---[ end trace 34a886e47819c2eb ]---
+
+Don't call on_each_cpu() from a timer callback, call it from a worker
+thread instead.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/bb61650bea4f4c91fb8e24b9a6f130a1438651a7.1599260540.git.fthain@telegraphics.com.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/tau_6xx.c | 38 +++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 20 deletions(-)
+
+diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c
+index 976d5bc1b5176..268205cc347da 100644
+--- a/arch/powerpc/kernel/tau_6xx.c
++++ b/arch/powerpc/kernel/tau_6xx.c
+@@ -13,13 +13,14 @@
+ */
+
+ #include <linux/errno.h>
+-#include <linux/jiffies.h>
+ #include <linux/kernel.h>
+ #include <linux/param.h>
+ #include <linux/string.h>
+ #include <linux/mm.h>
+ #include <linux/interrupt.h>
+ #include <linux/init.h>
++#include <linux/delay.h>
++#include <linux/workqueue.h>
+
+ #include <asm/io.h>
+ #include <asm/reg.h>
+@@ -39,8 +40,6 @@ static struct tau_temp
+ unsigned char grew;
+ } tau[NR_CPUS];
+
+-struct timer_list tau_timer;
+-
+ #undef DEBUG
+
+ /* TODO: put these in a /proc interface, with some sanity checks, and maybe
+@@ -50,7 +49,7 @@ struct timer_list tau_timer;
+ #define step_size 2 /* step size when temp goes out of range */
+ #define window_expand 1 /* expand the window by this much */
+ /* configurable values for shrinking the window */
+-#define shrink_timer 2*HZ /* period between shrinking the window */
++#define shrink_timer 2000 /* period between shrinking the window */
+ #define min_window 2 /* minimum window size, degrees C */
+
+ static void set_thresholds(unsigned long cpu)
+@@ -187,14 +186,18 @@ static void tau_timeout(void * info)
+ local_irq_restore(flags);
+ }
+
+-static void tau_timeout_smp(struct timer_list *unused)
+-{
++static struct workqueue_struct *tau_workq;
+
+- /* schedule ourselves to be run again */
+- mod_timer(&tau_timer, jiffies + shrink_timer) ;
++static void tau_work_func(struct work_struct *work)
++{
++ msleep(shrink_timer);
+ on_each_cpu(tau_timeout, NULL, 0);
++ /* schedule ourselves to be run again */
++ queue_work(tau_workq, work);
+ }
+
++DECLARE_WORK(tau_work, tau_work_func);
++
+ /*
+ * setup the TAU
+ *
+@@ -227,21 +230,16 @@ static int __init TAU_init(void)
+ return 1;
+ }
+
+-
+- /* first, set up the window shrinking timer */
+- timer_setup(&tau_timer, tau_timeout_smp, 0);
+- tau_timer.expires = jiffies + shrink_timer;
+- add_timer(&tau_timer);
++ tau_workq = alloc_workqueue("tau", WQ_UNBOUND, 1, 0);
++ if (!tau_workq)
++ return -ENOMEM;
+
+ on_each_cpu(TAU_init_smp, NULL, 0);
+
+- printk("Thermal assist unit ");
+-#ifdef CONFIG_TAU_INT
+- printk("using interrupts, ");
+-#else
+- printk("using timers, ");
+-#endif
+- printk("shrink_timer: %d jiffies\n", shrink_timer);
++ queue_work(tau_workq, &tau_work);
++
++ pr_info("Thermal assist unit using %s, shrink_timer: %d ms\n",
++ IS_ENABLED(CONFIG_TAU_INT) ? "interrupts" : "workqueue", shrink_timer);
+ tau_initialized = 1;
+
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From 4ca6542c6e5fc0fddda5e8f5cc867650eaa98f39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Sep 2020 09:02:20 +1000
+Subject: powerpc/tau: Disable TAU between measurements
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit e63d6fb5637e92725cf143559672a34b706bca4f ]
+
+Enabling CONFIG_TAU_INT causes random crashes:
+
+Unrecoverable exception 1700 at c0009414 (msr=1000)
+Oops: Unrecoverable exception, sig: 6 [#1]
+BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 PowerMac
+Modules linked in:
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-pmac-00043-gd5f545e1a8593 #5
+NIP: c0009414 LR: c0009414 CTR: c00116fc
+REGS: c0799eb8 TRAP: 1700 Not tainted (5.7.0-pmac-00043-gd5f545e1a8593)
+MSR: 00001000 <ME> CR: 22000228 XER: 00000100
+
+GPR00: 00000000 c0799f70 c076e300 00800000 0291c0ac 00e00000 c076e300 00049032
+GPR08: 00000001 c00116fc 00000000 dfbd3200 ffffffff 007f80a8 00000000 00000000
+GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 c075ce04
+GPR24: c075ce04 dfff8880 c07b0000 c075ce04 00080000 00000001 c079ef98 c079ef5c
+NIP [c0009414] arch_cpu_idle+0x24/0x6c
+LR [c0009414] arch_cpu_idle+0x24/0x6c
+Call Trace:
+[c0799f70] [00000001] 0x1 (unreliable)
+[c0799f80] [c0060990] do_idle+0xd8/0x17c
+[c0799fa0] [c0060ba4] cpu_startup_entry+0x20/0x28
+[c0799fb0] [c072d220] start_kernel+0x434/0x44c
+[c0799ff0] [00003860] 0x3860
+Instruction dump:
+XXXXXXXX XXXXXXXX XXXXXXXX 3d20c07b XXXXXXXX XXXXXXXX XXXXXXXX 7c0802a6
+XXXXXXXX XXXXXXXX XXXXXXXX 4e800421 XXXXXXXX XXXXXXXX XXXXXXXX 7d2000a6
+---[ end trace 3a0c9b5cb216db6b ]---
+
+Resolve this problem by disabling each THRMn comparator when handling
+the associated THRMn interrupt and by disabling the TAU entirely when
+updating THRMn thresholds.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/5a0ba3dc5612c7aac596727331284a3676c08472.1599260540.git.fthain@telegraphics.com.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/tau_6xx.c | 65 +++++++++++++---------------------
+ arch/powerpc/platforms/Kconfig | 9 ++---
+ 2 files changed, 26 insertions(+), 48 deletions(-)
+
+diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c
+index 614b5b272d9c6..0b4694b8d2482 100644
+--- a/arch/powerpc/kernel/tau_6xx.c
++++ b/arch/powerpc/kernel/tau_6xx.c
+@@ -42,8 +42,6 @@ static struct tau_temp
+
+ static bool tau_int_enable;
+
+-#undef DEBUG
+-
+ /* TODO: put these in a /proc interface, with some sanity checks, and maybe
+ * dynamic adjustment to minimize # of interrupts */
+ /* configurable values for step size and how much to expand the window when
+@@ -67,42 +65,33 @@ static void set_thresholds(unsigned long cpu)
+
+ static void TAUupdate(int cpu)
+ {
+- unsigned thrm;
+-
+-#ifdef DEBUG
+- printk("TAUupdate ");
+-#endif
++ u32 thrm;
++ u32 bits = THRM1_TIV | THRM1_TIN | THRM1_V;
+
+ /* if both thresholds are crossed, the step_sizes cancel out
+ * and the window winds up getting expanded twice. */
+- if((thrm = mfspr(SPRN_THRM1)) & THRM1_TIV){ /* is valid? */
+- if(thrm & THRM1_TIN){ /* crossed low threshold */
+- if (tau[cpu].low >= step_size){
+- tau[cpu].low -= step_size;
+- tau[cpu].high -= (step_size - window_expand);
+- }
+- tau[cpu].grew = 1;
+-#ifdef DEBUG
+- printk("low threshold crossed ");
+-#endif
++ thrm = mfspr(SPRN_THRM1);
++ if ((thrm & bits) == bits) {
++ mtspr(SPRN_THRM1, 0);
++
++ if (tau[cpu].low >= step_size) {
++ tau[cpu].low -= step_size;
++ tau[cpu].high -= (step_size - window_expand);
+ }
++ tau[cpu].grew = 1;
++ pr_debug("%s: low threshold crossed\n", __func__);
+ }
+- if((thrm = mfspr(SPRN_THRM2)) & THRM1_TIV){ /* is valid? */
+- if(thrm & THRM1_TIN){ /* crossed high threshold */
+- if (tau[cpu].high <= 127-step_size){
+- tau[cpu].low += (step_size - window_expand);
+- tau[cpu].high += step_size;
+- }
+- tau[cpu].grew = 1;
+-#ifdef DEBUG
+- printk("high threshold crossed ");
+-#endif
++ thrm = mfspr(SPRN_THRM2);
++ if ((thrm & bits) == bits) {
++ mtspr(SPRN_THRM2, 0);
++
++ if (tau[cpu].high <= 127 - step_size) {
++ tau[cpu].low += (step_size - window_expand);
++ tau[cpu].high += step_size;
+ }
++ tau[cpu].grew = 1;
++ pr_debug("%s: high threshold crossed\n", __func__);
+ }
+-
+-#ifdef DEBUG
+- printk("grew = %d\n", tau[cpu].grew);
+-#endif
+ }
+
+ #ifdef CONFIG_TAU_INT
+@@ -127,17 +116,17 @@ void TAUException(struct pt_regs * regs)
+ static void tau_timeout(void * info)
+ {
+ int cpu;
+- unsigned long flags;
+ int size;
+ int shrink;
+
+- /* disabling interrupts *should* be okay */
+- local_irq_save(flags);
+ cpu = smp_processor_id();
+
+ if (!tau_int_enable)
+ TAUupdate(cpu);
+
++ /* Stop thermal sensor comparisons and interrupts */
++ mtspr(SPRN_THRM3, 0);
++
+ size = tau[cpu].high - tau[cpu].low;
+ if (size > min_window && ! tau[cpu].grew) {
+ /* do an exponential shrink of half the amount currently over size */
+@@ -159,18 +148,12 @@ static void tau_timeout(void * info)
+
+ set_thresholds(cpu);
+
+- /*
+- * Do the enable every time, since otherwise a bunch of (relatively)
+- * complex sleep code needs to be added. One mtspr every time
+- * tau_timeout is called is probably not a big deal.
+- *
++ /* Restart thermal sensor comparisons and interrupts.
+ * The "PowerPC 740 and PowerPC 750 Microprocessor Datasheet"
+ * recommends that "the maximum value be set in THRM3 under all
+ * conditions."
+ */
+ mtspr(SPRN_THRM3, THRM3_SITV(0x1fff) | THRM3_E);
+-
+- local_irq_restore(flags);
+ }
+
+ static struct workqueue_struct *tau_workq;
+diff --git a/arch/powerpc/platforms/Kconfig b/arch/powerpc/platforms/Kconfig
+index 92d7f2a7936e7..18792a5b003a0 100644
+--- a/arch/powerpc/platforms/Kconfig
++++ b/arch/powerpc/platforms/Kconfig
+@@ -223,7 +223,7 @@ config TAU
+ don't assume the cpu temp is actually what /proc/cpuinfo says it is.
+
+ config TAU_INT
+- bool "Interrupt driven TAU driver (DANGEROUS)"
++ bool "Interrupt driven TAU driver (EXPERIMENTAL)"
+ depends on TAU
+ ---help---
+ The TAU supports an interrupt driven mode which causes an interrupt
+@@ -231,12 +231,7 @@ config TAU_INT
+ to get notified the temp has exceeded a range. With this option off,
+ a timer is used to re-check the temperature periodically.
+
+- However, on some cpus it appears that the TAU interrupt hardware
+- is buggy and can cause a situation which would lead unexplained hard
+- lockups.
+-
+- Unless you are extending the TAU driver, or enjoy kernel/hardware
+- debugging, leave this option off.
++ If in doubt, say N here.
+
+ config TAU_AVERAGE
+ bool "Average high and low temp"
+--
+2.25.1
+
--- /dev/null
+From 93d752018bcd630ab92d8db6539824a304c01af1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Sep 2020 09:02:20 +1000
+Subject: powerpc/tau: Remove duplicated set_thresholds() call
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit 420ab2bc7544d978a5d0762ee736412fe9c796ab ]
+
+The commentary at the call site seems to disagree with the code. The
+conditional prevents calling set_thresholds() via the exception handler,
+which appears to crash. Perhaps that's because it immediately triggers
+another TAU exception. Anyway, calling set_thresholds() from TAUupdate()
+is redundant because tau_timeout() does so.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/d7c7ee33232cf72a6a6bbb6ef05838b2e2b113c0.1599260540.git.fthain@telegraphics.com.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/tau_6xx.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c
+index 268205cc347da..b8d7e7d498e0a 100644
+--- a/arch/powerpc/kernel/tau_6xx.c
++++ b/arch/powerpc/kernel/tau_6xx.c
+@@ -110,11 +110,6 @@ static void TAUupdate(int cpu)
+ #ifdef DEBUG
+ printk("grew = %d\n", tau[cpu].grew);
+ #endif
+-
+-#ifndef CONFIG_TAU_INT /* tau_timeout will do this if not using interrupts */
+- set_thresholds(cpu);
+-#endif
+-
+ }
+
+ #ifdef CONFIG_TAU_INT
+--
+2.25.1
+
--- /dev/null
+From 2d3ba5ee0b190dbb8a6a6755c95fa64ebe9739b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Sep 2020 09:02:20 +1000
+Subject: powerpc/tau: Use appropriate temperature sample interval
+
+From: Finn Thain <fthain@telegraphics.com.au>
+
+[ Upstream commit 66943005cc41f48e4d05614e8f76c0ca1812f0fd ]
+
+According to the MPC750 Users Manual, the SITV value in Thermal
+Management Register 3 is 13 bits long. The present code calculates the
+SITV value as 60 * 500 cycles. This would overflow to give 10 us on
+a 500 MHz CPU rather than the intended 60 us. (But according to the
+Microprocessor Datasheet, there is also a factor of 266 that has to be
+applied to this value on certain parts i.e. speed sort above 266 MHz.)
+Always use the maximum cycle count, as recommended by the Datasheet.
+
+Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2")
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/896f542e5f0f1d6cf8218524c2b67d79f3d69b3c.1599260540.git.fthain@telegraphics.com.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/reg.h | 2 +-
+ arch/powerpc/kernel/tau_6xx.c | 12 ++++--------
+ 2 files changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
+index b3cbb1136bce0..34d08ff21b988 100644
+--- a/arch/powerpc/include/asm/reg.h
++++ b/arch/powerpc/include/asm/reg.h
+@@ -796,7 +796,7 @@
+ #define THRM1_TIN (1 << 31)
+ #define THRM1_TIV (1 << 30)
+ #define THRM1_THRES(x) ((x&0x7f)<<23)
+-#define THRM3_SITV(x) ((x&0x3fff)<<1)
++#define THRM3_SITV(x) ((x & 0x1fff) << 1)
+ #define THRM1_TID (1<<2)
+ #define THRM1_TIE (1<<1)
+ #define THRM1_V (1<<0)
+diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c
+index e2ab8a111b693..976d5bc1b5176 100644
+--- a/arch/powerpc/kernel/tau_6xx.c
++++ b/arch/powerpc/kernel/tau_6xx.c
+@@ -178,15 +178,11 @@ static void tau_timeout(void * info)
+ * complex sleep code needs to be added. One mtspr every time
+ * tau_timeout is called is probably not a big deal.
+ *
+- * Enable thermal sensor and set up sample interval timer
+- * need 20 us to do the compare.. until a nice 'cpu_speed' function
+- * call is implemented, just assume a 500 mhz clock. It doesn't really
+- * matter if we take too long for a compare since it's all interrupt
+- * driven anyway.
+- *
+- * use a extra long time.. (60 us @ 500 mhz)
++ * The "PowerPC 740 and PowerPC 750 Microprocessor Datasheet"
++ * recommends that "the maximum value be set in THRM3 under all
++ * conditions."
+ */
+- mtspr(SPRN_THRM3, THRM3_SITV(500*60) | THRM3_E);
++ mtspr(SPRN_THRM3, THRM3_SITV(0x1fff) | THRM3_E);
+
+ local_irq_restore(flags);
+ }
+--
+2.25.1
+
--- /dev/null
+From cf56d5b1f30d61c2c2ec995e31bf70c4d27bfa03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Aug 2020 20:51:15 -0500
+Subject: pseries/drmem: don't cache node id in drmem_lmb struct
+
+From: Scott Cheloha <cheloha@linux.ibm.com>
+
+[ Upstream commit e5e179aa3a39c818db8fbc2dce8d2cd24adaf657 ]
+
+At memory hot-remove time we can retrieve an LMB's nid from its
+corresponding memory_block. There is no need to store the nid
+in multiple locations.
+
+Note that lmb_to_memblock() uses find_memory_block() to get the
+corresponding memory_block. As find_memory_block() runs in sub-linear
+time this approach is negligibly slower than what we do at present.
+
+In exchange for this lookup at hot-remove time we no longer need to
+call memory_add_physaddr_to_nid() during drmem_init() for each LMB.
+On powerpc, memory_add_physaddr_to_nid() is a linear search, so this
+spares us an O(n^2) initialization during boot.
+
+On systems with many LMBs that initialization overhead is palpable and
+disruptive. For example, on a box with 249854 LMBs we're seeing
+drmem_init() take upwards of 30 seconds to complete:
+
+[ 53.721639] drmem: initializing drmem v2
+[ 80.604346] watchdog: BUG: soft lockup - CPU#65 stuck for 23s! [swapper/0:1]
+[ 80.604377] Modules linked in:
+[ 80.604389] CPU: 65 PID: 1 Comm: swapper/0 Not tainted 5.6.0-rc2+ #4
+[ 80.604397] NIP: c0000000000a4980 LR: c0000000000a4940 CTR: 0000000000000000
+[ 80.604407] REGS: c0002dbff8493830 TRAP: 0901 Not tainted (5.6.0-rc2+)
+[ 80.604412] MSR: 8000000002009033 <SF,VEC,EE,ME,IR,DR,RI,LE> CR: 44000248 XER: 0000000d
+[ 80.604431] CFAR: c0000000000a4a38 IRQMASK: 0
+[ 80.604431] GPR00: c0000000000a4940 c0002dbff8493ac0 c000000001904400 c0003cfffffede30
+[ 80.604431] GPR04: 0000000000000000 c000000000f4095a 000000000000002f 0000000010000000
+[ 80.604431] GPR08: c0000bf7ecdb7fb8 c0000bf7ecc2d3c8 0000000000000008 c00c0002fdfb2001
+[ 80.604431] GPR12: 0000000000000000 c00000001e8ec200
+[ 80.604477] NIP [c0000000000a4980] hot_add_scn_to_nid+0xa0/0x3e0
+[ 80.604486] LR [c0000000000a4940] hot_add_scn_to_nid+0x60/0x3e0
+[ 80.604492] Call Trace:
+[ 80.604498] [c0002dbff8493ac0] [c0000000000a4940] hot_add_scn_to_nid+0x60/0x3e0 (unreliable)
+[ 80.604509] [c0002dbff8493b20] [c000000000087c10] memory_add_physaddr_to_nid+0x20/0x60
+[ 80.604521] [c0002dbff8493b40] [c0000000010d4880] drmem_init+0x25c/0x2f0
+[ 80.604530] [c0002dbff8493c10] [c000000000010154] do_one_initcall+0x64/0x2c0
+[ 80.604540] [c0002dbff8493ce0] [c0000000010c4aa0] kernel_init_freeable+0x2d8/0x3a0
+[ 80.604550] [c0002dbff8493db0] [c000000000010824] kernel_init+0x2c/0x148
+[ 80.604560] [c0002dbff8493e20] [c00000000000b648] ret_from_kernel_thread+0x5c/0x74
+[ 80.604567] Instruction dump:
+[ 80.604574] 392918e8 e9490000 e90a000a e92a0000 80ea000c 1d080018 3908ffe8 7d094214
+[ 80.604586] 7fa94040 419d00dc e9490010 714a0088 <2faa0008> 409e00ac e9490000 7fbe5040
+[ 89.047390] drmem: 249854 LMB(s)
+
+With a patched kernel on the same machine we're no longer seeing the
+soft lockup. drmem_init() now completes in negligible time, even when
+the LMB count is large.
+
+Fixes: b2d3b5ee66f2 ("powerpc/pseries: Track LMB nid instead of using device tree")
+Signed-off-by: Scott Cheloha <cheloha@linux.ibm.com>
+Reviewed-by: Nathan Lynch <nathanl@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200811015115.63677-1-cheloha@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/drmem.h | 21 ----------------
+ arch/powerpc/mm/drmem.c | 6 +----
+ .../platforms/pseries/hotplug-memory.c | 24 ++++++++++++-------
+ 3 files changed, 17 insertions(+), 34 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/drmem.h b/arch/powerpc/include/asm/drmem.h
+index dcd6ac098a6e4..bea7a2405ba5d 100644
+--- a/arch/powerpc/include/asm/drmem.h
++++ b/arch/powerpc/include/asm/drmem.h
+@@ -15,9 +15,6 @@ struct drmem_lmb {
+ u32 drc_index;
+ u32 aa_index;
+ u32 flags;
+-#ifdef CONFIG_MEMORY_HOTPLUG
+- int nid;
+-#endif
+ };
+
+ struct drmem_lmb_info {
+@@ -119,22 +116,4 @@ static inline void invalidate_lmb_associativity_index(struct drmem_lmb *lmb)
+ lmb->aa_index = 0xffffffff;
+ }
+
+-#ifdef CONFIG_MEMORY_HOTPLUG
+-static inline void lmb_set_nid(struct drmem_lmb *lmb)
+-{
+- lmb->nid = memory_add_physaddr_to_nid(lmb->base_addr);
+-}
+-static inline void lmb_clear_nid(struct drmem_lmb *lmb)
+-{
+- lmb->nid = -1;
+-}
+-#else
+-static inline void lmb_set_nid(struct drmem_lmb *lmb)
+-{
+-}
+-static inline void lmb_clear_nid(struct drmem_lmb *lmb)
+-{
+-}
+-#endif
+-
+ #endif /* _ASM_POWERPC_LMB_H */
+diff --git a/arch/powerpc/mm/drmem.c b/arch/powerpc/mm/drmem.c
+index 59327cefbc6a6..873fcfc7b8756 100644
+--- a/arch/powerpc/mm/drmem.c
++++ b/arch/powerpc/mm/drmem.c
+@@ -362,10 +362,8 @@ static void __init init_drmem_v1_lmbs(const __be32 *prop)
+ if (!drmem_info->lmbs)
+ return;
+
+- for_each_drmem_lmb(lmb) {
++ for_each_drmem_lmb(lmb)
+ read_drconf_v1_cell(lmb, &prop);
+- lmb_set_nid(lmb);
+- }
+ }
+
+ static void __init init_drmem_v2_lmbs(const __be32 *prop)
+@@ -410,8 +408,6 @@ static void __init init_drmem_v2_lmbs(const __be32 *prop)
+
+ lmb->aa_index = dr_cell.aa_index;
+ lmb->flags = dr_cell.flags;
+-
+- lmb_set_nid(lmb);
+ }
+ }
+ }
+diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c
+index e7d23a933a0d3..66b32f46702de 100644
+--- a/arch/powerpc/platforms/pseries/hotplug-memory.c
++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c
+@@ -376,25 +376,32 @@ static int dlpar_add_lmb(struct drmem_lmb *);
+
+ static int dlpar_remove_lmb(struct drmem_lmb *lmb)
+ {
++ struct memory_block *mem_block;
+ unsigned long block_sz;
+ int rc;
+
+ if (!lmb_is_removable(lmb))
+ return -EINVAL;
+
++ mem_block = lmb_to_memblock(lmb);
++ if (mem_block == NULL)
++ return -EINVAL;
++
+ rc = dlpar_offline_lmb(lmb);
+- if (rc)
++ if (rc) {
++ put_device(&mem_block->dev);
+ return rc;
++ }
+
+ block_sz = pseries_memory_block_size();
+
+- __remove_memory(lmb->nid, lmb->base_addr, block_sz);
++ __remove_memory(mem_block->nid, lmb->base_addr, block_sz);
++ put_device(&mem_block->dev);
+
+ /* Update memory regions for memory remove */
+ memblock_remove(lmb->base_addr, block_sz);
+
+ invalidate_lmb_associativity_index(lmb);
+- lmb_clear_nid(lmb);
+ lmb->flags &= ~DRCONF_MEM_ASSIGNED;
+
+ return 0;
+@@ -651,7 +658,7 @@ static int dlpar_memory_remove_by_ic(u32 lmbs_to_remove, u32 drc_index)
+ static int dlpar_add_lmb(struct drmem_lmb *lmb)
+ {
+ unsigned long block_sz;
+- int rc;
++ int nid, rc;
+
+ if (lmb->flags & DRCONF_MEM_ASSIGNED)
+ return -EINVAL;
+@@ -662,11 +669,13 @@ static int dlpar_add_lmb(struct drmem_lmb *lmb)
+ return rc;
+ }
+
+- lmb_set_nid(lmb);
+ block_sz = memory_block_size_bytes();
+
++ /* Find the node id for this address. */
++ nid = memory_add_physaddr_to_nid(lmb->base_addr);
++
+ /* Add the memory */
+- rc = __add_memory(lmb->nid, lmb->base_addr, block_sz);
++ rc = __add_memory(nid, lmb->base_addr, block_sz);
+ if (rc) {
+ invalidate_lmb_associativity_index(lmb);
+ return rc;
+@@ -674,9 +683,8 @@ static int dlpar_add_lmb(struct drmem_lmb *lmb)
+
+ rc = dlpar_online_lmb(lmb);
+ if (rc) {
+- __remove_memory(lmb->nid, lmb->base_addr, block_sz);
++ __remove_memory(nid, lmb->base_addr, block_sz);
+ invalidate_lmb_associativity_index(lmb);
+- lmb_clear_nid(lmb);
+ } else {
+ lmb->flags |= DRCONF_MEM_ASSIGNED;
+ }
+--
+2.25.1
+
--- /dev/null
+From 6adff8244b8ac706bdea56354b88064a88b8ef4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 14:00:45 +0200
+Subject: pty: do tty_flip_buffer_push without port->lock in pty_write
+
+From: Artem Savkov <asavkov@redhat.com>
+
+[ Upstream commit 71a174b39f10b4b93223d374722aa894b5d8a82e ]
+
+b6da31b2c07c "tty: Fix data race in tty_insert_flip_string_fixed_flag"
+puts tty_flip_buffer_push under port->lock introducing the following
+possible circular locking dependency:
+
+[30129.876566] ======================================================
+[30129.876566] WARNING: possible circular locking dependency detected
+[30129.876567] 5.9.0-rc2+ #3 Tainted: G S W
+[30129.876568] ------------------------------------------------------
+[30129.876568] sysrq.sh/1222 is trying to acquire lock:
+[30129.876569] ffffffff92c39480 (console_owner){....}-{0:0}, at: console_unlock+0x3fe/0xa90
+
+[30129.876572] but task is already holding lock:
+[30129.876572] ffff888107cb9018 (&pool->lock/1){-.-.}-{2:2}, at: show_workqueue_state.cold.55+0x15b/0x6ca
+
+[30129.876576] which lock already depends on the new lock.
+
+[30129.876577] the existing dependency chain (in reverse order) is:
+
+[30129.876578] -> #3 (&pool->lock/1){-.-.}-{2:2}:
+[30129.876581] _raw_spin_lock+0x30/0x70
+[30129.876581] __queue_work+0x1a3/0x10f0
+[30129.876582] queue_work_on+0x78/0x80
+[30129.876582] pty_write+0x165/0x1e0
+[30129.876583] n_tty_write+0x47f/0xf00
+[30129.876583] tty_write+0x3d6/0x8d0
+[30129.876584] vfs_write+0x1a8/0x650
+
+[30129.876588] -> #2 (&port->lock#2){-.-.}-{2:2}:
+[30129.876590] _raw_spin_lock_irqsave+0x3b/0x80
+[30129.876591] tty_port_tty_get+0x1d/0xb0
+[30129.876592] tty_port_default_wakeup+0xb/0x30
+[30129.876592] serial8250_tx_chars+0x3d6/0x970
+[30129.876593] serial8250_handle_irq.part.12+0x216/0x380
+[30129.876593] serial8250_default_handle_irq+0x82/0xe0
+[30129.876594] serial8250_interrupt+0xdd/0x1b0
+[30129.876595] __handle_irq_event_percpu+0xfc/0x850
+
+[30129.876602] -> #1 (&port->lock){-.-.}-{2:2}:
+[30129.876605] _raw_spin_lock_irqsave+0x3b/0x80
+[30129.876605] serial8250_console_write+0x12d/0x900
+[30129.876606] console_unlock+0x679/0xa90
+[30129.876606] register_console+0x371/0x6e0
+[30129.876607] univ8250_console_init+0x24/0x27
+[30129.876607] console_init+0x2f9/0x45e
+
+[30129.876609] -> #0 (console_owner){....}-{0:0}:
+[30129.876611] __lock_acquire+0x2f70/0x4e90
+[30129.876612] lock_acquire+0x1ac/0xad0
+[30129.876612] console_unlock+0x460/0xa90
+[30129.876613] vprintk_emit+0x130/0x420
+[30129.876613] printk+0x9f/0xc5
+[30129.876614] show_pwq+0x154/0x618
+[30129.876615] show_workqueue_state.cold.55+0x193/0x6ca
+[30129.876615] __handle_sysrq+0x244/0x460
+[30129.876616] write_sysrq_trigger+0x48/0x4a
+[30129.876616] proc_reg_write+0x1a6/0x240
+[30129.876617] vfs_write+0x1a8/0x650
+
+[30129.876619] other info that might help us debug this:
+
+[30129.876620] Chain exists of:
+[30129.876621] console_owner --> &port->lock#2 --> &pool->lock/1
+
+[30129.876625] Possible unsafe locking scenario:
+
+[30129.876626] CPU0 CPU1
+[30129.876626] ---- ----
+[30129.876627] lock(&pool->lock/1);
+[30129.876628] lock(&port->lock#2);
+[30129.876630] lock(&pool->lock/1);
+[30129.876631] lock(console_owner);
+
+[30129.876633] *** DEADLOCK ***
+
+[30129.876634] 5 locks held by sysrq.sh/1222:
+[30129.876634] #0: ffff8881d3ce0470 (sb_writers#3){.+.+}-{0:0}, at: vfs_write+0x359/0x650
+[30129.876637] #1: ffffffff92c612c0 (rcu_read_lock){....}-{1:2}, at: __handle_sysrq+0x4d/0x460
+[30129.876640] #2: ffffffff92c612c0 (rcu_read_lock){....}-{1:2}, at: show_workqueue_state+0x5/0xf0
+[30129.876642] #3: ffff888107cb9018 (&pool->lock/1){-.-.}-{2:2}, at: show_workqueue_state.cold.55+0x15b/0x6ca
+[30129.876645] #4: ffffffff92c39980 (console_lock){+.+.}-{0:0}, at: vprintk_emit+0x123/0x420
+
+[30129.876648] stack backtrace:
+[30129.876649] CPU: 3 PID: 1222 Comm: sysrq.sh Tainted: G S W 5.9.0-rc2+ #3
+[30129.876649] Hardware name: Intel Corporation 2012 Client Platform/Emerald Lake 2, BIOS ACRVMBY1.86C.0078.P00.1201161002 01/16/2012
+[30129.876650] Call Trace:
+[30129.876650] dump_stack+0x9d/0xe0
+[30129.876651] check_noncircular+0x34f/0x410
+[30129.876653] __lock_acquire+0x2f70/0x4e90
+[30129.876656] lock_acquire+0x1ac/0xad0
+[30129.876658] console_unlock+0x460/0xa90
+[30129.876660] vprintk_emit+0x130/0x420
+[30129.876660] printk+0x9f/0xc5
+[30129.876661] show_pwq+0x154/0x618
+[30129.876662] show_workqueue_state.cold.55+0x193/0x6ca
+[30129.876664] __handle_sysrq+0x244/0x460
+[30129.876665] write_sysrq_trigger+0x48/0x4a
+[30129.876665] proc_reg_write+0x1a6/0x240
+[30129.876666] vfs_write+0x1a8/0x650
+
+It looks like the commit was aimed to protect tty_insert_flip_string and
+there is no need for tty_flip_buffer_push to be under this lock.
+
+Fixes: b6da31b2c07c ("tty: Fix data race in tty_insert_flip_string_fixed_flag")
+Signed-off-by: Artem Savkov <asavkov@redhat.com>
+Acked-by: Jiri Slaby <jirislaby@kernel.org>
+Link: https://lore.kernel.org/r/20200902120045.3693075-1-asavkov@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/pty.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
+index 00099a8439d21..c6a1d8c4e6894 100644
+--- a/drivers/tty/pty.c
++++ b/drivers/tty/pty.c
+@@ -120,10 +120,10 @@ static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c)
+ spin_lock_irqsave(&to->port->lock, flags);
+ /* Stuff the data into the input queue of the other end */
+ c = tty_insert_flip_string(to->port, buf, c);
++ spin_unlock_irqrestore(&to->port->lock, flags);
+ /* And shovel */
+ if (c)
+ tty_flip_buffer_push(to->port);
+- spin_unlock_irqrestore(&to->port->lock, flags);
+ }
+ return c;
+ }
+--
+2.25.1
+
--- /dev/null
+From b261b53539d8070d58dce7597a01d2067d5327ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 19:14:25 +0200
+Subject: pwm: img: Fix null pointer access in probe
+
+From: Hauke Mehrtens <hauke@hauke-m.de>
+
+[ Upstream commit b39c0615d0667b3a6f2f5c4bf99ffadf3b518bb1 ]
+
+dev_get_drvdata() is called in img_pwm_runtime_resume() before the
+driver data is set.
+When pm_runtime_enabled() returns false in img_pwm_probe() it calls
+img_pwm_runtime_resume() which results in a null pointer access.
+
+This patch fixes the problem by setting the driver data earlier in the
+img_pwm_probe() function.
+
+This crash was seen when booting the Imagination Technologies Creator
+Ci40 (Marduk) with kernel 5.4 in OpenWrt.
+
+Fixes: e690ae526216 ("pwm: img: Add runtime PM")
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Acked-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-img.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pwm/pwm-img.c b/drivers/pwm/pwm-img.c
+index 599a0f66a3845..a34d95ed70b20 100644
+--- a/drivers/pwm/pwm-img.c
++++ b/drivers/pwm/pwm-img.c
+@@ -277,6 +277,8 @@ static int img_pwm_probe(struct platform_device *pdev)
+ return PTR_ERR(pwm->pwm_clk);
+ }
+
++ platform_set_drvdata(pdev, pwm);
++
+ pm_runtime_set_autosuspend_delay(&pdev->dev, IMG_PWM_PM_TIMEOUT);
+ pm_runtime_use_autosuspend(&pdev->dev);
+ pm_runtime_enable(&pdev->dev);
+@@ -313,7 +315,6 @@ static int img_pwm_probe(struct platform_device *pdev)
+ goto err_suspend;
+ }
+
+- platform_set_drvdata(pdev, pwm);
+ return 0;
+
+ err_suspend:
+--
+2.25.1
+
--- /dev/null
+From 59b34eac5b50006e0bb7bef5bdc4f9fe1e430962 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Sep 2020 13:23:24 +0200
+Subject: pwm: lpss: Add range limit check for the base_unit register value
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit ef9f60daab309558c8bb3e086a9a11ee40bd6061 ]
+
+When the user requests a high enough period ns value, then the
+calculations in pwm_lpss_prepare() might result in a base_unit value of 0.
+
+But according to the data-sheet the way the PWM controller works is that
+each input clock-cycle the base_unit gets added to a N bit counter and
+that counter overflowing determines the PWM output frequency. Adding 0
+to the counter is a no-op. The data-sheet even explicitly states that
+writing 0 to the base_unit bits will result in the PWM outputting a
+continuous 0 signal.
+
+When the user requestes a low enough period ns value, then the
+calculations in pwm_lpss_prepare() might result in a base_unit value
+which is bigger then base_unit_range - 1. Currently the codes for this
+deals with this by applying a mask:
+
+ base_unit &= (base_unit_range - 1);
+
+But this means that we let the value overflow the range, we throw away the
+higher bits and store whatever value is left in the lower bits into the
+register leading to a random output frequency, rather then clamping the
+output frequency to the highest frequency which the hardware can do.
+
+This commit fixes both issues by clamping the base_unit value to be
+between 1 and (base_unit_range - 1).
+
+Fixes: 684309e5043e ("pwm: lpss: Avoid potential overflow of base_unit")
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200903112337.4113-5-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-lpss.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pwm/pwm-lpss.c b/drivers/pwm/pwm-lpss.c
+index 16f32576b320c..d77cec2769b76 100644
+--- a/drivers/pwm/pwm-lpss.c
++++ b/drivers/pwm/pwm-lpss.c
+@@ -97,6 +97,8 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm,
+ freq *= base_unit_range;
+
+ base_unit = DIV_ROUND_CLOSEST_ULL(freq, c);
++ /* base_unit must not be 0 and we also want to avoid overflowing it */
++ base_unit = clamp_val(base_unit, 1, base_unit_range - 1);
+
+ on_time_div = 255ULL * duty_ns;
+ do_div(on_time_div, period_ns);
+@@ -105,7 +107,6 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm,
+ orig_ctrl = ctrl = pwm_lpss_read(pwm);
+ ctrl &= ~PWM_ON_TIME_DIV_MASK;
+ ctrl &= ~((base_unit_range - 1) << PWM_BASE_UNIT_SHIFT);
+- base_unit &= (base_unit_range - 1);
+ ctrl |= (u32) base_unit << PWM_BASE_UNIT_SHIFT;
+ ctrl |= on_time_div;
+
+--
+2.25.1
+
--- /dev/null
+From 9cf5c9b70a6cbe1af424abee0c45e78c07aee7d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Sep 2020 13:23:23 +0200
+Subject: pwm: lpss: Fix off by one error in base_unit math in
+ pwm_lpss_prepare()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 181f4d2f44463fe09fe4df02e03095cb87151c29 ]
+
+According to the data-sheet the way the PWM controller works is that
+each input clock-cycle the base_unit gets added to a N bit counter and
+that counter overflowing determines the PWM output frequency.
+
+So assuming e.g. a 16 bit counter this means that if base_unit is set to 1,
+after 65535 input clock-cycles the counter has been increased from 0 to
+65535 and it will overflow on the next cycle, so it will overflow after
+every 65536 clock cycles and thus the calculations done in
+pwm_lpss_prepare() should use 65536 and not 65535.
+
+This commit fixes this. Note this also aligns the calculations in
+pwm_lpss_prepare() with those in pwm_lpss_get_state().
+
+Note this effectively reverts commit 684309e5043e ("pwm: lpss: Avoid
+potential overflow of base_unit"). The next patch in this series really
+fixes the potential overflow of the base_unit value.
+
+Fixes: 684309e5043e ("pwm: lpss: Avoid potential overflow of base_unit")
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Acked-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200903112337.4113-4-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-lpss.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pwm/pwm-lpss.c b/drivers/pwm/pwm-lpss.c
+index 75bbfe5f3bc29..16f32576b320c 100644
+--- a/drivers/pwm/pwm-lpss.c
++++ b/drivers/pwm/pwm-lpss.c
+@@ -93,7 +93,7 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm,
+ * The equation is:
+ * base_unit = round(base_unit_range * freq / c)
+ */
+- base_unit_range = BIT(lpwm->info->base_unit_bits) - 1;
++ base_unit_range = BIT(lpwm->info->base_unit_bits);
+ freq *= base_unit_range;
+
+ base_unit = DIV_ROUND_CLOSEST_ULL(freq, c);
+@@ -104,8 +104,8 @@ static void pwm_lpss_prepare(struct pwm_lpss_chip *lpwm, struct pwm_device *pwm,
+
+ orig_ctrl = ctrl = pwm_lpss_read(pwm);
+ ctrl &= ~PWM_ON_TIME_DIV_MASK;
+- ctrl &= ~(base_unit_range << PWM_BASE_UNIT_SHIFT);
+- base_unit &= base_unit_range;
++ ctrl &= ~((base_unit_range - 1) << PWM_BASE_UNIT_SHIFT);
++ base_unit &= (base_unit_range - 1);
+ ctrl |= (u32) base_unit << PWM_BASE_UNIT_SHIFT;
+ ctrl |= on_time_div;
+
+--
+2.25.1
+
--- /dev/null
+From fe4fc84ca95f1e7250b12adeb344df4fe70b4bd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 14:22:24 +0100
+Subject: qtnfmac: fix resource leaks on unsupported iftype error return path
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 63f6982075d890d7563e2469643f05a37d193f01 ]
+
+Currently if an unsupported iftype is detected the error return path
+does not free the cmd_skb leading to a resource leak. Fix this by
+free'ing cmd_skb.
+
+Addresses-Coverity: ("Resource leak")
+Fixes: 805b28c05c8e ("qtnfmac: prepare for AP_VLAN interface type support")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200925132224.21638-1-colin.king@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/quantenna/qtnfmac/commands.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/quantenna/qtnfmac/commands.c b/drivers/net/wireless/quantenna/qtnfmac/commands.c
+index c0c32805fb8de..106f1a846f499 100644
+--- a/drivers/net/wireless/quantenna/qtnfmac/commands.c
++++ b/drivers/net/wireless/quantenna/qtnfmac/commands.c
+@@ -834,6 +834,7 @@ int qtnf_cmd_send_del_intf(struct qtnf_vif *vif)
+ default:
+ pr_warn("VIF%u.%u: unsupported iftype %d\n", vif->mac->macid,
+ vif->vifid, vif->wdev.iftype);
++ dev_kfree_skb(cmd_skb);
+ ret = -EINVAL;
+ goto out;
+ }
+@@ -1996,6 +1997,7 @@ int qtnf_cmd_send_change_sta(struct qtnf_vif *vif, const u8 *mac,
+ break;
+ default:
+ pr_err("unsupported iftype %d\n", vif->wdev.iftype);
++ dev_kfree_skb(cmd_skb);
+ ret = -EINVAL;
+ goto out;
+ }
+--
+2.25.1
+
--- /dev/null
+From ada0f5d7359b35714383b46fedf43b7f6f2735da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Sep 2020 11:36:19 -0700
+Subject: quota: clear padding in v2r1_mem2diskdqb()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3d3dc274ce736227e3197868ff749cff2f175f63 ]
+
+Freshly allocated memory contains garbage, better make sure
+to init all struct v2r1_disk_dqblk fields to avoid KMSAN report:
+
+BUG: KMSAN: uninit-value in qtree_entry_unused+0x137/0x1b0 fs/quota/quota_tree.c:218
+CPU: 0 PID: 23373 Comm: syz-executor.1 Not tainted 5.9.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x21c/0x280 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:122
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:219
+ qtree_entry_unused+0x137/0x1b0 fs/quota/quota_tree.c:218
+ v2r1_mem2diskdqb+0x43d/0x710 fs/quota/quota_v2.c:285
+ qtree_write_dquot+0x226/0x870 fs/quota/quota_tree.c:394
+ v2_write_dquot+0x1ad/0x280 fs/quota/quota_v2.c:333
+ dquot_commit+0x4af/0x600 fs/quota/dquot.c:482
+ ext4_write_dquot fs/ext4/super.c:5934 [inline]
+ ext4_mark_dquot_dirty+0x4d8/0x6a0 fs/ext4/super.c:5985
+ mark_dquot_dirty fs/quota/dquot.c:347 [inline]
+ mark_all_dquot_dirty fs/quota/dquot.c:385 [inline]
+ dquot_alloc_inode+0xc05/0x12b0 fs/quota/dquot.c:1755
+ __ext4_new_inode+0x8204/0x9d70 fs/ext4/ialloc.c:1155
+ ext4_tmpfile+0x41a/0x850 fs/ext4/namei.c:2686
+ vfs_tmpfile+0x2a2/0x570 fs/namei.c:3283
+ do_tmpfile fs/namei.c:3316 [inline]
+ path_openat+0x4035/0x6a90 fs/namei.c:3359
+ do_filp_open+0x2b8/0x710 fs/namei.c:3395
+ do_sys_openat2+0xa88/0x1140 fs/open.c:1168
+ do_sys_open fs/open.c:1184 [inline]
+ __do_compat_sys_openat fs/open.c:1242 [inline]
+ __se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240
+ __ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240
+ do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline]
+ __do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139
+ do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162
+ do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205
+ entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
+RIP: 0023:0xf7ff4549
+Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
+RSP: 002b:00000000f55cd0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000127
+RAX: ffffffffffffffda RBX: 00000000ffffff9c RCX: 0000000020000000
+RDX: 0000000000410481 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:143 [inline]
+ kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:126
+ kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:80
+ slab_alloc_node mm/slub.c:2907 [inline]
+ slab_alloc mm/slub.c:2916 [inline]
+ __kmalloc+0x2bb/0x4b0 mm/slub.c:3982
+ kmalloc include/linux/slab.h:559 [inline]
+ getdqbuf+0x56/0x150 fs/quota/quota_tree.c:52
+ qtree_write_dquot+0xf2/0x870 fs/quota/quota_tree.c:378
+ v2_write_dquot+0x1ad/0x280 fs/quota/quota_v2.c:333
+ dquot_commit+0x4af/0x600 fs/quota/dquot.c:482
+ ext4_write_dquot fs/ext4/super.c:5934 [inline]
+ ext4_mark_dquot_dirty+0x4d8/0x6a0 fs/ext4/super.c:5985
+ mark_dquot_dirty fs/quota/dquot.c:347 [inline]
+ mark_all_dquot_dirty fs/quota/dquot.c:385 [inline]
+ dquot_alloc_inode+0xc05/0x12b0 fs/quota/dquot.c:1755
+ __ext4_new_inode+0x8204/0x9d70 fs/ext4/ialloc.c:1155
+ ext4_tmpfile+0x41a/0x850 fs/ext4/namei.c:2686
+ vfs_tmpfile+0x2a2/0x570 fs/namei.c:3283
+ do_tmpfile fs/namei.c:3316 [inline]
+ path_openat+0x4035/0x6a90 fs/namei.c:3359
+ do_filp_open+0x2b8/0x710 fs/namei.c:3395
+ do_sys_openat2+0xa88/0x1140 fs/open.c:1168
+ do_sys_open fs/open.c:1184 [inline]
+ __do_compat_sys_openat fs/open.c:1242 [inline]
+ __se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240
+ __ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240
+ do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline]
+ __do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139
+ do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162
+ do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205
+ entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
+
+Fixes: 498c60153ebb ("quota: Implement quota format with 64-bit space and inode limits")
+Link: https://lore.kernel.org/r/20200924183619.4176790-1-edumazet@google.com
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jan Kara <jack@suse.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/quota/quota_v2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/quota/quota_v2.c b/fs/quota/quota_v2.c
+index 53429c29c7842..276c27fb99280 100644
+--- a/fs/quota/quota_v2.c
++++ b/fs/quota/quota_v2.c
+@@ -284,6 +284,7 @@ static void v2r1_mem2diskdqb(void *dp, struct dquot *dquot)
+ d->dqb_curspace = cpu_to_le64(m->dqb_curspace);
+ d->dqb_btime = cpu_to_le64(m->dqb_btime);
+ d->dqb_id = cpu_to_le32(from_kqid(&init_user_ns, dquot->dq_id));
++ d->dqb_pad = 0;
+ if (qtree_entry_unused(info, dp))
+ d->dqb_itime = cpu_to_le64(1);
+ }
+--
+2.25.1
+
--- /dev/null
+From 64a9365e3ac6f68aea032fbcba8407ec432eb411 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Oct 2020 20:13:04 -0700
+Subject: ramfs: fix nommu mmap with gaps in the page cache
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit 50b7d85680086126d7bd91dae81d57d4cb1ab6b7 ]
+
+ramfs needs to check that pages are both physically contiguous and
+contiguous in the file. If the page cache happens to have, eg, page A for
+index 0 of the file, no page for index 1, and page A+1 for index 2, then
+an mmap of the first two pages of the file will succeed when it should
+fail.
+
+Fixes: 642fb4d1f1dd ("[PATCH] NOMMU: Provide shared-writable mmap support on ramfs")
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: David Howells <dhowells@redhat.com>
+Link: https://lkml.kernel.org/r/20200914122239.GO6583@casper.infradead.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ramfs/file-nommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ramfs/file-nommu.c b/fs/ramfs/file-nommu.c
+index 4146954549560..355523f4a4bf3 100644
+--- a/fs/ramfs/file-nommu.c
++++ b/fs/ramfs/file-nommu.c
+@@ -224,7 +224,7 @@ static unsigned long ramfs_nommu_get_unmapped_area(struct file *file,
+ if (!pages)
+ goto out_free;
+
+- nr = find_get_pages(inode->i_mapping, &pgoff, lpages, pages);
++ nr = find_get_pages_contig(inode->i_mapping, pgoff, lpages, pages);
+ if (nr != lpages)
+ goto out_free_pages; /* leave if some pages were missing */
+
+--
+2.25.1
+
--- /dev/null
+From 8f729c0209e5a3c43f80c2edf96e1aeafd4c307f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Oct 2020 20:13:15 -0700
+Subject: rapidio: fix error handling path
+
+From: Souptick Joarder <jrdr.linux@gmail.com>
+
+[ Upstream commit fa63f083b3492b5ed5332b8d7c90b03b5ef24a1d ]
+
+rio_dma_transfer() attempts to clamp the return value of
+pin_user_pages_fast() to be >= 0. However, the attempt fails because
+nr_pages is overridden a few lines later, and restored to the undesirable
+-ERRNO value.
+
+The return value is ultimately stored in nr_pages, which in turn is passed
+to unpin_user_pages(), which expects nr_pages >= 0, else, disaster.
+
+Fix this by fixing the nesting of the assignment to nr_pages: nr_pages
+should be clamped to zero if pin_user_pages_fast() returns -ERRNO, or set
+to the return value of pin_user_pages_fast(), otherwise.
+
+[jhubbard@nvidia.com: new changelog]
+
+Fixes: e8de370188d09 ("rapidio: add mport char device driver")
+Signed-off-by: Souptick Joarder <jrdr.linux@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Reviewed-by: John Hubbard <jhubbard@nvidia.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
+Cc: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lkml.kernel.org/r/1600227737-20785-1-git-send-email-jrdr.linux@gmail.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rapidio/devices/rio_mport_cdev.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
+index 0b85a80ae7ef6..1222522b4ae76 100644
+--- a/drivers/rapidio/devices/rio_mport_cdev.c
++++ b/drivers/rapidio/devices/rio_mport_cdev.c
+@@ -873,15 +873,16 @@ rio_dma_transfer(struct file *filp, u32 transfer_mode,
+ rmcd_error("get_user_pages_unlocked err=%ld",
+ pinned);
+ nr_pages = 0;
+- } else
++ } else {
+ rmcd_error("pinned %ld out of %ld pages",
+ pinned, nr_pages);
++ /*
++ * Set nr_pages up to mean "how many pages to unpin, in
++ * the error handler:
++ */
++ nr_pages = pinned;
++ }
+ ret = -EFAULT;
+- /*
+- * Set nr_pages up to mean "how many pages to unpin, in
+- * the error handler:
+- */
+- nr_pages = pinned;
+ goto err_pg;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 1d7e77ad8938276756b9f8bff1048a7db82aebc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Oct 2020 20:13:18 -0700
+Subject: rapidio: fix the missed put_device() for rio_mport_add_riodev
+
+From: Jing Xiangfeng <jingxiangfeng@huawei.com>
+
+[ Upstream commit 85094c05eeb47d195a74a25366a2db066f1c9d47 ]
+
+rio_mport_add_riodev() misses to call put_device() when the device already
+exists. Add the missed function call to fix it.
+
+Fixes: e8de370188d0 ("rapidio: add mport char device driver")
+Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
+Cc: John Hubbard <jhubbard@nvidia.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
+Link: https://lkml.kernel.org/r/20200922072525.42330-1-jingxiangfeng@huawei.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rapidio/devices/rio_mport_cdev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
+index 1222522b4ae76..2b08fdeb87c18 100644
+--- a/drivers/rapidio/devices/rio_mport_cdev.c
++++ b/drivers/rapidio/devices/rio_mport_cdev.c
+@@ -1683,6 +1683,7 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv,
+ struct rio_dev *rdev;
+ struct rio_switch *rswitch = NULL;
+ struct rio_mport *mport;
++ struct device *dev;
+ size_t size;
+ u32 rval;
+ u32 swpinfo = 0;
+@@ -1697,8 +1698,10 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv,
+ rmcd_debug(RDEV, "name:%s ct:0x%x did:0x%x hc:0x%x", dev_info.name,
+ dev_info.comptag, dev_info.destid, dev_info.hopcount);
+
+- if (bus_find_device_by_name(&rio_bus_type, NULL, dev_info.name)) {
++ dev = bus_find_device_by_name(&rio_bus_type, NULL, dev_info.name);
++ if (dev) {
+ rmcd_debug(RDEV, "device %s already exists", dev_info.name);
++ put_device(dev);
+ return -EEXIST;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From dd77768ad1a1ce3c3fd0908bcd72071b04e6a151 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 11:11:21 +0300
+Subject: RDMA/cma: Consolidate the destruction of a cma_multicast in one place
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 3788d2997bc0150ea911a964d5b5a2e11808a936 ]
+
+Two places were open coding this sequence, and also pull in
+cma_leave_roce_mc_group() which was called only once.
+
+Link: https://lore.kernel.org/r/20200902081122.745412-8-leon@kernel.org
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 63 +++++++++++++++++------------------
+ 1 file changed, 31 insertions(+), 32 deletions(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 10525c91cac6c..98d2d74b96f78 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -1803,19 +1803,30 @@ static void cma_release_port(struct rdma_id_private *id_priv)
+ mutex_unlock(&lock);
+ }
+
+-static void cma_leave_roce_mc_group(struct rdma_id_private *id_priv,
+- struct cma_multicast *mc)
++static void destroy_mc(struct rdma_id_private *id_priv,
++ struct cma_multicast *mc)
+ {
+- struct rdma_dev_addr *dev_addr = &id_priv->id.route.addr.dev_addr;
+- struct net_device *ndev = NULL;
++ if (rdma_cap_ib_mcast(id_priv->id.device, id_priv->id.port_num)) {
++ ib_sa_free_multicast(mc->multicast.ib);
++ kfree(mc);
++ return;
++ }
+
+- if (dev_addr->bound_dev_if)
+- ndev = dev_get_by_index(dev_addr->net, dev_addr->bound_dev_if);
+- if (ndev) {
+- cma_igmp_send(ndev, &mc->multicast.ib->rec.mgid, false);
+- dev_put(ndev);
++ if (rdma_protocol_roce(id_priv->id.device,
++ id_priv->id.port_num)) {
++ struct rdma_dev_addr *dev_addr =
++ &id_priv->id.route.addr.dev_addr;
++ struct net_device *ndev = NULL;
++
++ if (dev_addr->bound_dev_if)
++ ndev = dev_get_by_index(dev_addr->net,
++ dev_addr->bound_dev_if);
++ if (ndev) {
++ cma_igmp_send(ndev, &mc->multicast.ib->rec.mgid, false);
++ dev_put(ndev);
++ }
++ kref_put(&mc->mcref, release_mc);
+ }
+- kref_put(&mc->mcref, release_mc);
+ }
+
+ static void cma_leave_mc_groups(struct rdma_id_private *id_priv)
+@@ -1823,16 +1834,10 @@ static void cma_leave_mc_groups(struct rdma_id_private *id_priv)
+ struct cma_multicast *mc;
+
+ while (!list_empty(&id_priv->mc_list)) {
+- mc = container_of(id_priv->mc_list.next,
+- struct cma_multicast, list);
++ mc = list_first_entry(&id_priv->mc_list, struct cma_multicast,
++ list);
+ list_del(&mc->list);
+- if (rdma_cap_ib_mcast(id_priv->cma_dev->device,
+- id_priv->id.port_num)) {
+- ib_sa_free_multicast(mc->multicast.ib);
+- kfree(mc);
+- } else {
+- cma_leave_roce_mc_group(id_priv, mc);
+- }
++ destroy_mc(id_priv, mc);
+ }
+ }
+
+@@ -4490,20 +4495,14 @@ void rdma_leave_multicast(struct rdma_cm_id *id, struct sockaddr *addr)
+ id_priv = container_of(id, struct rdma_id_private, id);
+ spin_lock_irq(&id_priv->lock);
+ list_for_each_entry(mc, &id_priv->mc_list, list) {
+- if (!memcmp(&mc->addr, addr, rdma_addr_size(addr))) {
+- list_del(&mc->list);
+- spin_unlock_irq(&id_priv->lock);
+-
+- BUG_ON(id_priv->cma_dev->device != id->device);
++ if (memcmp(&mc->addr, addr, rdma_addr_size(addr)) != 0)
++ continue;
++ list_del(&mc->list);
++ spin_unlock_irq(&id_priv->lock);
+
+- if (rdma_cap_ib_mcast(id->device, id->port_num)) {
+- ib_sa_free_multicast(mc->multicast.ib);
+- kfree(mc);
+- } else if (rdma_protocol_roce(id->device, id->port_num)) {
+- cma_leave_roce_mc_group(id_priv, mc);
+- }
+- return;
+- }
++ WARN_ON(id_priv->cma_dev->device != id->device);
++ destroy_mc(id_priv, mc);
++ return;
+ }
+ spin_unlock_irq(&id_priv->lock);
+ }
+--
+2.25.1
+
--- /dev/null
+From 256baf2bf04f5ae11ca89b6b97954ff5ca2f3920 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 11:11:20 +0300
+Subject: RDMA/cma: Remove dead code for kernel rdmacm multicast
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 1bb5091def706732c749df9aae45fbca003696f2 ]
+
+There is no kernel user of RDMA CM multicast so this code managing the
+multicast subscription of the kernel-only internal QP is dead. Remove it.
+
+This makes the bug fixes in the next patches much simpler.
+
+Link: https://lore.kernel.org/r/20200902081122.745412-7-leon@kernel.org
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 19 ++++---------------
+ 1 file changed, 4 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index e3cd9d2b0dd2b..10525c91cac6c 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -4182,16 +4182,6 @@ static int cma_ib_mc_handler(int status, struct ib_sa_multicast *multicast)
+ else
+ pr_debug_ratelimited("RDMA CM: MULTICAST_ERROR: failed to join multicast. status %d\n",
+ status);
+- mutex_lock(&id_priv->qp_mutex);
+- if (!status && id_priv->id.qp) {
+- status = ib_attach_mcast(id_priv->id.qp, &multicast->rec.mgid,
+- be16_to_cpu(multicast->rec.mlid));
+- if (status)
+- pr_debug_ratelimited("RDMA CM: MULTICAST_ERROR: failed to attach QP. status %d\n",
+- status);
+- }
+- mutex_unlock(&id_priv->qp_mutex);
+-
+ event.status = status;
+ event.param.ud.private_data = mc->context;
+ if (!status) {
+@@ -4446,6 +4436,10 @@ int rdma_join_multicast(struct rdma_cm_id *id, struct sockaddr *addr,
+ struct cma_multicast *mc;
+ int ret;
+
++ /* Not supported for kernel QPs */
++ if (WARN_ON(id->qp))
++ return -EINVAL;
++
+ if (!id->device)
+ return -EINVAL;
+
+@@ -4500,11 +4494,6 @@ void rdma_leave_multicast(struct rdma_cm_id *id, struct sockaddr *addr)
+ list_del(&mc->list);
+ spin_unlock_irq(&id_priv->lock);
+
+- if (id->qp)
+- ib_detach_mcast(id->qp,
+- &mc->multicast.ib->rec.mgid,
+- be16_to_cpu(mc->multicast.ib->rec.mlid));
+-
+ BUG_ON(id_priv->cma_dev->device != id->device);
+
+ if (rdma_cap_ib_mcast(id->device, id->port_num)) {
+--
+2.25.1
+
--- /dev/null
+From 39a52745de943c72c9ce7488cef9e3cafe962d31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 19:41:48 -0300
+Subject: RDMA/efa: Use ib_umem_num_dma_pages()
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 1f9b6827c85f9d9786f31a1434a16c917aae23b2 ]
+
+If ib_umem_find_best_pgsz() returns > PAGE_SIZE then the equation here is
+not correct. 'start' should be 'virt'. Change it to use the core code for
+page_num and the canonical calculation of page_shift.
+
+Fixes: 40ddb3f02083 ("RDMA/efa: Use API to get contiguous memory blocks aligned to device supported page size")
+Link: https://lore.kernel.org/r/7-v2-270386b7e60b+28f4-umem_1_jgg@nvidia.com
+Tested-by: Gal Pressman <galpress@amazon.com>
+Acked-by: Gal Pressman <galpress@amazon.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/efa/efa_verbs.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c
+index 4edae89e8e3ca..4a8830d3a9599 100644
+--- a/drivers/infiniband/hw/efa/efa_verbs.c
++++ b/drivers/infiniband/hw/efa/efa_verbs.c
+@@ -4,6 +4,7 @@
+ */
+
+ #include <linux/vmalloc.h>
++#include <linux/log2.h>
+
+ #include <rdma/ib_addr.h>
+ #include <rdma/ib_umem.h>
+@@ -1446,9 +1447,8 @@ struct ib_mr *efa_reg_mr(struct ib_pd *ibpd, u64 start, u64 length,
+ goto err_unmap;
+ }
+
+- params.page_shift = __ffs(pg_sz);
+- params.page_num = DIV_ROUND_UP(length + (start & (pg_sz - 1)),
+- pg_sz);
++ params.page_shift = order_base_2(pg_sz);
++ params.page_num = ib_umem_num_dma_blocks(mr->umem, pg_sz);
+
+ ibdev_dbg(&dev->ibdev,
+ "start %#llx length %#llx params.page_shift %u params.page_num %u\n",
+--
+2.25.1
+
--- /dev/null
+From 7e9b9f02dbf326d38a1bf505d2f6cba53b52e357 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Aug 2020 19:07:54 +0800
+Subject: RDMA/hns: Add a check for current state before modifying QP
+
+From: Lang Cheng <chenglang@huawei.com>
+
+[ Upstream commit e0ef0f68c4c0d85b1eb63f38d5d10324361280e8 ]
+
+It should be considered an illegal operation if the ULP attempts to modify
+a QP from another state to the current hardware state. Otherwise, the ULP
+can modify some fields of QPC at any time. For example, for a QP in state
+of RTS, modify it from RTR to RTS can change the PSN, which is always not
+as expected.
+
+Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
+Link: https://lore.kernel.org/r/1598353674-24270-1-git-send-email-liweihang@huawei.com
+Signed-off-by: Lang Cheng <chenglang@huawei.com>
+Signed-off-by: Weihang Li <liweihang@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_qp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c
+index 8dd2d666f6875..730e50c87a760 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_qp.c
++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c
+@@ -1181,8 +1181,10 @@ int hns_roce_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr,
+
+ mutex_lock(&hr_qp->mutex);
+
+- cur_state = attr_mask & IB_QP_CUR_STATE ?
+- attr->cur_qp_state : (enum ib_qp_state)hr_qp->state;
++ if (attr_mask & IB_QP_CUR_STATE && attr->cur_qp_state != hr_qp->state)
++ goto out;
++
++ cur_state = hr_qp->state;
+ new_state = attr_mask & IB_QP_STATE ? attr->qp_state : cur_state;
+
+ if (ibqp->uobject &&
+--
+2.25.1
+
--- /dev/null
+From 3aabce0535fcc94cdbe869162fc0899daf85ed7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Sep 2020 18:03:22 +0800
+Subject: RDMA/hns: Fix missing sq_sig_type when querying QP
+
+From: Weihang Li <liweihang@huawei.com>
+
+[ Upstream commit 05df49279f8926178ecb3ce88e61b63104cd6293 ]
+
+The sq_sig_type field should be filled when querying QP, or the users may
+get a wrong value.
+
+Fixes: 926a01dc000d ("RDMA/hns: Add QP operations support for hip08 SoC")
+Link: https://lore.kernel.org/r/1600509802-44382-9-git-send-email-liweihang@huawei.com
+Signed-off-by: Weihang Li <liweihang@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index def266626223a..bb75328193957 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -4634,6 +4634,7 @@ static int hns_roce_v2_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr,
+ }
+
+ qp_init_attr->cap = qp_attr->cap;
++ qp_init_attr->sq_sig_type = hr_qp->sq_signal_bits;
+
+ out:
+ mutex_unlock(&hr_qp->mutex);
+--
+2.25.1
+
--- /dev/null
+From 5874cec461d147a4137c597f94880c5a337e2798 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Sep 2020 18:03:20 +0800
+Subject: RDMA/hns: Fix the wrong value of rnr_retry when querying qp
+
+From: Wenpeng Liang <liangwenpeng@huawei.com>
+
+[ Upstream commit 99fcf82521d91468ee6115a3c253aa032dc63cbc ]
+
+The rnr_retry returned to the user is not correct, it should be got from
+another fields in QPC.
+
+Fixes: bfe860351e31 ("RDMA/hns: Fix cast from or to restricted __le32 for driver")
+Link: https://lore.kernel.org/r/1600509802-44382-7-git-send-email-liweihang@huawei.com
+Signed-off-by: Wenpeng Liang <liangwenpeng@huawei.com>
+Signed-off-by: Weihang Li <liweihang@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 0502c90c83edd..def266626223a 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -4616,7 +4616,9 @@ static int hns_roce_v2_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *qp_attr,
+ qp_attr->retry_cnt = roce_get_field(context.byte_212_lsn,
+ V2_QPC_BYTE_212_RETRY_CNT_M,
+ V2_QPC_BYTE_212_RETRY_CNT_S);
+- qp_attr->rnr_retry = le32_to_cpu(context.rq_rnr_timer);
++ qp_attr->rnr_retry = roce_get_field(context.byte_244_rnr_rxack,
++ V2_QPC_BYTE_244_RNR_CNT_M,
++ V2_QPC_BYTE_244_RNR_CNT_S);
+
+ done:
+ qp_attr->cur_qp_state = qp_attr->qp_state;
+--
+2.25.1
+
--- /dev/null
+From c409516f0e5b22f413a2c7ca76c18af1af2591ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Sep 2020 21:50:15 +0800
+Subject: RDMA/hns: Set the unsupported wr opcode
+
+From: Lijun Ou <oulijun@huawei.com>
+
+[ Upstream commit 22d3e1ed2cc837af87f76c3c8a4ccf4455e225c5 ]
+
+hip06 does not support IB_WR_LOCAL_INV, so the ps_opcode should be set to
+an invalid value instead of being left uninitialized.
+
+Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
+Fixes: a2f3d4479fe9 ("RDMA/hns: Avoid unncessary initialization")
+Link: https://lore.kernel.org/r/1600350615-115217-1-git-send-email-oulijun@huawei.com
+Signed-off-by: Lijun Ou <oulijun@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v1.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c
+index a79fa67df8715..a405c64d2a82b 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c
+@@ -271,7 +271,6 @@ static int hns_roce_v1_post_send(struct ib_qp *ibqp,
+ ps_opcode = HNS_ROCE_WQE_OPCODE_SEND;
+ break;
+ case IB_WR_LOCAL_INV:
+- break;
+ case IB_WR_ATOMIC_CMP_AND_SWP:
+ case IB_WR_ATOMIC_FETCH_AND_ADD:
+ case IB_WR_LSO:
+--
+2.25.1
+
--- /dev/null
+From 581677fc633e10c0ebec1febf5c0cbb3ddb8109b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Oct 2020 16:29:48 +0300
+Subject: RDMA/ipoib: Set rtnl_link_ops for ipoib interfaces
+
+From: Kamal Heib <kamalheib1@gmail.com>
+
+[ Upstream commit 5ce2dced8e95e76ff7439863a118a053a7fc6f91 ]
+
+Report the "ipoib pkey", "mode" and "umcast" netlink attributes for every
+IPoiB interface type, not just children created with 'ip link add'.
+
+After setting the rtnl_link_ops for the parent interface, implement the
+dellink() callback to block users from trying to remove it.
+
+Fixes: 862096a8bbf8 ("IB/ipoib: Add more rtnl_link_ops callbacks")
+Link: https://lore.kernel.org/r/20201004132948.26669-1-kamalheib1@gmail.com
+Signed-off-by: Kamal Heib <kamalheib1@gmail.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_main.c | 2 ++
+ drivers/infiniband/ulp/ipoib/ipoib_netlink.c | 11 +++++++++++
+ drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 2 ++
+ 3 files changed, 15 insertions(+)
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+index 044bcacad6e48..69ecf37053a81 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -2463,6 +2463,8 @@ static struct net_device *ipoib_add_port(const char *format,
+ /* call event handler to ensure pkey in sync */
+ queue_work(ipoib_workqueue, &priv->flush_heavy);
+
++ ndev->rtnl_link_ops = ipoib_get_link_ops();
++
+ result = register_netdev(ndev);
+ if (result) {
+ pr_warn("%s: couldn't register ipoib port %d; error %d\n",
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
+index 38c984d16996d..d5a90a66b45cf 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
+@@ -144,6 +144,16 @@ static int ipoib_new_child_link(struct net *src_net, struct net_device *dev,
+ return 0;
+ }
+
++static void ipoib_del_child_link(struct net_device *dev, struct list_head *head)
++{
++ struct ipoib_dev_priv *priv = ipoib_priv(dev);
++
++ if (!priv->parent)
++ return;
++
++ unregister_netdevice_queue(dev, head);
++}
++
+ static size_t ipoib_get_size(const struct net_device *dev)
+ {
+ return nla_total_size(2) + /* IFLA_IPOIB_PKEY */
+@@ -158,6 +168,7 @@ static struct rtnl_link_ops ipoib_link_ops __read_mostly = {
+ .priv_size = sizeof(struct ipoib_dev_priv),
+ .setup = ipoib_setup_common,
+ .newlink = ipoib_new_child_link,
++ .dellink = ipoib_del_child_link,
+ .changelink = ipoib_changelink,
+ .get_size = ipoib_get_size,
+ .fill_info = ipoib_fill_info,
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
+index 8ac8e18fbe0c3..58ca5e9c6079c 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
+@@ -192,6 +192,8 @@ int ipoib_vlan_add(struct net_device *pdev, unsigned short pkey)
+ }
+ priv = ipoib_priv(ndev);
+
++ ndev->rtnl_link_ops = ipoib_get_link_ops();
++
+ result = __ipoib_vlan_add(ppriv, priv, pkey, IPOIB_LEGACY_CHILD);
+
+ if (result && ndev->reg_state == NETREG_UNINITIALIZED)
+--
+2.25.1
+
--- /dev/null
+From 2d9779e77b2821d1a0dce99e8dcdd86a8dac11e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Sep 2020 14:26:52 +0300
+Subject: RDMA/mlx5: Disable IB_DEVICE_MEM_MGT_EXTENSIONS if IB_WR_REG_MR can't
+ work
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 0ec52f0194638e2d284ad55eba5a7aff753de1b9 ]
+
+set_reg_wr() always fails if !umr_modify_entity_size_disabled because
+mlx5_ib_can_use_umr() always fails. Without set_reg_wr() IB_WR_REG_MR
+doesn't work and that means the device should not advertise
+IB_DEVICE_MEM_MGT_EXTENSIONS.
+
+Fixes: 841b07f99a47 ("IB/mlx5: Block MR WR if UMR is not possible")
+Link: https://lore.kernel.org/r/20200914112653.345244-5-leon@kernel.org
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index b781ad74e6de4..40c1a05c2445d 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -888,7 +888,9 @@ static int mlx5_ib_query_device(struct ib_device *ibdev,
+ /* We support 'Gappy' memory registration too */
+ props->device_cap_flags |= IB_DEVICE_SG_GAPS_REG;
+ }
+- props->device_cap_flags |= IB_DEVICE_MEM_MGT_EXTENSIONS;
++ /* IB_WR_REG_MR always requires changing the entity size with UMR */
++ if (!MLX5_CAP_GEN(dev->mdev, umr_modify_entity_size_disabled))
++ props->device_cap_flags |= IB_DEVICE_MEM_MGT_EXTENSIONS;
+ if (MLX5_CAP_GEN(mdev, sho)) {
+ props->device_cap_flags |= IB_DEVICE_INTEGRITY_HANDOVER;
+ /* At this stage no support for signature handover */
+--
+2.25.1
+
--- /dev/null
+From 510c422f48ae8a4fc506ff208d29b13857e4388a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Aug 2020 11:40:04 +0300
+Subject: RDMA/mlx5: Fix potential race between destroy and CQE poll
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+[ Upstream commit 4b916ed9f9e85f705213ca8d69771d3c1cd6ee5a ]
+
+The SRQ can be destroyed right before mlx5_cmd_get_srq is called.
+In such case the latter will return NULL instead of expected SRQ.
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Link: https://lore.kernel.org/r/20200830084010.102381-5-leon@kernel.org
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/cq.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c
+index ff664355de550..73d5b8dc74d86 100644
+--- a/drivers/infiniband/hw/mlx5/cq.c
++++ b/drivers/infiniband/hw/mlx5/cq.c
+@@ -167,7 +167,7 @@ static void handle_responder(struct ib_wc *wc, struct mlx5_cqe64 *cqe,
+ {
+ enum rdma_link_layer ll = rdma_port_get_link_layer(qp->ibqp.device, 1);
+ struct mlx5_ib_dev *dev = to_mdev(qp->ibqp.device);
+- struct mlx5_ib_srq *srq;
++ struct mlx5_ib_srq *srq = NULL;
+ struct mlx5_ib_wq *wq;
+ u16 wqe_ctr;
+ u8 roce_packet_type;
+@@ -179,7 +179,8 @@ static void handle_responder(struct ib_wc *wc, struct mlx5_cqe64 *cqe,
+
+ if (qp->ibqp.xrcd) {
+ msrq = mlx5_cmd_get_srq(dev, be32_to_cpu(cqe->srqn));
+- srq = to_mibsrq(msrq);
++ if (msrq)
++ srq = to_mibsrq(msrq);
+ } else {
+ srq = to_msrq(qp->ibqp.srq);
+ }
+--
+2.25.1
+
--- /dev/null
+From 53229cf0071f90359c0a75e6e2381adec5db943c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 19:57:40 +0300
+Subject: RDMA/qedr: Fix inline size returned for iWARP
+
+From: Michal Kalderon <michal.kalderon@marvell.com>
+
+[ Upstream commit fbf58026b2256e9cd5f241a4801d79d3b2b7b89d ]
+
+commit 59e8970b3798 ("RDMA/qedr: Return max inline data in QP query
+result") changed query_qp max_inline size to return the max roce inline
+size. When iwarp was introduced, this should have been modified to return
+the max inline size based on protocol. This size is cached in the device
+attributes
+
+Fixes: 69ad0e7fe845 ("RDMA/qedr: Add support for iWARP in user space")
+Link: https://lore.kernel.org/r/20200902165741.8355-8-michal.kalderon@marvell.com
+Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/qedr/verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c
+index 682329789d00d..4408d33646647 100644
+--- a/drivers/infiniband/hw/qedr/verbs.c
++++ b/drivers/infiniband/hw/qedr/verbs.c
+@@ -2405,7 +2405,7 @@ int qedr_query_qp(struct ib_qp *ibqp,
+ qp_attr->cap.max_recv_wr = qp->rq.max_wr;
+ qp_attr->cap.max_send_sge = qp->sq.max_sges;
+ qp_attr->cap.max_recv_sge = qp->rq.max_sges;
+- qp_attr->cap.max_inline_data = ROCE_REQ_MAX_INLINE_DATA_SIZE;
++ qp_attr->cap.max_inline_data = dev->attr.max_inline;
+ qp_init_attr->cap = qp_attr->cap;
+
+ qp_attr->ah_attr.type = RDMA_AH_ATTR_TYPE_ROCE;
+--
+2.25.1
+
--- /dev/null
+From 438d8a19a5adbeff8d3afd0224b70fcf8ec50840 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 19:57:34 +0300
+Subject: RDMA/qedr: Fix qp structure memory leak
+
+From: Michal Kalderon <michal.kalderon@marvell.com>
+
+[ Upstream commit 098e345a1a8faaad6e4e54d138773466cecc45d4 ]
+
+The qedr_qp structure wasn't freed when the protocol was RoCE. kmemleak
+output when running basic RoCE scenario.
+
+unreferenced object 0xffff927ad7e22c00 (size 1024):
+ comm "ib_send_bw", pid 7082, jiffies 4384133693 (age 274.698s)
+ hex dump (first 32 bytes):
+ 00 b0 cd a2 79 92 ff ff 00 3f a1 a2 79 92 ff ff ....y....?..y...
+ 00 ee 5c dd 80 92 ff ff 00 f6 5c dd 80 92 ff ff ..\.......\.....
+ backtrace:
+ [<00000000b2ba0f35>] qedr_create_qp+0xb3/0x6c0 [qedr]
+ [<00000000e85a43dd>] ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x555/0xad0 [ib_uverbs]
+ [<00000000fee4d029>] ib_uverbs_cmd_verbs+0xa5a/0xb80 [ib_uverbs]
+ [<000000005d622660>] ib_uverbs_ioctl+0xa4/0x110 [ib_uverbs]
+ [<00000000eb4cdc71>] ksys_ioctl+0x87/0xc0
+ [<00000000abe6b23a>] __x64_sys_ioctl+0x16/0x20
+ [<0000000046e7cef4>] do_syscall_64+0x4d/0x90
+ [<00000000c6948f76>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 1212767e23bb ("qedr: Add wrapping generic structure for qpidr and adjust idr routines.")
+Link: https://lore.kernel.org/r/20200902165741.8355-2-michal.kalderon@marvell.com
+Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/qedr/verbs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/hw/qedr/verbs.c b/drivers/infiniband/hw/qedr/verbs.c
+index 16a994fd7d0a7..682329789d00d 100644
+--- a/drivers/infiniband/hw/qedr/verbs.c
++++ b/drivers/infiniband/hw/qedr/verbs.c
+@@ -2518,6 +2518,8 @@ int qedr_destroy_qp(struct ib_qp *ibqp, struct ib_udata *udata)
+
+ if (rdma_protocol_iwarp(&dev->ibdev, 1))
+ qedr_iw_qp_rem_ref(&qp->ibqp);
++ else
++ kfree(qp);
+
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From 40eb19e26ef6d4140622d33293e5685452ea949a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 19:57:37 +0300
+Subject: RDMA/qedr: Fix return code if accept is called on a destroyed qp
+
+From: Michal Kalderon <michal.kalderon@marvell.com>
+
+[ Upstream commit 8a5a10a1a74465065c75d9de1aa6685e1f1aa117 ]
+
+In iWARP, accept could be called after a QP is already destroyed. In this
+case an error should be returned and not success.
+
+Fixes: 82af6d19d8d9 ("RDMA/qedr: Fix synchronization methods and memory leaks in qedr")
+Link: https://lore.kernel.org/r/20200902165741.8355-5-michal.kalderon@marvell.com
+Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/qedr/qedr_iw_cm.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/qedr/qedr_iw_cm.c b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
+index 6dea49e11f5f0..e521f3c3dbbf1 100644
+--- a/drivers/infiniband/hw/qedr/qedr_iw_cm.c
++++ b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
+@@ -736,7 +736,7 @@ int qedr_iw_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
+ struct qedr_dev *dev = ep->dev;
+ struct qedr_qp *qp;
+ struct qed_iwarp_accept_in params;
+- int rc = 0;
++ int rc;
+
+ DP_DEBUG(dev, QEDR_MSG_IWARP, "Accept on qpid=%d\n", conn_param->qpn);
+
+@@ -759,8 +759,10 @@ int qedr_iw_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
+ params.ord = conn_param->ord;
+
+ if (test_and_set_bit(QEDR_IWARP_CM_WAIT_FOR_CONNECT,
+- &qp->iwarp_cm_flags))
++ &qp->iwarp_cm_flags)) {
++ rc = -EINVAL;
+ goto err; /* QP already destroyed */
++ }
+
+ rc = dev->ops->iwarp_accept(dev->rdma_ctx, ¶ms);
+ if (rc) {
+--
+2.25.1
+
--- /dev/null
+From c6aa3c380c943389f6a4f2af418fb2d1dc23aa47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 19:57:36 +0300
+Subject: RDMA/qedr: Fix use of uninitialized field
+
+From: Michal Kalderon <michal.kalderon@marvell.com>
+
+[ Upstream commit a379ad54e55a12618cae7f6333fd1b3071de9606 ]
+
+dev->attr.page_size_caps was used uninitialized when setting device
+attributes
+
+Fixes: ec72fce401c6 ("qedr: Add support for RoCE HW init")
+Link: https://lore.kernel.org/r/20200902165741.8355-4-michal.kalderon@marvell.com
+Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/qedr/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/qedr/main.c b/drivers/infiniband/hw/qedr/main.c
+index 4494dab8c3d83..93040c994e2e3 100644
+--- a/drivers/infiniband/hw/qedr/main.c
++++ b/drivers/infiniband/hw/qedr/main.c
+@@ -601,7 +601,7 @@ static int qedr_set_device_attr(struct qedr_dev *dev)
+ qed_attr = dev->ops->rdma_query_device(dev->rdma_ctx);
+
+ /* Part 2 - check capabilities */
+- page_size = ~dev->attr.page_size_caps + 1;
++ page_size = ~qed_attr->page_size_caps + 1;
+ if (page_size > PAGE_SIZE) {
+ DP_ERR(dev,
+ "Kernel PAGE_SIZE is %ld which is smaller than minimum page size (%d) required by qedr\n",
+--
+2.25.1
+
--- /dev/null
+From a5fa90b8b6f42f2f689e2a0e0015e5920ef11a98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Oct 2020 15:36:52 -0500
+Subject: RDMA/rxe: Fix skb lifetime in rxe_rcv_mcast_pkt()
+
+From: Bob Pearson <rpearsonhpe@gmail.com>
+
+[ Upstream commit e7ec96fc7932f48a6d6cdd05bf82004a1a04285b ]
+
+The changes referenced below replaced sbk_clone)_ by taking additional
+references, passing the skb along and then freeing the skb. This
+deleted the packets before they could be processed and additionally
+passed bad data in each packet. Since pkt is stored in skb->cb
+changing pkt->qp changed it for all the packets.
+
+Replace skb_get() by sbk_clone() in rxe_rcv_mcast_pkt() for cases where
+multiple QPs are receiving multicast packets on the same address.
+
+Delete kfree_skb() because the packets need to live until they have been
+processed by each QP. They are freed later.
+
+Fixes: 86af61764151 ("IB/rxe: remove unnecessary skb_clone")
+Fixes: fe896ceb5772 ("IB/rxe: replace refcount_inc with skb_get")
+Link: https://lore.kernel.org/r/20201008203651.256958-1-rpearson@hpe.com
+Signed-off-by: Bob Pearson <rpearson@hpe.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_recv.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c
+index 46e111c218fd4..be6416a982c70 100644
+--- a/drivers/infiniband/sw/rxe/rxe_recv.c
++++ b/drivers/infiniband/sw/rxe/rxe_recv.c
+@@ -281,6 +281,8 @@ static void rxe_rcv_mcast_pkt(struct rxe_dev *rxe, struct sk_buff *skb)
+ struct rxe_mc_elem *mce;
+ struct rxe_qp *qp;
+ union ib_gid dgid;
++ struct sk_buff *per_qp_skb;
++ struct rxe_pkt_info *per_qp_pkt;
+ int err;
+
+ if (skb->protocol == htons(ETH_P_IP))
+@@ -309,21 +311,26 @@ static void rxe_rcv_mcast_pkt(struct rxe_dev *rxe, struct sk_buff *skb)
+ if (err)
+ continue;
+
+- /* if *not* the last qp in the list
+- * increase the users of the skb then post to the next qp
++ /* for all but the last qp create a new clone of the
++ * skb and pass to the qp.
+ */
+ if (mce->qp_list.next != &mcg->qp_list)
+- skb_get(skb);
++ per_qp_skb = skb_clone(skb, GFP_ATOMIC);
++ else
++ per_qp_skb = skb;
+
+- pkt->qp = qp;
++ per_qp_pkt = SKB_TO_PKT(per_qp_skb);
++ per_qp_pkt->qp = qp;
+ rxe_add_ref(qp);
+- rxe_rcv_pkt(pkt, skb);
++ rxe_rcv_pkt(per_qp_pkt, per_qp_skb);
+ }
+
+ spin_unlock_bh(&mcg->mcg_lock);
+
+ rxe_drop_ref(mcg); /* drop ref from rxe_pool_get_key. */
+
++ return;
++
+ err1:
+ kfree_skb(skb);
+ }
+--
+2.25.1
+
--- /dev/null
+From 864015e1fe3c6191442c59a9883783507ea9e069 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Oct 2020 13:42:37 -0500
+Subject: RDMA/rxe: Handle skb_clone() failure in rxe_recv.c
+
+From: Bob Pearson <rpearsonhpe@gmail.com>
+
+[ Upstream commit 71abf20b28ff87fee6951ec2218d5ce7969c4e87 ]
+
+If skb_clone() is unable to allocate memory for a new sk_buff this is not
+detected by the current code.
+
+Check for a NULL return and continue. This is similar to other errors in
+this loop over QPs attached to the multicast address and consistent with
+the unreliable UD transport.
+
+Fixes: e7ec96fc7932f ("RDMA/rxe: Fix skb lifetime in rxe_rcv_mcast_pkt()")
+Addresses-Coverity-ID: 1497804: Null pointer dereferences (NULL_RETURNS)
+Link: https://lore.kernel.org/r/20201013184236.5231-1-rpearson@hpe.com
+Signed-off-by: Bob Pearson <rpearson@hpe.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_recv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_recv.c b/drivers/infiniband/sw/rxe/rxe_recv.c
+index be6416a982c70..9bfb98056fc2a 100644
+--- a/drivers/infiniband/sw/rxe/rxe_recv.c
++++ b/drivers/infiniband/sw/rxe/rxe_recv.c
+@@ -319,6 +319,9 @@ static void rxe_rcv_mcast_pkt(struct rxe_dev *rxe, struct sk_buff *skb)
+ else
+ per_qp_skb = skb;
+
++ if (unlikely(!per_qp_skb))
++ continue;
++
+ per_qp_pkt = SKB_TO_PKT(per_qp_skb);
+ per_qp_pkt->qp = qp;
+ rxe_add_ref(qp);
+--
+2.25.1
+
--- /dev/null
+From 0b706f5adaadd777d5db0ee5f829faf9f53b8f93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Aug 2020 15:05:22 +0300
+Subject: RDMA/ucma: Add missing locking around rdma_leave_multicast()
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 38e03d092699891c3237b5aee9e8029d4ede0956 ]
+
+All entry points to the rdma_cm from a ULP must be single threaded,
+even this error unwinds. Add the missing locking.
+
+Fixes: 7c11910783a1 ("RDMA/ucma: Put a lock around every call to the rdma_cm layer")
+Link: https://lore.kernel.org/r/20200818120526.702120-11-leon@kernel.org
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/ucma.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
+index d7c74f095805a..ef4be14af3bb9 100644
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1473,7 +1473,9 @@ static ssize_t ucma_process_join(struct ucma_file *file,
+ return 0;
+
+ err3:
++ mutex_lock(&ctx->mutex);
+ rdma_leave_multicast(ctx->cm_id, (struct sockaddr *) &mc->addr);
++ mutex_unlock(&ctx->mutex);
+ ucma_cleanup_mc_events(mc);
+ err2:
+ xa_erase(&multicast_table, mc->id);
+--
+2.25.1
+
--- /dev/null
+From e7a68fc79cae0f997a3653f3a7744def2130c609 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Aug 2020 15:05:21 +0300
+Subject: RDMA/ucma: Fix locking for ctx->events_reported
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 98837c6c3d7285f6eca86480b6f7fac6880e27a8 ]
+
+This value is locked under the file->mut, ensure it is held whenever
+touching it.
+
+The case in ucma_migrate_id() is a race, while in ucma_free_uctx() it is
+already not possible for the write side to run, the movement is just for
+clarity.
+
+Fixes: 88314e4dda1e ("RDMA/cma: add support for rdma_migrate_id()")
+Link: https://lore.kernel.org/r/20200818120526.702120-10-leon@kernel.org
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/ucma.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
+index f4f79f1292b91..d7c74f095805a 100644
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -581,6 +581,7 @@ static int ucma_free_ctx(struct ucma_context *ctx)
+ list_move_tail(&uevent->list, &list);
+ }
+ list_del(&ctx->list);
++ events_reported = ctx->events_reported;
+ mutex_unlock(&ctx->file->mut);
+
+ list_for_each_entry_safe(uevent, tmp, &list, list) {
+@@ -590,7 +591,6 @@ static int ucma_free_ctx(struct ucma_context *ctx)
+ kfree(uevent);
+ }
+
+- events_reported = ctx->events_reported;
+ mutex_destroy(&ctx->mutex);
+ kfree(ctx);
+ return events_reported;
+@@ -1639,7 +1639,9 @@ static ssize_t ucma_migrate_id(struct ucma_file *new_file,
+
+ cur_file = ctx->file;
+ if (cur_file == new_file) {
++ mutex_lock(&cur_file->mut);
+ resp.events_reported = ctx->events_reported;
++ mutex_unlock(&cur_file->mut);
+ goto response;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 519d26c11b4f2c6bf77a4c92f511a1ebac8fbb03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 19:41:42 -0300
+Subject: RDMA/umem: Fix ib_umem_find_best_pgsz() for mappings that cross a
+ page boundary
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit a40c20dabdf9045270767c75918feb67f0727c89 ]
+
+It is possible for a single SGL to span an aligned boundary, eg if the SGL
+is
+
+ 61440 -> 90112
+
+Then the length is 28672, which currently limits the block size to
+32k. With a 32k page size the two covering blocks will be:
+
+ 32768->65536 and 65536->98304
+
+However, the correct answer is a 128K block size which will span the whole
+28672 bytes in a single block.
+
+Instead of limiting based on length figure out which high IOVA bits don't
+change between the start and end addresses. That is the highest useful
+page size.
+
+Fixes: 4a35339958f1 ("RDMA/umem: Add API to find best driver supported page size in an MR")
+Link: https://lore.kernel.org/r/1-v2-270386b7e60b+28f4-umem_1_jgg@nvidia.com
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/umem.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
+index 0d42ba8c0b696..9be8f6c622db0 100644
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -156,8 +156,13 @@ unsigned long ib_umem_find_best_pgsz(struct ib_umem *umem,
+ return 0;
+
+ va = virt;
+- /* max page size not to exceed MR length */
+- mask = roundup_pow_of_two(umem->length);
++ /* The best result is the smallest page size that results in the minimum
++ * number of required pages. Compute the largest page size that could
++ * work based on VA address bits that don't change.
++ */
++ mask = pgsz_bitmap &
++ GENMASK(BITS_PER_LONG - 1,
++ bits_per((umem->length - 1 + virt) ^ virt));
+ /* offset into first SGL */
+ pgoff = umem->address & ~PAGE_MASK;
+
+--
+2.25.1
+
--- /dev/null
+From a0c6e13a7c4b36a67f641be9b10c5808a46825ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Aug 2020 15:17:08 -0300
+Subject: RDMA/umem: Fix signature of stub ib_umem_find_best_pgsz()
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 61690d01db32eb1f94adc9ac2b8bb741d34e4671 ]
+
+The original function returns unsigned long and 0 on failure.
+
+Fixes: 4a35339958f1 ("RDMA/umem: Add API to find best driver supported page size in an MR")
+Link: https://lore.kernel.org/r/0-v1-982a13cc5c6d+501ae-fix_best_pgsz_stub_jgg@nvidia.com
+Reviewed-by: Gal Pressman <galpress@amazon.com>
+Acked-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/rdma/ib_umem.h | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/include/rdma/ib_umem.h b/include/rdma/ib_umem.h
+index a91b2af64ec47..8e94279af47df 100644
+--- a/include/rdma/ib_umem.h
++++ b/include/rdma/ib_umem.h
+@@ -95,10 +95,11 @@ static inline int ib_umem_copy_from(void *dst, struct ib_umem *umem, size_t offs
+ size_t length) {
+ return -EINVAL;
+ }
+-static inline int ib_umem_find_best_pgsz(struct ib_umem *umem,
+- unsigned long pgsz_bitmap,
+- unsigned long virt) {
+- return -EINVAL;
++static inline unsigned long ib_umem_find_best_pgsz(struct ib_umem *umem,
++ unsigned long pgsz_bitmap,
++ unsigned long virt)
++{
++ return 0;
+ }
+
+ #endif /* CONFIG_INFINIBAND_USER_MEM */
+--
+2.25.1
+
--- /dev/null
+From b5dbaaadac9789c8bf9d1856400892ca0b15d90b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 19:41:43 -0300
+Subject: RDMA/umem: Prevent small pages from being returned by
+ ib_umem_find_best_pgsz()
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 10c75ccb54e4fe548cb16d7ed426d7d709e6ae76 ]
+
+rdma_for_each_block() makes assumptions about how the SGL is constructed
+that don't work if the block size is below the page size used to to build
+the SGL.
+
+The rules for umem SGL construction require that the SG's all be PAGE_SIZE
+aligned and we don't encode the actual byte offset of the VA range inside
+the SGL using offset and length. So rdma_for_each_block() has no idea
+where the actual starting/ending point is to compute the first/last block
+boundary if the starting address should be within a SGL.
+
+Fixing the SGL construction turns out to be really hard, and will be the
+subject of other patches. For now block smaller pages.
+
+Fixes: 4a35339958f1 ("RDMA/umem: Add API to find best driver supported page size in an MR")
+Link: https://lore.kernel.org/r/2-v2-270386b7e60b+28f4-umem_1_jgg@nvidia.com
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/umem.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
+index 9be8f6c622db0..650f71dd4ab93 100644
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -151,6 +151,12 @@ unsigned long ib_umem_find_best_pgsz(struct ib_umem *umem,
+ dma_addr_t mask;
+ int i;
+
++ /* rdma_for_each_block() has a bug if the page size is smaller than the
++ * page size used to build the umem. For now prevent smaller page sizes
++ * from being returned.
++ */
++ pgsz_bitmap &= GENMASK(BITS_PER_LONG - 1, PAGE_SHIFT);
++
+ /* At minimum, drivers must support PAGE_SIZE or smaller */
+ if (WARN_ON(!(pgsz_bitmap & GENMASK(PAGE_SHIFT, 0))))
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From 8d48db6979283bdd3d72dbf1aab639e3696a032a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Sep 2020 23:32:41 +0200
+Subject: regulator: resolve supply after creating regulator
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+
+[ Upstream commit aea6cb99703e17019e025aa71643b4d3e0a24413 ]
+
+When creating a new regulator its supply cannot create the sysfs link
+because the device is not yet published. Remove early supply resolving
+since it will be done later anyway. This makes the following error
+disappear and the symlinks get created instead.
+
+ DCDC_REG1: supplied by VSYS
+ VSYS: could not add device link regulator.3 err -2
+
+Note: It doesn't fix the problem for bypassed regulators, though.
+
+Fixes: 45389c47526d ("regulator: core: Add early supply resolution for regulators")
+Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Link: https://lore.kernel.org/r/ba09e0a8617ffeeb25cb4affffe6f3149319cef8.1601155770.git.mirq-linux@rere.qmqm.pl
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/core.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index 55fc80de5ef16..ee850cffe1542 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -5158,15 +5158,20 @@ regulator_register(const struct regulator_desc *regulator_desc,
+ else if (regulator_desc->supply_name)
+ rdev->supply_name = regulator_desc->supply_name;
+
+- /*
+- * Attempt to resolve the regulator supply, if specified,
+- * but don't return an error if we fail because we will try
+- * to resolve it again later as more regulators are added.
+- */
+- if (regulator_resolve_supply(rdev))
+- rdev_dbg(rdev, "unable to resolve supply\n");
+-
+ ret = set_machine_constraints(rdev, constraints);
++ if (ret == -EPROBE_DEFER) {
++ /* Regulator might be in bypass mode and so needs its supply
++ * to set the constraints */
++ /* FIXME: this currently triggers a chicken-and-egg problem
++ * when creating -SUPPLY symlink in sysfs to a regulator
++ * that is just being created */
++ ret = regulator_resolve_supply(rdev);
++ if (!ret)
++ ret = set_machine_constraints(rdev, constraints);
++ else
++ rdev_dbg(rdev, "unable to resolve supply early: %pe\n",
++ ERR_PTR(ret));
++ }
+ if (ret < 0)
+ goto wash;
+
+--
+2.25.1
+
--- /dev/null
+From f6c38da8139e042f58aa64a255a091f07e57fbf2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Mar 2020 14:01:44 +0100
+Subject: reiserfs: Fix memory leak in reiserfs_parse_options()
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit e9d4709fcc26353df12070566970f080e651f0c9 ]
+
+When a usrjquota or grpjquota mount option is used multiple times, we
+will leak memory allocated for the file name. Make sure the last setting
+is used and all the previous ones are properly freed.
+
+Reported-by: syzbot+c9e294bbe0333a6b7640@syzkaller.appspotmail.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/reiserfs/super.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
+index a6bce5b1fb1dc..1b9c7a387dc71 100644
+--- a/fs/reiserfs/super.c
++++ b/fs/reiserfs/super.c
+@@ -1258,6 +1258,10 @@ static int reiserfs_parse_options(struct super_block *s,
+ "turned on.");
+ return 0;
+ }
++ if (qf_names[qtype] !=
++ REISERFS_SB(s)->s_qf_names[qtype])
++ kfree(qf_names[qtype]);
++ qf_names[qtype] = NULL;
+ if (*arg) { /* Some filename specified? */
+ if (REISERFS_SB(s)->s_qf_names[qtype]
+ && strcmp(REISERFS_SB(s)->s_qf_names[qtype],
+@@ -1287,10 +1291,6 @@ static int reiserfs_parse_options(struct super_block *s,
+ else
+ *mount_options |= 1 << REISERFS_GRPQUOTA;
+ } else {
+- if (qf_names[qtype] !=
+- REISERFS_SB(s)->s_qf_names[qtype])
+- kfree(qf_names[qtype]);
+- qf_names[qtype] = NULL;
+ if (qtype == USRQUOTA)
+ *mount_options &= ~(1 << REISERFS_USRQUOTA);
+ else
+--
+2.25.1
+
--- /dev/null
+From 2c0903a9a23d2acf3e4120aecdad7bea5de163de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Jun 2020 00:00:57 -0700
+Subject: reiserfs: only call unlock_new_inode() if I_NEW
+
+From: Eric Biggers <ebiggers@google.com>
+
+[ Upstream commit 8859bf2b1278d064a139e3031451524a49a56bd0 ]
+
+unlock_new_inode() is only meant to be called after a new inode has
+already been inserted into the hash table. But reiserfs_new_inode() can
+call it even before it has inserted the inode, triggering the WARNING in
+unlock_new_inode(). Fix this by only calling unlock_new_inode() if the
+inode has the I_NEW flag set, indicating that it's in the table.
+
+This addresses the syzbot report "WARNING in unlock_new_inode"
+(https://syzkaller.appspot.com/bug?extid=187510916eb6a14598f7).
+
+Link: https://lore.kernel.org/r/20200628070057.820213-1-ebiggers@kernel.org
+Reported-by: syzbot+187510916eb6a14598f7@syzkaller.appspotmail.com
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/reiserfs/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c
+index 70387650436cf..ac35ddf0dd603 100644
+--- a/fs/reiserfs/inode.c
++++ b/fs/reiserfs/inode.c
+@@ -2161,7 +2161,8 @@ int reiserfs_new_inode(struct reiserfs_transaction_handle *th,
+ out_inserted_sd:
+ clear_nlink(inode);
+ th->t_trans_id = 0; /* so the caller can't use this handle later */
+- unlock_new_inode(inode); /* OK to do even if we hadn't locked it */
++ if (inode->i_state & I_NEW)
++ unlock_new_inode(inode);
+ iput(inode);
+ return err;
+ }
+--
+2.25.1
+
--- /dev/null
+From 32f7543ecd5b0f7b2fc66260431c8faf36ac29b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Sep 2020 10:18:41 +0300
+Subject: rpmsg: smd: Fix a kobj leak in in qcom_smd_parse_edge()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit e69ee0cf655e8e0c4a80f4319e36019b74f17639 ]
+
+We need to call of_node_put(node) on the error paths for this function.
+
+Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20200908071841.GA294938@mwanda
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rpmsg/qcom_smd.c | 32 ++++++++++++++++++++++----------
+ 1 file changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c
+index 4abbeea782fa4..19903de6268db 100644
+--- a/drivers/rpmsg/qcom_smd.c
++++ b/drivers/rpmsg/qcom_smd.c
+@@ -1338,7 +1338,7 @@ static int qcom_smd_parse_edge(struct device *dev,
+ ret = of_property_read_u32(node, key, &edge->edge_id);
+ if (ret) {
+ dev_err(dev, "edge missing %s property\n", key);
+- return -EINVAL;
++ goto put_node;
+ }
+
+ edge->remote_pid = QCOM_SMEM_HOST_ANY;
+@@ -1349,32 +1349,37 @@ static int qcom_smd_parse_edge(struct device *dev,
+ edge->mbox_client.knows_txdone = true;
+ edge->mbox_chan = mbox_request_channel(&edge->mbox_client, 0);
+ if (IS_ERR(edge->mbox_chan)) {
+- if (PTR_ERR(edge->mbox_chan) != -ENODEV)
+- return PTR_ERR(edge->mbox_chan);
++ if (PTR_ERR(edge->mbox_chan) != -ENODEV) {
++ ret = PTR_ERR(edge->mbox_chan);
++ goto put_node;
++ }
+
+ edge->mbox_chan = NULL;
+
+ syscon_np = of_parse_phandle(node, "qcom,ipc", 0);
+ if (!syscon_np) {
+ dev_err(dev, "no qcom,ipc node\n");
+- return -ENODEV;
++ ret = -ENODEV;
++ goto put_node;
+ }
+
+ edge->ipc_regmap = syscon_node_to_regmap(syscon_np);
+- if (IS_ERR(edge->ipc_regmap))
+- return PTR_ERR(edge->ipc_regmap);
++ if (IS_ERR(edge->ipc_regmap)) {
++ ret = PTR_ERR(edge->ipc_regmap);
++ goto put_node;
++ }
+
+ key = "qcom,ipc";
+ ret = of_property_read_u32_index(node, key, 1, &edge->ipc_offset);
+ if (ret < 0) {
+ dev_err(dev, "no offset in %s\n", key);
+- return -EINVAL;
++ goto put_node;
+ }
+
+ ret = of_property_read_u32_index(node, key, 2, &edge->ipc_bit);
+ if (ret < 0) {
+ dev_err(dev, "no bit in %s\n", key);
+- return -EINVAL;
++ goto put_node;
+ }
+ }
+
+@@ -1385,7 +1390,8 @@ static int qcom_smd_parse_edge(struct device *dev,
+ irq = irq_of_parse_and_map(node, 0);
+ if (irq < 0) {
+ dev_err(dev, "required smd interrupt missing\n");
+- return -EINVAL;
++ ret = irq;
++ goto put_node;
+ }
+
+ ret = devm_request_irq(dev, irq,
+@@ -1393,12 +1399,18 @@ static int qcom_smd_parse_edge(struct device *dev,
+ node->name, edge);
+ if (ret) {
+ dev_err(dev, "failed to request smd irq\n");
+- return ret;
++ goto put_node;
+ }
+
+ edge->irq = irq;
+
+ return 0;
++
++put_node:
++ of_node_put(node);
++ edge->of_node = NULL;
++
++ return ret;
+ }
+
+ /*
+--
+2.25.1
+
--- /dev/null
+From 11e553b2d2939020c638250750dc09f547395159 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Sep 2020 12:04:24 +0800
+Subject: rtl8xxxu: prevent potential memory leak
+
+From: Chris Chiu <chiu@endlessm.com>
+
+[ Upstream commit 86279456a4d47782398d3cb8193f78f672e36cac ]
+
+Free the skb if usb_submit_urb fails on rx_urb. And free the urb
+no matter usb_submit_urb succeeds or not in rtl8xxxu_submit_int_urb.
+
+Signed-off-by: Chris Chiu <chiu@endlessm.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200906040424.22022-1-chiu@endlessm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index 3499b211dad51..048984ca81fdb 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -5447,7 +5447,6 @@ static int rtl8xxxu_submit_int_urb(struct ieee80211_hw *hw)
+ ret = usb_submit_urb(urb, GFP_KERNEL);
+ if (ret) {
+ usb_unanchor_urb(urb);
+- usb_free_urb(urb);
+ goto error;
+ }
+
+@@ -5456,6 +5455,7 @@ static int rtl8xxxu_submit_int_urb(struct ieee80211_hw *hw)
+ rtl8xxxu_write32(priv, REG_USB_HIMR, val32);
+
+ error:
++ usb_free_urb(urb);
+ return ret;
+ }
+
+@@ -5781,6 +5781,7 @@ static int rtl8xxxu_start(struct ieee80211_hw *hw)
+ struct rtl8xxxu_priv *priv = hw->priv;
+ struct rtl8xxxu_rx_urb *rx_urb;
+ struct rtl8xxxu_tx_urb *tx_urb;
++ struct sk_buff *skb;
+ unsigned long flags;
+ int ret, i;
+
+@@ -5831,6 +5832,13 @@ static int rtl8xxxu_start(struct ieee80211_hw *hw)
+ rx_urb->hw = hw;
+
+ ret = rtl8xxxu_submit_rx_urb(priv, rx_urb);
++ if (ret) {
++ if (ret != -ENOMEM) {
++ skb = (struct sk_buff *)rx_urb->urb.context;
++ dev_kfree_skb(skb);
++ }
++ rtl8xxxu_queue_rx_urb(priv, rx_urb);
++ }
+ }
+ exit:
+ /*
+--
+2.25.1
+
--- /dev/null
+From 02e76eb60bf3ff9151a3fd4fbf4077d21615e80b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 14:12:15 +0800
+Subject: rtw88: increse the size of rx buffer size
+
+From: Tzu-En Huang <tehuang@realtek.com>
+
+[ Upstream commit ee755732b7a16af018daa77d9562d2493fb7092f ]
+
+The vht capability of MAX_MPDU_LENGTH is 11454 in rtw88; however, the rx
+buffer size for each packet is 8192. When receiving packets that are
+larger than rx buffer size, it will leads to rx buffer ring overflow.
+
+Signed-off-by: Tzu-En Huang <tehuang@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200925061219.23754-2-tehuang@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/pci.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/pci.h b/drivers/net/wireless/realtek/rtw88/pci.h
+index 87824a4caba98..a47d871ae506a 100644
+--- a/drivers/net/wireless/realtek/rtw88/pci.h
++++ b/drivers/net/wireless/realtek/rtw88/pci.h
+@@ -13,8 +13,8 @@
+ #define RTK_BEQ_TX_DESC_NUM 256
+
+ #define RTK_MAX_RX_DESC_NUM 512
+-/* 8K + rx desc size */
+-#define RTK_PCI_RX_BUF_SIZE (8192 + 24)
++/* 11K + rx desc size */
++#define RTK_PCI_RX_BUF_SIZE (11454 + 24)
+
+ #define RTK_PCI_CTRL 0x300
+ #define BIT_RST_TRXDMA_INTF BIT(20)
+--
+2.25.1
+
--- /dev/null
+From e1c0fdf39d0e0ec4f281dbb57a1b1cdd95a838a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Sep 2020 14:48:47 +0800
+Subject: sched/fair: Fix wrong cpu selecting from isolated domain
+
+From: Xunlei Pang <xlpang@linux.alibaba.com>
+
+[ Upstream commit df3cb4ea1fb63ff326488efd671ba3c39034255e ]
+
+We've met problems that occasionally tasks with full cpumask
+(e.g. by putting it into a cpuset or setting to full affinity)
+were migrated to our isolated cpus in production environment.
+
+After some analysis, we found that it is due to the current
+select_idle_smt() not considering the sched_domain mask.
+
+Steps to reproduce on my 31-CPU hyperthreads machine:
+1. with boot parameter: "isolcpus=domain,2-31"
+ (thread lists: 0,16 and 1,17)
+2. cgcreate -g cpu:test; cgexec -g cpu:test "test_threads"
+3. some threads will be migrated to the isolated cpu16~17.
+
+Fix it by checking the valid domain mask in select_idle_smt().
+
+Fixes: 10e2f1acd010 ("sched/core: Rewrite and improve select_idle_siblings())
+Reported-by: Wetp Zhang <wetp.zy@linux.alibaba.com>
+Signed-off-by: Xunlei Pang <xlpang@linux.alibaba.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Jiang Biao <benbjiang@tencent.com>
+Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
+Link: https://lkml.kernel.org/r/1600930127-76857-1-git-send-email-xlpang@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index b02a83ff40687..dddaf61378f62 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -5936,7 +5936,7 @@ static int select_idle_core(struct task_struct *p, struct sched_domain *sd, int
+ /*
+ * Scan the local SMT mask for idle CPUs.
+ */
+-static int select_idle_smt(struct task_struct *p, int target)
++static int select_idle_smt(struct task_struct *p, struct sched_domain *sd, int target)
+ {
+ int cpu, si_cpu = -1;
+
+@@ -5944,7 +5944,8 @@ static int select_idle_smt(struct task_struct *p, int target)
+ return -1;
+
+ for_each_cpu(cpu, cpu_smt_mask(target)) {
+- if (!cpumask_test_cpu(cpu, p->cpus_ptr))
++ if (!cpumask_test_cpu(cpu, p->cpus_ptr) ||
++ !cpumask_test_cpu(cpu, sched_domain_span(sd)))
+ continue;
+ if (available_idle_cpu(cpu))
+ return cpu;
+@@ -5962,7 +5963,7 @@ static inline int select_idle_core(struct task_struct *p, struct sched_domain *s
+ return -1;
+ }
+
+-static inline int select_idle_smt(struct task_struct *p, int target)
++static inline int select_idle_smt(struct task_struct *p, struct sched_domain *sd, int target)
+ {
+ return -1;
+ }
+@@ -6072,7 +6073,7 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target)
+ if ((unsigned)i < nr_cpumask_bits)
+ return i;
+
+- i = select_idle_smt(p, target);
++ i = select_idle_smt(p, sd, target);
+ if ((unsigned)i < nr_cpumask_bits)
+ return i;
+
+--
+2.25.1
+
--- /dev/null
+From 1f32deefcfd13d4dd1e6979b238d4e8311948af8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Oct 2020 07:31:14 +0200
+Subject: sched/features: Fix !CONFIG_JUMP_LABEL case
+
+From: Juri Lelli <juri.lelli@redhat.com>
+
+[ Upstream commit a73f863af4ce9730795eab7097fb2102e6854365 ]
+
+Commit:
+
+ 765cc3a4b224e ("sched/core: Optimize sched_feat() for !CONFIG_SCHED_DEBUG builds")
+
+made sched features static for !CONFIG_SCHED_DEBUG configurations, but
+overlooked the CONFIG_SCHED_DEBUG=y and !CONFIG_JUMP_LABEL cases.
+
+For the latter echoing changes to /sys/kernel/debug/sched_features has
+the nasty effect of effectively changing what sched_features reports,
+but without actually changing the scheduler behaviour (since different
+translation units get different sysctl_sched_features).
+
+Fix CONFIG_SCHED_DEBUG=y and !CONFIG_JUMP_LABEL configurations by properly
+restructuring ifdefs.
+
+Fixes: 765cc3a4b224e ("sched/core: Optimize sched_feat() for !CONFIG_SCHED_DEBUG builds")
+Co-developed-by: Daniel Bristot de Oliveira <bristot@redhat.com>
+Signed-off-by: Daniel Bristot de Oliveira <bristot@redhat.com>
+Signed-off-by: Juri Lelli <juri.lelli@redhat.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Patrick Bellasi <patrick.bellasi@matbug.net>
+Reviewed-by: Valentin Schneider <valentin.schneider@arm.com>
+Link: https://lore.kernel.org/r/20201013053114.160628-1-juri.lelli@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 2 +-
+ kernel/sched/sched.h | 13 ++++++++++---
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 79ce22de44095..4511532b08b84 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -36,7 +36,7 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(sched_overutilized_tp);
+
+ DEFINE_PER_CPU_SHARED_ALIGNED(struct rq, runqueues);
+
+-#if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_JUMP_LABEL)
++#ifdef CONFIG_SCHED_DEBUG
+ /*
+ * Debugging: various feature bits
+ *
+diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
+index 9f2a9e34a78d5..3e7590813844f 100644
+--- a/kernel/sched/sched.h
++++ b/kernel/sched/sched.h
+@@ -1568,7 +1568,7 @@ enum {
+
+ #undef SCHED_FEAT
+
+-#if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_JUMP_LABEL)
++#ifdef CONFIG_SCHED_DEBUG
+
+ /*
+ * To support run-time toggling of sched features, all the translation units
+@@ -1576,6 +1576,7 @@ enum {
+ */
+ extern const_debug unsigned int sysctl_sched_features;
+
++#ifdef CONFIG_JUMP_LABEL
+ #define SCHED_FEAT(name, enabled) \
+ static __always_inline bool static_branch_##name(struct static_key *key) \
+ { \
+@@ -1588,7 +1589,13 @@ static __always_inline bool static_branch_##name(struct static_key *key) \
+ extern struct static_key sched_feat_keys[__SCHED_FEAT_NR];
+ #define sched_feat(x) (static_branch_##x(&sched_feat_keys[__SCHED_FEAT_##x]))
+
+-#else /* !(SCHED_DEBUG && CONFIG_JUMP_LABEL) */
++#else /* !CONFIG_JUMP_LABEL */
++
++#define sched_feat(x) (sysctl_sched_features & (1UL << __SCHED_FEAT_##x))
++
++#endif /* CONFIG_JUMP_LABEL */
++
++#else /* !SCHED_DEBUG */
+
+ /*
+ * Each translation unit has its own copy of sysctl_sched_features to allow
+@@ -1604,7 +1611,7 @@ static const_debug __maybe_unused unsigned int sysctl_sched_features =
+
+ #define sched_feat(x) !!(sysctl_sched_features & (1UL << __SCHED_FEAT_##x))
+
+-#endif /* SCHED_DEBUG && CONFIG_JUMP_LABEL */
++#endif /* SCHED_DEBUG */
+
+ extern struct static_key_false sched_numa_balancing;
+ extern struct static_key_false sched_schedstats;
+--
+2.25.1
+
--- /dev/null
+From 58337e944fa677a6cb0da1f7caffdfbef62cb183 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Sep 2020 12:13:00 +0300
+Subject: scsi: be2iscsi: Fix a theoretical leak in beiscsi_create_eqs()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 38b2db564d9ab7797192ef15d7aade30633ceeae ]
+
+The be_fill_queue() function can only fail when "eq_vaddress" is NULL and
+since it's non-NULL here that means the function call can't fail. But
+imagine if it could, then in that situation we would want to store the
+"paddr" so that dma memory can be released.
+
+Link: https://lore.kernel.org/r/20200928091300.GD377727@mwanda
+Fixes: bfead3b2cb46 ("[SCSI] be2iscsi: Adding msix and mcc_rings V3")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/be2iscsi/be_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c
+index 0760d0bd8a10b..0fa455357594e 100644
+--- a/drivers/scsi/be2iscsi/be_main.c
++++ b/drivers/scsi/be2iscsi/be_main.c
+@@ -3020,6 +3020,7 @@ static int beiscsi_create_eqs(struct beiscsi_hba *phba,
+ goto create_eq_error;
+ }
+
++ mem->dma = paddr;
+ mem->va = eq_vaddress;
+ ret = be_fill_queue(eq, phba->params.num_eq_entries,
+ sizeof(struct be_eq_entry), eq_vaddress);
+@@ -3029,7 +3030,6 @@ static int beiscsi_create_eqs(struct beiscsi_hba *phba,
+ goto create_eq_error;
+ }
+
+- mem->dma = paddr;
+ ret = beiscsi_cmd_eq_create(&phba->ctrl, eq,
+ BEISCSI_EQ_DELAY_DEF);
+ if (ret) {
+@@ -3086,6 +3086,7 @@ static int beiscsi_create_cqs(struct beiscsi_hba *phba,
+ goto create_cq_error;
+ }
+
++ mem->dma = paddr;
+ ret = be_fill_queue(cq, phba->params.num_cq_entries,
+ sizeof(struct sol_cqe), cq_vaddress);
+ if (ret) {
+@@ -3095,7 +3096,6 @@ static int beiscsi_create_cqs(struct beiscsi_hba *phba,
+ goto create_cq_error;
+ }
+
+- mem->dma = paddr;
+ ret = beiscsi_cmd_cq_create(&phba->ctrl, cq, eq, false,
+ false, 0);
+ if (ret) {
+--
+2.25.1
+
--- /dev/null
+From 9ba7cdd37961f067c755477648928776687fec13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 14:24:23 +0800
+Subject: scsi: bfa: Fix error return in bfad_pci_init()
+
+From: Jing Xiangfeng <jingxiangfeng@huawei.com>
+
+[ Upstream commit f0f6c3a4fcb80fcbcce4ff6739996dd98c228afd ]
+
+Fix to return error code -ENODEV from the error handling case instead of 0.
+
+Link: https://lore.kernel.org/r/20200925062423.161504-1-jingxiangfeng@huawei.com
+Fixes: 11ea3824140c ("scsi: bfa: fix calls to dma_set_mask_and_coherent()")
+Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/bfa/bfad.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/bfa/bfad.c b/drivers/scsi/bfa/bfad.c
+index 2f9213b257a4a..93e4011809919 100644
+--- a/drivers/scsi/bfa/bfad.c
++++ b/drivers/scsi/bfa/bfad.c
+@@ -749,6 +749,7 @@ bfad_pci_init(struct pci_dev *pdev, struct bfad_s *bfad)
+
+ if (bfad->pci_bar0_kva == NULL) {
+ printk(KERN_ERR "Fail to map bar0\n");
++ rc = -ENODEV;
+ goto out_release_region;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 7e5b325836ffab0708d5aec0938a9a6e8b5ddd59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 19:15:31 +0800
+Subject: scsi: csiostor: Fix wrong return value in csio_hw_prep_fw()
+
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+
+[ Upstream commit 44f4daf8678ae5f08c93bbe70792f90cd88e4649 ]
+
+On an error exit path, a negative error code should be returned instead of
+a positive return value.
+
+Link: https://lore.kernel.org/r/20200802111531.5065-1-tianjia.zhang@linux.alibaba.com
+Fixes: f40e74ffa3de ("csiostor:firmware upgrade fix")
+Cc: Praveen Madhavan <praveenm@chelsio.com>
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/csiostor/csio_hw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/csiostor/csio_hw.c b/drivers/scsi/csiostor/csio_hw.c
+index e519238864758..1b6f9351b43f9 100644
+--- a/drivers/scsi/csiostor/csio_hw.c
++++ b/drivers/scsi/csiostor/csio_hw.c
+@@ -2384,7 +2384,7 @@ static int csio_hw_prep_fw(struct csio_hw *hw, struct fw_info *fw_info,
+ FW_HDR_FW_VER_MICRO_G(c), FW_HDR_FW_VER_BUILD_G(c),
+ FW_HDR_FW_VER_MAJOR_G(k), FW_HDR_FW_VER_MINOR_G(k),
+ FW_HDR_FW_VER_MICRO_G(k), FW_HDR_FW_VER_BUILD_G(k));
+- ret = EINVAL;
++ ret = -EINVAL;
+ goto bye;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From fb775891efbee64b155cbfb95ca6b36e3e7474bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Sep 2020 16:39:49 +0800
+Subject: scsi: ibmvfc: Fix error return in ibmvfc_probe()
+
+From: Jing Xiangfeng <jingxiangfeng@huawei.com>
+
+[ Upstream commit 5e48a084f4e824e1b624d3fd7ddcf53d2ba69e53 ]
+
+Fix to return error code PTR_ERR() from the error handling case instead of
+0.
+
+Link: https://lore.kernel.org/r/20200907083949.154251-1-jingxiangfeng@huawei.com
+Acked-by: Tyrel Datwyler <tyreld@linux.ibm.com>
+Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ibmvscsi/ibmvfc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c
+index df897df5cafee..8a76284b59b08 100644
+--- a/drivers/scsi/ibmvscsi/ibmvfc.c
++++ b/drivers/scsi/ibmvscsi/ibmvfc.c
+@@ -4788,6 +4788,7 @@ static int ibmvfc_probe(struct vio_dev *vdev, const struct vio_device_id *id)
+ if (IS_ERR(vhost->work_thread)) {
+ dev_err(dev, "Couldn't create kernel thread: %ld\n",
+ PTR_ERR(vhost->work_thread));
++ rc = PTR_ERR(vhost->work_thread);
+ goto free_host_mem;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 92574abd450a53c449789e0e8895db66c036aff6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Sep 2020 16:21:26 +0200
+Subject: scsi: mpt3sas: Fix sync irqs
+
+From: Tomas Henzl <thenzl@redhat.com>
+
+[ Upstream commit 45181eab8ba79ed7a41b549f00500c0093828521 ]
+
+_base_process_reply_queue() called from _base_interrupt() may schedule a
+new irq poll. Fix this by calling synchronize_irq() first.
+
+Also ensure that enable_irq() is called only when necessary to avoid
+"Unbalanced enable for IRQ..." errors.
+
+Link: https://lore.kernel.org/r/20200910142126.8147-1-thenzl@redhat.com
+Fixes: 320e77acb327 ("scsi: mpt3sas: Irq poll to avoid CPU hard lockups")
+Acked-by: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Signed-off-by: Tomas Henzl <thenzl@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_base.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c
+index b7e44634d0dc2..3d58d24de6b61 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
+@@ -1708,18 +1708,22 @@ mpt3sas_base_sync_reply_irqs(struct MPT3SAS_ADAPTER *ioc)
+ /* TMs are on msix_index == 0 */
+ if (reply_q->msix_index == 0)
+ continue;
++ synchronize_irq(pci_irq_vector(ioc->pdev, reply_q->msix_index));
+ if (reply_q->irq_poll_scheduled) {
+ /* Calling irq_poll_disable will wait for any pending
+ * callbacks to have completed.
+ */
+ irq_poll_disable(&reply_q->irqpoll);
+ irq_poll_enable(&reply_q->irqpoll);
+- reply_q->irq_poll_scheduled = false;
+- reply_q->irq_line_enable = true;
+- enable_irq(reply_q->os_irq);
+- continue;
++ /* check how the scheduled poll has ended,
++ * clean up only if necessary
++ */
++ if (reply_q->irq_poll_scheduled) {
++ reply_q->irq_poll_scheduled = false;
++ reply_q->irq_line_enable = true;
++ enable_irq(reply_q->os_irq);
++ }
+ }
+- synchronize_irq(pci_irq_vector(ioc->pdev, reply_q->msix_index));
+ }
+ }
+
+--
+2.25.1
+
--- /dev/null
+From e2b9308d11c44e7e1db0125ce003a8957cdb4132 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Sep 2020 20:38:48 +0800
+Subject: scsi: mvumi: Fix error return in mvumi_io_attach()
+
+From: Jing Xiangfeng <jingxiangfeng@huawei.com>
+
+[ Upstream commit 055f15ab2cb4a5cbc4c0a775ef3d0066e0fa9b34 ]
+
+Return PTR_ERR() from the error handling case instead of 0.
+
+Link: https://lore.kernel.org/r/20200910123848.93649-1-jingxiangfeng@huawei.com
+Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mvumi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/mvumi.c b/drivers/scsi/mvumi.c
+index 8906aceda4c43..0354898d7cac1 100644
+--- a/drivers/scsi/mvumi.c
++++ b/drivers/scsi/mvumi.c
+@@ -2425,6 +2425,7 @@ static int mvumi_io_attach(struct mvumi_hba *mhba)
+ if (IS_ERR(mhba->dm_thread)) {
+ dev_err(&mhba->pdev->dev,
+ "failed to create device scan thread\n");
++ ret = PTR_ERR(mhba->dm_thread);
+ mutex_unlock(&mhba->sas_discovery_mutex);
+ goto fail_create_thread;
+ }
+--
+2.25.1
+
--- /dev/null
+From 0480bcc01ba0ae1068868344ca7a234789fc2f55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Sep 2020 05:14:40 -0700
+Subject: scsi: qedf: Return SUCCESS if stale rport is encountered
+
+From: Saurav Kashyap <skashyap@marvell.com>
+
+[ Upstream commit 10aff62fab263ad7661780816551420cea956ebb ]
+
+If SUCCESS is not returned, error handling will escalate. Return SUCCESS
+similar to other conditions in this function.
+
+Link: https://lore.kernel.org/r/20200907121443.5150-6-jhasan@marvell.com
+Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Javed Hasan <jhasan@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedf/qedf_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
+index 3d0e345947c1f..9c0955c334e3e 100644
+--- a/drivers/scsi/qedf/qedf_main.c
++++ b/drivers/scsi/qedf/qedf_main.c
+@@ -668,7 +668,7 @@ static int qedf_eh_abort(struct scsi_cmnd *sc_cmd)
+ rdata = fcport->rdata;
+ if (!rdata || !kref_get_unless_zero(&rdata->kref)) {
+ QEDF_ERR(&qedf->dbg_ctx, "stale rport, sc_cmd=%p\n", sc_cmd);
+- rc = 1;
++ rc = SUCCESS;
+ goto out;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From dc00df248fbac40648c9412ebc8c399d82a1648c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Sep 2020 02:56:52 -0700
+Subject: scsi: qedi: Fix list_del corruption while removing active I/O
+
+From: Nilesh Javali <njavali@marvell.com>
+
+[ Upstream commit 28b35d17f9f8573d4646dd8df08917a4076a6b63 ]
+
+While aborting the I/O, the firmware cleanup task timed out and driver
+deleted the I/O from active command list. Some time later the firmware
+sent the cleanup task response and driver again deleted the I/O from
+active command list causing firmware to send completion for non-existent
+I/O and list_del corruption of active command list.
+
+Add fix to check if I/O is present before deleting it from the active
+command list to ensure firmware sends valid I/O completion and protect
+against list_del corruption.
+
+Link: https://lore.kernel.org/r/20200908095657.26821-4-mrangankar@marvell.com
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Manish Rangankar <mrangankar@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedi/qedi_fw.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/qedi/qedi_fw.c b/drivers/scsi/qedi/qedi_fw.c
+index 32586800620bd..90aa64604ad78 100644
+--- a/drivers/scsi/qedi/qedi_fw.c
++++ b/drivers/scsi/qedi/qedi_fw.c
+@@ -825,8 +825,11 @@ static void qedi_process_cmd_cleanup_resp(struct qedi_ctx *qedi,
+ qedi_clear_task_idx(qedi_conn->qedi, rtid);
+
+ spin_lock(&qedi_conn->list_lock);
+- list_del_init(&dbg_cmd->io_cmd);
+- qedi_conn->active_cmd_count--;
++ if (likely(dbg_cmd->io_cmd_in_list)) {
++ dbg_cmd->io_cmd_in_list = false;
++ list_del_init(&dbg_cmd->io_cmd);
++ qedi_conn->active_cmd_count--;
++ }
+ spin_unlock(&qedi_conn->list_lock);
+ qedi_cmd->state = CLEANUP_RECV;
+ wake_up_interruptible(&qedi_conn->wait_queue);
+@@ -1244,6 +1247,7 @@ int qedi_cleanup_all_io(struct qedi_ctx *qedi, struct qedi_conn *qedi_conn,
+ qedi_conn->cmd_cleanup_req++;
+ qedi_iscsi_cleanup_task(ctask, true);
+
++ cmd->io_cmd_in_list = false;
+ list_del_init(&cmd->io_cmd);
+ qedi_conn->active_cmd_count--;
+ QEDI_WARN(&qedi->dbg_ctx,
+@@ -1455,8 +1459,11 @@ static void qedi_tmf_work(struct work_struct *work)
+ spin_unlock_bh(&qedi_conn->tmf_work_lock);
+
+ spin_lock(&qedi_conn->list_lock);
+- list_del_init(&cmd->io_cmd);
+- qedi_conn->active_cmd_count--;
++ if (likely(cmd->io_cmd_in_list)) {
++ cmd->io_cmd_in_list = false;
++ list_del_init(&cmd->io_cmd);
++ qedi_conn->active_cmd_count--;
++ }
+ spin_unlock(&qedi_conn->list_lock);
+
+ clear_bit(QEDI_CONN_FW_CLEANUP, &qedi_conn->flags);
+--
+2.25.1
+
--- /dev/null
+From 53baa10689a8e978fdaaf70ed2ce21adeb0d20e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Sep 2020 02:56:53 -0700
+Subject: scsi: qedi: Protect active command list to avoid list corruption
+
+From: Nilesh Javali <njavali@marvell.com>
+
+[ Upstream commit c0650e28448d606c84f76c34333dba30f61de993 ]
+
+Protect active command list for non-I/O commands like login response,
+logout response, text response, and recovery cleanup of active list to
+avoid list corruption.
+
+Link: https://lore.kernel.org/r/20200908095657.26821-5-mrangankar@marvell.com
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Manish Rangankar <mrangankar@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedi/qedi_fw.c | 8 ++++++++
+ drivers/scsi/qedi/qedi_iscsi.c | 2 ++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/drivers/scsi/qedi/qedi_fw.c b/drivers/scsi/qedi/qedi_fw.c
+index 946cebc4c9322..32586800620bd 100644
+--- a/drivers/scsi/qedi/qedi_fw.c
++++ b/drivers/scsi/qedi/qedi_fw.c
+@@ -59,6 +59,7 @@ static void qedi_process_logout_resp(struct qedi_ctx *qedi,
+ "Freeing tid=0x%x for cid=0x%x\n",
+ cmd->task_id, qedi_conn->iscsi_conn_id);
+
++ spin_lock(&qedi_conn->list_lock);
+ if (likely(cmd->io_cmd_in_list)) {
+ cmd->io_cmd_in_list = false;
+ list_del_init(&cmd->io_cmd);
+@@ -69,6 +70,7 @@ static void qedi_process_logout_resp(struct qedi_ctx *qedi,
+ cmd->task_id, qedi_conn->iscsi_conn_id,
+ &cmd->io_cmd);
+ }
++ spin_unlock(&qedi_conn->list_lock);
+
+ cmd->state = RESPONSE_RECEIVED;
+ qedi_clear_task_idx(qedi, cmd->task_id);
+@@ -122,6 +124,7 @@ static void qedi_process_text_resp(struct qedi_ctx *qedi,
+ "Freeing tid=0x%x for cid=0x%x\n",
+ cmd->task_id, qedi_conn->iscsi_conn_id);
+
++ spin_lock(&qedi_conn->list_lock);
+ if (likely(cmd->io_cmd_in_list)) {
+ cmd->io_cmd_in_list = false;
+ list_del_init(&cmd->io_cmd);
+@@ -132,6 +135,7 @@ static void qedi_process_text_resp(struct qedi_ctx *qedi,
+ cmd->task_id, qedi_conn->iscsi_conn_id,
+ &cmd->io_cmd);
+ }
++ spin_unlock(&qedi_conn->list_lock);
+
+ cmd->state = RESPONSE_RECEIVED;
+ qedi_clear_task_idx(qedi, cmd->task_id);
+@@ -222,11 +226,13 @@ static void qedi_process_tmf_resp(struct qedi_ctx *qedi,
+
+ tmf_hdr = (struct iscsi_tm *)qedi_cmd->task->hdr;
+
++ spin_lock(&qedi_conn->list_lock);
+ if (likely(qedi_cmd->io_cmd_in_list)) {
+ qedi_cmd->io_cmd_in_list = false;
+ list_del_init(&qedi_cmd->io_cmd);
+ qedi_conn->active_cmd_count--;
+ }
++ spin_unlock(&qedi_conn->list_lock);
+
+ if (((tmf_hdr->flags & ISCSI_FLAG_TM_FUNC_MASK) ==
+ ISCSI_TM_FUNC_LOGICAL_UNIT_RESET) ||
+@@ -288,11 +294,13 @@ static void qedi_process_login_resp(struct qedi_ctx *qedi,
+ ISCSI_LOGIN_RESPONSE_HDR_DATA_SEG_LEN_MASK;
+ qedi_conn->gen_pdu.resp_wr_ptr = qedi_conn->gen_pdu.resp_buf + pld_len;
+
++ spin_lock(&qedi_conn->list_lock);
+ if (likely(cmd->io_cmd_in_list)) {
+ cmd->io_cmd_in_list = false;
+ list_del_init(&cmd->io_cmd);
+ qedi_conn->active_cmd_count--;
+ }
++ spin_unlock(&qedi_conn->list_lock);
+
+ memset(task_ctx, '\0', sizeof(*task_ctx));
+
+diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c
+index 0f2622a48311c..755f66b1ff9c7 100644
+--- a/drivers/scsi/qedi/qedi_iscsi.c
++++ b/drivers/scsi/qedi/qedi_iscsi.c
+@@ -972,11 +972,13 @@ static void qedi_cleanup_active_cmd_list(struct qedi_conn *qedi_conn)
+ {
+ struct qedi_cmd *cmd, *cmd_tmp;
+
++ spin_lock(&qedi_conn->list_lock);
+ list_for_each_entry_safe(cmd, cmd_tmp, &qedi_conn->active_cmd_list,
+ io_cmd) {
+ list_del_init(&cmd->io_cmd);
+ qedi_conn->active_cmd_count--;
+ }
++ spin_unlock(&qedi_conn->list_lock);
+ }
+
+ static void qedi_ep_disconnect(struct iscsi_endpoint *ep)
+--
+2.25.1
+
--- /dev/null
+From 20c76a913950758dc193d78114360ce5b5d552d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 19:15:30 +0800
+Subject: scsi: qla2xxx: Fix wrong return value in qla_nvme_register_hba()
+
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+
+[ Upstream commit ca4fb89a3d714a770e9c73c649da830f3f4a5326 ]
+
+On an error exit path, a negative error code should be returned instead of
+a positive return value.
+
+Link: https://lore.kernel.org/r/20200802111530.5020-1-tianjia.zhang@linux.alibaba.com
+Fixes: 8777e4314d39 ("scsi: qla2xxx: Migrate NVME N2N handling into state machine")
+Cc: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_nvme.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c
+index f4815a4084d8c..11656e864fca9 100644
+--- a/drivers/scsi/qla2xxx/qla_nvme.c
++++ b/drivers/scsi/qla2xxx/qla_nvme.c
+@@ -682,7 +682,7 @@ int qla_nvme_register_hba(struct scsi_qla_host *vha)
+ struct nvme_fc_port_template *tmpl;
+ struct qla_hw_data *ha;
+ struct nvme_fc_port_info pinfo;
+- int ret = EINVAL;
++ int ret = -EINVAL;
+
+ if (!IS_ENABLED(CONFIG_NVME_FC))
+ return ret;
+--
+2.25.1
+
--- /dev/null
+From fd6c6773935997f82d92c23eecd1403eae86a504 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 19:15:28 +0800
+Subject: scsi: qla2xxx: Fix wrong return value in qlt_chk_unresolv_exchg()
+
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+
+[ Upstream commit bbf2d06a9d767718bfe6028d6288c03edb98554a ]
+
+In the case of a failed retry, a positive value EIO is returned here. I
+think this is a typo error. It is necessary to return an error value.
+
+[mkp: caller checks != 0 but the rest of the file uses -Exxx so fix this up
+to be consistent]
+
+Link: https://lore.kernel.org/r/20200802111528.4974-1-tianjia.zhang@linux.alibaba.com
+Fixes: 0691094ff3f2 ("scsi: qla2xxx: Add logic to detect ABTS hang and response completion")
+Cc: Quinn Tran <quinn.tran@cavium.com>
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_target.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
+index a7acc266cec06..d84d95cac2a13 100644
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -5677,7 +5677,7 @@ static int qlt_chk_unresolv_exchg(struct scsi_qla_host *vha,
+ /* found existing exchange */
+ qpair->retry_term_cnt++;
+ if (qpair->retry_term_cnt >= 5) {
+- rc = EIO;
++ rc = -EIO;
+ qpair->retry_term_cnt = 0;
+ ql_log(ql_log_warn, vha, 0xffff,
+ "Unable to send ABTS Respond. Dumping firmware.\n");
+--
+2.25.1
+
--- /dev/null
+From fc75702aa7ccf922451c8b4e920fe5533de960b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Sep 2020 10:15:13 +0200
+Subject: scsi: qla2xxx: Warn if done() or free() are called on an already
+ freed srb
+
+From: Daniel Wagner <dwagner@suse.de>
+
+[ Upstream commit c0014f94218ea3a312f6235febea0d626c5f2154 ]
+
+Emit a warning when ->done or ->free are called on an already freed
+srb. There is a hidden use-after-free bug in the driver which corrupts
+the srb memory pool which originates from the cleanup callbacks.
+
+An extensive search didn't bring any lights on the real problem. The
+initial fix was to set both pointers to NULL and try to catch invalid
+accesses. But instead the memory corruption was gone and the driver
+didn't crash. Since not all calling places check for NULL pointer, add
+explicitly default handlers. With this we workaround the memory
+corruption and add a debug help.
+
+Link: https://lore.kernel.org/r/20200908081516.8561-2-dwagner@suse.de
+Reviewed-by: Martin Wilck <mwilck@suse.com>
+Reviewed-by: Arun Easi <aeasi@marvell.com>
+Signed-off-by: Daniel Wagner <dwagner@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_init.c | 10 ++++++++++
+ drivers/scsi/qla2xxx/qla_inline.h | 5 +++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index 62d2ee825c97a..b300e11095828 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -71,6 +71,16 @@ void qla2x00_sp_free(srb_t *sp)
+ qla2x00_rel_sp(sp);
+ }
+
++void qla2xxx_rel_done_warning(srb_t *sp, int res)
++{
++ WARN_ONCE(1, "Calling done() of an already freed srb %p object\n", sp);
++}
++
++void qla2xxx_rel_free_warning(srb_t *sp)
++{
++ WARN_ONCE(1, "Calling free() of an already freed srb %p object\n", sp);
++}
++
+ /* Asynchronous Login/Logout Routines -------------------------------------- */
+
+ unsigned long
+diff --git a/drivers/scsi/qla2xxx/qla_inline.h b/drivers/scsi/qla2xxx/qla_inline.h
+index 0c3d907af7692..6dfde42d799b5 100644
+--- a/drivers/scsi/qla2xxx/qla_inline.h
++++ b/drivers/scsi/qla2xxx/qla_inline.h
+@@ -183,10 +183,15 @@ qla2xxx_get_qpair_sp(scsi_qla_host_t *vha, struct qla_qpair *qpair,
+ return sp;
+ }
+
++void qla2xxx_rel_done_warning(srb_t *sp, int res);
++void qla2xxx_rel_free_warning(srb_t *sp);
++
+ static inline void
+ qla2xxx_rel_qpair_sp(struct qla_qpair *qpair, srb_t *sp)
+ {
+ sp->qpair = NULL;
++ sp->done = qla2xxx_rel_done_warning;
++ sp->free = qla2xxx_rel_free_warning;
+ mempool_free(sp, qpair->srb_mempool);
+ QLA_QPAIR_MARK_NOT_BUSY(qpair);
+ }
+--
+2.25.1
+
--- /dev/null
+From 0012998fb42fc4e2573ddb4f2fb6f2553cdcafe5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 12:15:27 +0200
+Subject: scsi: qla4xxx: Fix an error handling path in
+ 'qla4xxx_get_host_stats()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 574918e69720fe62ab3eb42ec3750230c8d16b06 ]
+
+Update the size used in 'dma_free_coherent()' in order to match the one
+used in the corresponding 'dma_alloc_coherent()'.
+
+Link: https://lore.kernel.org/r/20200802101527.676054-1-christophe.jaillet@wanadoo.fr
+Fixes: 4161cee52df8 ("[SCSI] qla4xxx: Add host statistics support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla4xxx/ql4_os.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
+index 5504ab11decc7..df43cf6405a8e 100644
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -1220,7 +1220,7 @@ static int qla4xxx_get_host_stats(struct Scsi_Host *shost, char *buf, int len)
+ le64_to_cpu(ql_iscsi_stats->iscsi_sequence_error);
+ exit_host_stats:
+ if (ql_iscsi_stats)
+- dma_free_coherent(&ha->pdev->dev, host_stats_size,
++ dma_free_coherent(&ha->pdev->dev, stats_size,
+ ql_iscsi_stats, iscsi_stats_dma);
+
+ ql4_printk(KERN_INFO, ha, "%s: Get host stats done\n",
+--
+2.25.1
+
--- /dev/null
+From 62d48b9320e53cf3fb99ef8a6e07e6cd6e6ff5c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Jul 2020 16:01:33 -0500
+Subject: scsi: smartpqi: Avoid crashing kernel for controller issues
+
+From: Kevin Barnett <kevin.barnett@microsemi.com>
+
+[ Upstream commit 9e68cccc8ef7206f0bccd590378d0dca8f9b4f57 ]
+
+Eliminate kernel panics when getting invalid responses from controller.
+Take controller offline instead of causing kernel panics.
+
+Link: https://lore.kernel.org/r/159622929306.30579.16523318707596752828.stgit@brunhilda
+Reviewed-by: Scott Teel <scott.teel@microsemi.com>
+Reviewed-by: Scott Benesh <scott.benesh@microsemi.com>
+Reviewed-by: Prasad Munirathnam <Prasad.Munirathnam@microsemi.com>
+Reviewed-by: Martin Wilck <mwilck@suse.com>
+Signed-off-by: Kevin Barnett <kevin.barnett@microsemi.com>
+Signed-off-by: Don Brace <don.brace@microsemi.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/smartpqi/smartpqi.h | 2 +-
+ drivers/scsi/smartpqi/smartpqi_init.c | 101 +++++++++++++++++---------
+ 2 files changed, 68 insertions(+), 35 deletions(-)
+
+diff --git a/drivers/scsi/smartpqi/smartpqi.h b/drivers/scsi/smartpqi/smartpqi.h
+index 7a3a942b40df0..dd2175e9bfa17 100644
+--- a/drivers/scsi/smartpqi/smartpqi.h
++++ b/drivers/scsi/smartpqi/smartpqi.h
+@@ -357,7 +357,7 @@ struct pqi_event_response {
+ struct pqi_iu_header header;
+ u8 event_type;
+ u8 reserved2 : 7;
+- u8 request_acknowlege : 1;
++ u8 request_acknowledge : 1;
+ __le16 event_id;
+ __le32 additional_event_id;
+ union {
+diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c
+index 5ae074505386a..093ed5d1eef20 100644
+--- a/drivers/scsi/smartpqi/smartpqi_init.c
++++ b/drivers/scsi/smartpqi/smartpqi_init.c
+@@ -527,8 +527,7 @@ static int pqi_build_raid_path_request(struct pqi_ctrl_info *ctrl_info,
+ put_unaligned_be16(cdb_length, &cdb[7]);
+ break;
+ default:
+- dev_err(&ctrl_info->pci_dev->dev, "unknown command 0x%c\n",
+- cmd);
++ dev_err(&ctrl_info->pci_dev->dev, "unknown command 0x%c\n", cmd);
+ break;
+ }
+
+@@ -2450,7 +2449,6 @@ static int pqi_raid_bypass_submit_scsi_cmd(struct pqi_ctrl_info *ctrl_info,
+ offload_to_mirror =
+ (offload_to_mirror >= layout_map_count - 1) ?
+ 0 : offload_to_mirror + 1;
+- WARN_ON(offload_to_mirror >= layout_map_count);
+ device->offload_to_mirror = offload_to_mirror;
+ /*
+ * Avoid direct use of device->offload_to_mirror within this
+@@ -2903,10 +2901,14 @@ static int pqi_interpret_task_management_response(
+ return rc;
+ }
+
+-static unsigned int pqi_process_io_intr(struct pqi_ctrl_info *ctrl_info,
+- struct pqi_queue_group *queue_group)
++static inline void pqi_invalid_response(struct pqi_ctrl_info *ctrl_info)
++{
++ pqi_take_ctrl_offline(ctrl_info);
++}
++
++static int pqi_process_io_intr(struct pqi_ctrl_info *ctrl_info, struct pqi_queue_group *queue_group)
+ {
+- unsigned int num_responses;
++ int num_responses;
+ pqi_index_t oq_pi;
+ pqi_index_t oq_ci;
+ struct pqi_io_request *io_request;
+@@ -2918,6 +2920,13 @@ static unsigned int pqi_process_io_intr(struct pqi_ctrl_info *ctrl_info,
+
+ while (1) {
+ oq_pi = readl(queue_group->oq_pi);
++ if (oq_pi >= ctrl_info->num_elements_per_oq) {
++ pqi_invalid_response(ctrl_info);
++ dev_err(&ctrl_info->pci_dev->dev,
++ "I/O interrupt: producer index (%u) out of range (0-%u): consumer index: %u\n",
++ oq_pi, ctrl_info->num_elements_per_oq - 1, oq_ci);
++ return -1;
++ }
+ if (oq_pi == oq_ci)
+ break;
+
+@@ -2926,10 +2935,22 @@ static unsigned int pqi_process_io_intr(struct pqi_ctrl_info *ctrl_info,
+ (oq_ci * PQI_OPERATIONAL_OQ_ELEMENT_LENGTH);
+
+ request_id = get_unaligned_le16(&response->request_id);
+- WARN_ON(request_id >= ctrl_info->max_io_slots);
++ if (request_id >= ctrl_info->max_io_slots) {
++ pqi_invalid_response(ctrl_info);
++ dev_err(&ctrl_info->pci_dev->dev,
++ "request ID in response (%u) out of range (0-%u): producer index: %u consumer index: %u\n",
++ request_id, ctrl_info->max_io_slots - 1, oq_pi, oq_ci);
++ return -1;
++ }
+
+ io_request = &ctrl_info->io_request_pool[request_id];
+- WARN_ON(atomic_read(&io_request->refcount) == 0);
++ if (atomic_read(&io_request->refcount) == 0) {
++ pqi_invalid_response(ctrl_info);
++ dev_err(&ctrl_info->pci_dev->dev,
++ "request ID in response (%u) does not match an outstanding I/O request: producer index: %u consumer index: %u\n",
++ request_id, oq_pi, oq_ci);
++ return -1;
++ }
+
+ switch (response->header.iu_type) {
+ case PQI_RESPONSE_IU_RAID_PATH_IO_SUCCESS:
+@@ -2959,24 +2980,22 @@ static unsigned int pqi_process_io_intr(struct pqi_ctrl_info *ctrl_info,
+ io_request->error_info = ctrl_info->error_buffer +
+ (get_unaligned_le16(&response->error_index) *
+ PQI_ERROR_BUFFER_ELEMENT_LENGTH);
+- pqi_process_io_error(response->header.iu_type,
+- io_request);
++ pqi_process_io_error(response->header.iu_type, io_request);
+ break;
+ default:
++ pqi_invalid_response(ctrl_info);
+ dev_err(&ctrl_info->pci_dev->dev,
+- "unexpected IU type: 0x%x\n",
+- response->header.iu_type);
+- break;
++ "unexpected IU type: 0x%x: producer index: %u consumer index: %u\n",
++ response->header.iu_type, oq_pi, oq_ci);
++ return -1;
+ }
+
+- io_request->io_complete_callback(io_request,
+- io_request->context);
++ io_request->io_complete_callback(io_request, io_request->context);
+
+ /*
+ * Note that the I/O request structure CANNOT BE TOUCHED after
+ * returning from the I/O completion callback!
+ */
+-
+ oq_ci = (oq_ci + 1) % ctrl_info->num_elements_per_oq;
+ }
+
+@@ -3289,9 +3308,9 @@ static void pqi_ofa_capture_event_payload(struct pqi_event *event,
+ }
+ }
+
+-static unsigned int pqi_process_event_intr(struct pqi_ctrl_info *ctrl_info)
++static int pqi_process_event_intr(struct pqi_ctrl_info *ctrl_info)
+ {
+- unsigned int num_events;
++ int num_events;
+ pqi_index_t oq_pi;
+ pqi_index_t oq_ci;
+ struct pqi_event_queue *event_queue;
+@@ -3305,26 +3324,31 @@ static unsigned int pqi_process_event_intr(struct pqi_ctrl_info *ctrl_info)
+
+ while (1) {
+ oq_pi = readl(event_queue->oq_pi);
++ if (oq_pi >= PQI_NUM_EVENT_QUEUE_ELEMENTS) {
++ pqi_invalid_response(ctrl_info);
++ dev_err(&ctrl_info->pci_dev->dev,
++ "event interrupt: producer index (%u) out of range (0-%u): consumer index: %u\n",
++ oq_pi, PQI_NUM_EVENT_QUEUE_ELEMENTS - 1, oq_ci);
++ return -1;
++ }
++
+ if (oq_pi == oq_ci)
+ break;
+
+ num_events++;
+- response = event_queue->oq_element_array +
+- (oq_ci * PQI_EVENT_OQ_ELEMENT_LENGTH);
++ response = event_queue->oq_element_array + (oq_ci * PQI_EVENT_OQ_ELEMENT_LENGTH);
+
+ event_index =
+ pqi_event_type_to_event_index(response->event_type);
+
+- if (event_index >= 0) {
+- if (response->request_acknowlege) {
+- event = &ctrl_info->events[event_index];
+- event->pending = true;
+- event->event_type = response->event_type;
+- event->event_id = response->event_id;
+- event->additional_event_id =
+- response->additional_event_id;
++ if (event_index >= 0 && response->request_acknowledge) {
++ event = &ctrl_info->events[event_index];
++ event->pending = true;
++ event->event_type = response->event_type;
++ event->event_id = response->event_id;
++ event->additional_event_id = response->additional_event_id;
++ if (event->event_type == PQI_EVENT_TYPE_OFA)
+ pqi_ofa_capture_event_payload(event, response);
+- }
+ }
+
+ oq_ci = (oq_ci + 1) % PQI_NUM_EVENT_QUEUE_ELEMENTS;
+@@ -3439,7 +3463,8 @@ static irqreturn_t pqi_irq_handler(int irq, void *data)
+ {
+ struct pqi_ctrl_info *ctrl_info;
+ struct pqi_queue_group *queue_group;
+- unsigned int num_responses_handled;
++ int num_io_responses_handled;
++ int num_events_handled;
+
+ queue_group = data;
+ ctrl_info = queue_group->ctrl_info;
+@@ -3447,17 +3472,25 @@ static irqreturn_t pqi_irq_handler(int irq, void *data)
+ if (!pqi_is_valid_irq(ctrl_info))
+ return IRQ_NONE;
+
+- num_responses_handled = pqi_process_io_intr(ctrl_info, queue_group);
++ num_io_responses_handled = pqi_process_io_intr(ctrl_info, queue_group);
++ if (num_io_responses_handled < 0)
++ goto out;
+
+- if (irq == ctrl_info->event_irq)
+- num_responses_handled += pqi_process_event_intr(ctrl_info);
++ if (irq == ctrl_info->event_irq) {
++ num_events_handled = pqi_process_event_intr(ctrl_info);
++ if (num_events_handled < 0)
++ goto out;
++ } else {
++ num_events_handled = 0;
++ }
+
+- if (num_responses_handled)
++ if (num_io_responses_handled + num_events_handled > 0)
+ atomic_inc(&ctrl_info->num_interrupts);
+
+ pqi_start_io(ctrl_info, queue_group, RAID_PATH, NULL);
+ pqi_start_io(ctrl_info, queue_group, AIO_PATH, NULL);
+
++out:
+ return IRQ_HANDLED;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From b47397e6ac725a0163077c56cc8ac16dd2742743 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Sep 2020 15:59:57 +0300
+Subject: scsi: target: core: Add CONTROL field for trace events
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+[ Upstream commit 7010645ba7256992818b518163f46bd4cdf8002a ]
+
+trace-cmd report doesn't show events from target subsystem because
+scsi_command_size() leaks through event format string:
+
+ [target:target_sequencer_start] function scsi_command_size not defined
+ [target:target_cmd_complete] function scsi_command_size not defined
+
+Addition of scsi_command_size() to plugin_scsi.c in trace-cmd doesn't
+help because an expression is used inside TP_printk(). trace-cmd event
+parser doesn't understand minus sign inside [ ]:
+
+ Error: expected ']' but read '-'
+
+Rather than duplicating kernel code in plugin_scsi.c, provide a dedicated
+field for CONTROL byte.
+
+Link: https://lore.kernel.org/r/20200929125957.83069-1-r.bolshakov@yadro.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/scsi/scsi_common.h | 7 +++++++
+ include/trace/events/target.h | 12 ++++++------
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/include/scsi/scsi_common.h b/include/scsi/scsi_common.h
+index 731ac09ed2313..5b567b43e1b16 100644
+--- a/include/scsi/scsi_common.h
++++ b/include/scsi/scsi_common.h
+@@ -25,6 +25,13 @@ scsi_command_size(const unsigned char *cmnd)
+ scsi_varlen_cdb_length(cmnd) : COMMAND_SIZE(cmnd[0]);
+ }
+
++static inline unsigned char
++scsi_command_control(const unsigned char *cmnd)
++{
++ return (cmnd[0] == VARIABLE_LENGTH_CMD) ?
++ cmnd[1] : cmnd[COMMAND_SIZE(cmnd[0]) - 1];
++}
++
+ /* Returns a human-readable name for the device */
+ extern const char *scsi_device_type(unsigned type);
+
+diff --git a/include/trace/events/target.h b/include/trace/events/target.h
+index 914a872dd3435..e87a3716b0ac9 100644
+--- a/include/trace/events/target.h
++++ b/include/trace/events/target.h
+@@ -140,6 +140,7 @@ TRACE_EVENT(target_sequencer_start,
+ __field( unsigned int, opcode )
+ __field( unsigned int, data_length )
+ __field( unsigned int, task_attribute )
++ __field( unsigned char, control )
+ __array( unsigned char, cdb, TCM_MAX_COMMAND_SIZE )
+ __string( initiator, cmd->se_sess->se_node_acl->initiatorname )
+ ),
+@@ -149,6 +150,7 @@ TRACE_EVENT(target_sequencer_start,
+ __entry->opcode = cmd->t_task_cdb[0];
+ __entry->data_length = cmd->data_length;
+ __entry->task_attribute = cmd->sam_task_attr;
++ __entry->control = scsi_command_control(cmd->t_task_cdb);
+ memcpy(__entry->cdb, cmd->t_task_cdb, TCM_MAX_COMMAND_SIZE);
+ __assign_str(initiator, cmd->se_sess->se_node_acl->initiatorname);
+ ),
+@@ -158,9 +160,7 @@ TRACE_EVENT(target_sequencer_start,
+ show_opcode_name(__entry->opcode),
+ __entry->data_length, __print_hex(__entry->cdb, 16),
+ show_task_attribute_name(__entry->task_attribute),
+- scsi_command_size(__entry->cdb) <= 16 ?
+- __entry->cdb[scsi_command_size(__entry->cdb) - 1] :
+- __entry->cdb[1]
++ __entry->control
+ )
+ );
+
+@@ -175,6 +175,7 @@ TRACE_EVENT(target_cmd_complete,
+ __field( unsigned int, opcode )
+ __field( unsigned int, data_length )
+ __field( unsigned int, task_attribute )
++ __field( unsigned char, control )
+ __field( unsigned char, scsi_status )
+ __field( unsigned char, sense_length )
+ __array( unsigned char, cdb, TCM_MAX_COMMAND_SIZE )
+@@ -187,6 +188,7 @@ TRACE_EVENT(target_cmd_complete,
+ __entry->opcode = cmd->t_task_cdb[0];
+ __entry->data_length = cmd->data_length;
+ __entry->task_attribute = cmd->sam_task_attr;
++ __entry->control = scsi_command_control(cmd->t_task_cdb);
+ __entry->scsi_status = cmd->scsi_status;
+ __entry->sense_length = cmd->scsi_status == SAM_STAT_CHECK_CONDITION ?
+ min(18, ((u8 *) cmd->sense_buffer)[SPC_ADD_SENSE_LEN_OFFSET] + 8) : 0;
+@@ -203,9 +205,7 @@ TRACE_EVENT(target_cmd_complete,
+ show_opcode_name(__entry->opcode),
+ __entry->data_length, __print_hex(__entry->cdb, 16),
+ show_task_attribute_name(__entry->task_attribute),
+- scsi_command_size(__entry->cdb) <= 16 ?
+- __entry->cdb[scsi_command_size(__entry->cdb) - 1] :
+- __entry->cdb[1]
++ __entry->control
+ )
+ );
+
+--
+2.25.1
+
--- /dev/null
+From 5f5910bbe4484b4db0b87c03873ba6d6fbe7f0cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Sep 2020 17:19:20 -0700
+Subject: scsi: target: tcmu: Fix warning: 'page' may be used uninitialized
+
+From: John Donnelly <john.p.donnelly@oracle.com>
+
+[ Upstream commit 61741d8699e1fc764a309ebd20211bb1cb193110 ]
+
+Corrects drivers/target/target_core_user.c:688:6: warning: 'page' may be
+used uninitialized.
+
+Link: https://lore.kernel.org/r/20200924001920.43594-1-john.p.donnelly@oracle.com
+Fixes: 3c58f737231e ("scsi: target: tcmu: Optimize use of flush_dcache_page")
+Cc: Mike Christie <michael.christie@oracle.com>
+Acked-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: John Donnelly <john.p.donnelly@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
+index ea925b102b322..d6634baebb474 100644
+--- a/drivers/target/target_core_user.c
++++ b/drivers/target/target_core_user.c
+@@ -669,7 +669,7 @@ static void scatter_data_area(struct tcmu_dev *udev,
+ void *from, *to = NULL;
+ size_t copy_bytes, to_offset, offset;
+ struct scatterlist *sg;
+- struct page *page;
++ struct page *page = NULL;
+
+ for_each_sg(data_sg, sg, data_nents, i) {
+ int sg_remaining = sg->length;
+--
+2.25.1
+
--- /dev/null
+From 3d74887a96b5545f65d281106259b96335f59233 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Aug 2020 05:15:48 -0700
+Subject: scsi: ufs: ufs-qcom: Fix race conditions caused by
+ ufs_qcom_testbus_config()
+
+From: Can Guo <cang@codeaurora.org>
+
+[ Upstream commit 89dd87acd40a44de8ff3358138aedf8f73f4efc6 ]
+
+If ufs_qcom_dump_dbg_regs() calls ufs_qcom_testbus_config() from
+ufshcd_suspend/resume and/or clk gate/ungate context, pm_runtime_get_sync()
+and ufshcd_hold() will cause a race condition. Fix this by removing the
+unnecessary calls of pm_runtime_get_sync() and ufshcd_hold().
+
+Link: https://lore.kernel.org/r/1596975355-39813-3-git-send-email-cang@codeaurora.org
+Reviewed-by: Hongwu Su <hongwus@codeaurora.org>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Reviewed-by: Asutosh Das <asutoshd@codeaurora.org>
+Signed-off-by: Can Guo <cang@codeaurora.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufs-qcom.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufs-qcom.c b/drivers/scsi/ufs/ufs-qcom.c
+index c49e9f6c46f87..4f066e3b19af1 100644
+--- a/drivers/scsi/ufs/ufs-qcom.c
++++ b/drivers/scsi/ufs/ufs-qcom.c
+@@ -1492,9 +1492,6 @@ int ufs_qcom_testbus_config(struct ufs_qcom_host *host)
+ */
+ }
+ mask <<= offset;
+-
+- pm_runtime_get_sync(host->hba->dev);
+- ufshcd_hold(host->hba, false);
+ ufshcd_rmwl(host->hba, TEST_BUS_SEL,
+ (u32)host->testbus.select_major << 19,
+ REG_UFS_CFG1);
+@@ -1507,8 +1504,6 @@ int ufs_qcom_testbus_config(struct ufs_qcom_host *host)
+ * committed before returning.
+ */
+ mb();
+- ufshcd_release(host->hba);
+- pm_runtime_put_sync(host->hba->dev);
+
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From 8964a64847a8a3efdcaa04b220f64a1214544ff1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Sep 2020 10:15:42 -0700
+Subject: selftests/bpf: Fix test_sysctl_loop{1, 2} failure due to clang change
+
+From: Yonghong Song <yhs@fb.com>
+
+[ Upstream commit 7fb5eefd76394cfefb380724a87ca40b47d44405 ]
+
+Andrii reported that with latest clang, when building selftests, we have
+error likes:
+ error: progs/test_sysctl_loop1.c:23:16: in function sysctl_tcp_mem i32 (%struct.bpf_sysctl*):
+ Looks like the BPF stack limit of 512 bytes is exceeded.
+ Please move large on stack variables into BPF per-cpu array map.
+
+The error is triggered by the following LLVM patch:
+ https://reviews.llvm.org/D87134
+
+For example, the following code is from test_sysctl_loop1.c:
+ static __always_inline int is_tcp_mem(struct bpf_sysctl *ctx)
+ {
+ volatile char tcp_mem_name[] = "net/ipv4/tcp_mem/very_very_very_very_long_pointless_string";
+ ...
+ }
+Without the above LLVM patch, the compiler did optimization to load the string
+(59 bytes long) with 7 64bit loads, 1 8bit load and 1 16bit load,
+occupying 64 byte stack size.
+
+With the above LLVM patch, the compiler only uses 8bit loads, but subregister is 32bit.
+So stack requirements become 4 * 59 = 236 bytes. Together with other stuff on
+the stack, total stack size exceeds 512 bytes, hence compiler complains and quits.
+
+To fix the issue, removing "volatile" key word or changing "volatile" to
+"const"/"static const" does not work, the string is put in .rodata.str1.1 section,
+which libbpf did not process it and errors out with
+ libbpf: elf: skipping unrecognized data section(6) .rodata.str1.1
+ libbpf: prog 'sysctl_tcp_mem': bad map relo against '.L__const.is_tcp_mem.tcp_mem_name'
+ in section '.rodata.str1.1'
+
+Defining the string const as global variable can fix the issue as it puts the string constant
+in '.rodata' section which is recognized by libbpf. In the future, when libbpf can process
+'.rodata.str*.*' properly, the global definition can be changed back to local definition.
+
+Defining tcp_mem_name as a global, however, triggered a verifier failure.
+ ./test_progs -n 7/21
+ libbpf: load bpf program failed: Permission denied
+ libbpf: -- BEGIN DUMP LOG ---
+ libbpf:
+ invalid stack off=0 size=1
+ verification time 6975 usec
+ stack depth 160+64
+ processed 889 insns (limit 1000000) max_states_per_insn 4 total_states
+ 14 peak_states 14 mark_read 10
+
+ libbpf: -- END LOG --
+ libbpf: failed to load program 'sysctl_tcp_mem'
+ libbpf: failed to load object 'test_sysctl_loop2.o'
+ test_bpf_verif_scale:FAIL:114
+ #7/21 test_sysctl_loop2.o:FAIL
+This actually exposed a bpf program bug. In test_sysctl_loop{1,2}, we have code
+like
+ const char tcp_mem_name[] = "<...long string...>";
+ ...
+ char name[64];
+ ...
+ for (i = 0; i < sizeof(tcp_mem_name); ++i)
+ if (name[i] != tcp_mem_name[i])
+ return 0;
+In the above code, if sizeof(tcp_mem_name) > 64, name[i] access may be
+out of bound. The sizeof(tcp_mem_name) is 59 for test_sysctl_loop1.c and
+79 for test_sysctl_loop2.c.
+
+Without promotion-to-global change, old compiler generates code where
+the overflowed stack access is actually filled with valid value, so hiding
+the bpf program bug. With promotion-to-global change, the code is different,
+more specifically, the previous loading constants to stack is gone, and
+"name" occupies stack[-64:0] and overflow access triggers a verifier error.
+To fix the issue, adjust "name" buffer size properly.
+
+Reported-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Andrii Nakryiko <andriin@fb.com>
+Link: https://lore.kernel.org/bpf/20200909171542.3673449-1-yhs@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/progs/test_sysctl_loop1.c | 4 ++--
+ tools/testing/selftests/bpf/progs/test_sysctl_loop2.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/progs/test_sysctl_loop1.c b/tools/testing/selftests/bpf/progs/test_sysctl_loop1.c
+index d22e438198cf7..9af8822ece477 100644
+--- a/tools/testing/selftests/bpf/progs/test_sysctl_loop1.c
++++ b/tools/testing/selftests/bpf/progs/test_sysctl_loop1.c
+@@ -18,11 +18,11 @@
+ #define MAX_ULONG_STR_LEN 7
+ #define MAX_VALUE_STR_LEN (TCP_MEM_LOOPS * MAX_ULONG_STR_LEN)
+
++const char tcp_mem_name[] = "net/ipv4/tcp_mem/very_very_very_very_long_pointless_string";
+ static __always_inline int is_tcp_mem(struct bpf_sysctl *ctx)
+ {
+- volatile char tcp_mem_name[] = "net/ipv4/tcp_mem/very_very_very_very_long_pointless_string";
+ unsigned char i;
+- char name[64];
++ char name[sizeof(tcp_mem_name)];
+ int ret;
+
+ memset(name, 0, sizeof(name));
+diff --git a/tools/testing/selftests/bpf/progs/test_sysctl_loop2.c b/tools/testing/selftests/bpf/progs/test_sysctl_loop2.c
+index cb201cbe11e77..55251046c9b73 100644
+--- a/tools/testing/selftests/bpf/progs/test_sysctl_loop2.c
++++ b/tools/testing/selftests/bpf/progs/test_sysctl_loop2.c
+@@ -18,11 +18,11 @@
+ #define MAX_ULONG_STR_LEN 7
+ #define MAX_VALUE_STR_LEN (TCP_MEM_LOOPS * MAX_ULONG_STR_LEN)
+
++const char tcp_mem_name[] = "net/ipv4/tcp_mem/very_very_very_very_long_pointless_string_to_stress_byte_loop";
+ static __attribute__((noinline)) int is_tcp_mem(struct bpf_sysctl *ctx)
+ {
+- volatile char tcp_mem_name[] = "net/ipv4/tcp_mem/very_very_very_very_long_pointless_string_to_stress_byte_loop";
+ unsigned char i;
+- char name[64];
++ char name[sizeof(tcp_mem_name)];
+ int ret;
+
+ memset(name, 0, sizeof(name));
+--
+2.25.1
+
--- /dev/null
+From ef1648721732675af1d7385855af2d39a6b7cb4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Oct 2020 09:17:56 -0500
+Subject: selftests/ftrace: Change synthetic event name for
+ inter-event-combined test
+
+From: Tom Zanussi <zanussi@kernel.org>
+
+[ Upstream commit 96378b2088faea68f1fb05ea6b9a566fc569a44c ]
+
+This test uses waking+wakeup_latency as an event name, which doesn't
+make sense since it includes an operator. Illegal names are now
+detected by the synthetic event command parsing, which causes this
+test to fail. Change the name to 'waking_plus_wakeup_latency' to
+prevent this.
+
+Link: https://lkml.kernel.org/r/a1ee2f76ff28ef7166fb788ca8be968887808920.1602598160.git.zanussi@kernel.org
+
+Fixes: f06eec4d0f2c (selftests: ftrace: Add inter-event hist triggers testcases)
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Tested-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Tom Zanussi <zanussi@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../inter-event/trigger-inter-event-combined-hist.tc | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-inter-event-combined-hist.tc b/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-inter-event-combined-hist.tc
+index f3eb8aacec0e7..a2b0e4eb1fe4c 100644
+--- a/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-inter-event-combined-hist.tc
++++ b/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-inter-event-combined-hist.tc
+@@ -34,12 +34,12 @@ echo 'wakeup_latency u64 lat pid_t pid' >> synthetic_events
+ echo 'hist:keys=pid:ts1=common_timestamp.usecs if comm=="ping"' >> events/sched/sched_wakeup/trigger
+ echo 'hist:keys=next_pid:wakeup_lat=common_timestamp.usecs-$ts1:onmatch(sched.sched_wakeup).wakeup_latency($wakeup_lat,next_pid) if next_comm=="ping"' > events/sched/sched_switch/trigger
+
+-echo 'waking+wakeup_latency u64 lat; pid_t pid' >> synthetic_events
+-echo 'hist:keys=pid,lat:sort=pid,lat:ww_lat=$waking_lat+$wakeup_lat:onmatch(synthetic.wakeup_latency).waking+wakeup_latency($ww_lat,pid)' >> events/synthetic/wakeup_latency/trigger
+-echo 'hist:keys=pid,lat:sort=pid,lat' >> events/synthetic/waking+wakeup_latency/trigger
++echo 'waking_plus_wakeup_latency u64 lat; pid_t pid' >> synthetic_events
++echo 'hist:keys=pid,lat:sort=pid,lat:ww_lat=$waking_lat+$wakeup_lat:onmatch(synthetic.wakeup_latency).waking_plus_wakeup_latency($ww_lat,pid)' >> events/synthetic/wakeup_latency/trigger
++echo 'hist:keys=pid,lat:sort=pid,lat' >> events/synthetic/waking_plus_wakeup_latency/trigger
+
+ ping $LOCALHOST -c 3
+-if ! grep -q "pid:" events/synthetic/waking+wakeup_latency/hist; then
++if ! grep -q "pid:" events/synthetic/waking_plus_wakeup_latency/hist; then
+ fail "Failed to create combined histogram"
+ fi
+
+--
+2.25.1
+
--- /dev/null
+From a22b09221f0dcb6745b94b9ba17792c5ef8f3df3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Oct 2020 13:47:11 +1100
+Subject: selftests/powerpc: Fix eeh-basic.sh exit codes
+
+From: Oliver O'Halloran <oohall@gmail.com>
+
+[ Upstream commit 996f9e0f93f16211945c8d5f18f296a88cb32f91 ]
+
+The kselftests test running infrastructure expects tests to finish with an
+exit code of 4 if the test decided it should be skipped. Currently
+eeh-basic.sh exits with the number of devices that failed to recover, so if
+four devices didn't recover we'll report a skip instead of a fail.
+
+Fix this by checking if the return code is non-zero and report success
+and failure by returning 0 or 1 respectively. For the cases where should
+actually skip return 4.
+
+Fixes: 85d86c8aa52e ("selftests/powerpc: Add basic EEH selftest")
+Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20201014024711.1138386-1-oohall@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/powerpc/eeh/eeh-basic.sh | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/powerpc/eeh/eeh-basic.sh b/tools/testing/selftests/powerpc/eeh/eeh-basic.sh
+index f988d2f42e8f2..cf001a2c69420 100755
+--- a/tools/testing/selftests/powerpc/eeh/eeh-basic.sh
++++ b/tools/testing/selftests/powerpc/eeh/eeh-basic.sh
+@@ -1,17 +1,19 @@
+ #!/bin/sh
+ # SPDX-License-Identifier: GPL-2.0-only
+
++KSELFTESTS_SKIP=4
++
+ . ./eeh-functions.sh
+
+ if ! eeh_supported ; then
+ echo "EEH not supported on this system, skipping"
+- exit 0;
++ exit $KSELFTESTS_SKIP;
+ fi
+
+ if [ ! -e "/sys/kernel/debug/powerpc/eeh_dev_check" ] && \
+ [ ! -e "/sys/kernel/debug/powerpc/eeh_dev_break" ] ; then
+ echo "debugfs EEH testing files are missing. Is debugfs mounted?"
+- exit 1;
++ exit $KSELFTESTS_SKIP;
+ fi
+
+ pre_lspci=`mktemp`
+@@ -79,4 +81,5 @@ echo "$failed devices failed to recover ($dev_count tested)"
+ lspci | diff -u $pre_lspci -
+ rm -f $pre_lspci
+
+-exit $failed
++test "$failed" == 0
++exit $?
+--
+2.25.1
+
ima-don-t-ignore-errors-from-crypto_shash_update.patch
crypto-algif_aead-do-not-set-may_backlog-on-the-async-path.patch
crypto-caam-qi-add-fallback-for-xts-with-more-than-8b-iv.patch
+edac-i5100-fix-error-handling-order-in-i5100_init_on.patch
+edac-aspeed-fix-handling-of-platform_get_irq-error.patch
+edac-ti-fix-handling-of-platform_get_irq-error.patch
+perf-x86-intel-ds-fix-x86_pmu_stop-warning-for-large.patch
+x86-fpu-allow-multiple-bits-in-clearcpuid-parameter.patch
+drivers-perf-xgene_pmu-fix-uninitialized-resource-st.patch
+drivers-perf-thunderx2_pmu-fix-memory-resource-error.patch
+sched-fair-fix-wrong-cpu-selecting-from-isolated-dom.patch
+perf-x86-intel-uncore-update-ice-lake-uncore-units.patch
+perf-x86-intel-uncore-reduce-the-number-of-cbox-coun.patch
+x86-nmi-fix-nmi_handle-duration-miscalculation.patch
+x86-events-amd-iommu-fix-sizeof-mismatch.patch
+crypto-algif_skcipher-ebusy-on-aio-should-be-an-erro.patch
+crypto-mediatek-fix-wrong-return-value-in-mtk_desc_r.patch
+crypto-ixp4xx-fix-the-size-used-in-a-dma_free_cohere.patch
+crypto-picoxcell-fix-potential-race-condition-bug.patch
+media-tuner-simple-fix-regression-in-simple_set_radi.patch
+media-revert-media-exynos4-is-add-missed-check-for-p.patch
+media-ov5640-correct-bit-div-register-in-clock-tree-.patch
+media-m5mols-check-function-pointer-in-m5mols_sensor.patch
+media-uvcvideo-set-media-controller-entity-functions.patch
+media-uvcvideo-silence-shift-out-of-bounds-warning.patch
+media-staging-intel-ipu3-css-correctly-reset-some-me.patch
+media-omap3isp-fix-memleak-in-isp_probe.patch
+media-i2c-ov5640-remain-in-power-down-for-dvp-mode-u.patch
+media-i2c-ov5640-separate-out-mipi-configuration-fro.patch
+media-i2c-ov5640-enable-data-pins-on-poweron-for-dvp.patch
+media-rcar_drif-fix-fwnode-reference-leak-when-parsi.patch
+media-rcar_drif-allocate-v4l2_async_subdev-dynamical.patch
+media-rcar-csi2-allocate-v4l2_async_subdev-dynamical.patch
+crypto-omap-sham-fix-digcnt-register-handling-with-e.patch
+hwmon-pmbus-max34440-fix-status-register-reads-for-m.patch
+cypto-mediatek-fix-leaks-in-mtk_desc_ring_alloc.patch
+media-mx2_emmaprp-fix-memleak-in-emmaprp_probe.patch
+media-tc358743-initialize-variable.patch
+media-tc358743-cleanup-tc358743_cec_isr.patch
+media-rcar-vin-fix-a-reference-count-leak.patch
+media-rockchip-rga-fix-a-reference-count-leak.patch
+media-platform-fcp-fix-a-reference-count-leak.patch
+media-camss-fix-a-reference-count-leak.patch
+media-s5p-mfc-fix-a-reference-count-leak.patch
+media-stm32-dcmi-fix-a-reference-count-leak.patch
+media-ti-vpe-fix-a-missing-check-and-reference-count.patch
+regulator-resolve-supply-after-creating-regulator.patch
+pinctrl-bcm-fix-kconfig-dependency-warning-when-gpio.patch
+spi-spi-s3c64xx-swap-s3c64xx_spi_set_cs-and-s3c64xx_.patch
+spi-spi-s3c64xx-check-return-values.patch
+blk-mq-move-cancel-of-hctx-run_work-to-the-front-of-.patch
+ath10k-provide-survey-info-as-accumulated-data.patch
+drm-vkms-fix-xrgb-on-compute-crc.patch
+bluetooth-hci_uart-cancel-init-work-before-unregiste.patch
+drm-amd-display-fix-wrong-return-value-in-dm_update_.patch
+drm-panel-fix-bus-format-for-ortustech-com43h4m85ulc.patch
+ath6kl-prevent-potential-array-overflow-in-ath6kl_ad.patch
+ath9k-fix-potential-out-of-bounds-in-ath9k_htc_txcom.patch
+ath10k-fix-the-size-used-in-a-dma_free_coherent-call.patch
+wcn36xx-fix-reported-802.11n-rx_highest-rate-wcn3660.patch
+asoc-qcom-lpass-platform-fix-memory-leak.patch
+asoc-qcom-lpass-cpu-fix-concurrency-issue.patch
+brcmfmac-check-ndev-pointer.patch
+mwifiex-do-not-use-gfp_kernel-in-atomic-context.patch
+staging-rtl8192u-do-not-use-gfp_kernel-in-atomic-con.patch
+drm-gma500-fix-error-check.patch
+scsi-qla4xxx-fix-an-error-handling-path-in-qla4xxx_g.patch
+scsi-qla2xxx-fix-wrong-return-value-in-qlt_chk_unres.patch
+scsi-qla2xxx-fix-wrong-return-value-in-qla_nvme_regi.patch
+scsi-csiostor-fix-wrong-return-value-in-csio_hw_prep.patch
+drm-radeon-prefer-lower-feedback-dividers.patch
+backlight-sky81452-backlight-fix-refcount-imbalance-.patch
+staging-emxx_udc-fix-passing-of-null-to-dma_alloc_co.patch
+vmci-check-return-value-of-get_user_pages_fast-for-e.patch
+mm-error_inject-fix-allow_error_inject-function-sign.patch
+drm-panel-fix-bpc-for-ortustech-com43h4m85ulc-panel.patch
+drm-crc-debugfs-fix-memleak-in-crc_control_write.patch
+binder-remove-bogus-warning-on-failed-same-process-t.patch
+tty-serial-earlycon-dependency.patch
+tty-hvcs-don-t-null-tty-driver_data-until-hvcs_clean.patch
+pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch
+pwm-lpss-fix-off-by-one-error-in-base_unit-math-in-p.patch
+pwm-lpss-add-range-limit-check-for-the-base_unit-reg.patch
+drivers-virt-fsl_hypervisor-fix-error-handling-path.patch
+video-fbdev-vga16fb-fix-setting-of-pixclock-because-.patch
+video-fbdev-sis-fix-null-ptr-dereference.patch
+video-fbdev-radeon-fix-memleak-in-radeonfb_pci_regis.patch
+asoc-fsl-imx-es8328-add-missing-put_device-call-in-i.patch
+hid-roccat-add-bounds-checking-in-kone_sysfs_write_s.patch
+drm-msm-avoid-div-by-zero-in-dpu_crtc_atomic_check.patch
+drm-panfrost-ensure-gpu-quirks-are-always-initialise.patch
+iomap-clear-page-error-before-beginning-a-write.patch
+pinctrl-mcp23s08-fix-mcp23x17_regmap-initialiser.patch
+pinctrl-mcp23s08-fix-mcp23x17-precious-range.patch
+net-mlx5-don-t-call-timecounter-cyc2time-directly-fr.patch
+scsi-mpt3sas-fix-sync-irqs.patch
+net-stmmac-use-netif_tx_start-stop_all_queues-functi.patch
+cpufreq-armada-37xx-add-missing-module_device_table.patch
+drm-mxsfb-check-framebuffer-pitch.patch
+coresight-etm4x-handle-unreachable-sink-in-perf-mode.patch
+xhci-don-t-create-endpoint-debugfs-entry-before-ring.patch
+net-dsa-rtl8366-check-validity-of-passed-vlans.patch
+net-dsa-rtl8366-refactor-vlan-pvid-init.patch
+net-dsa-rtl8366-skip-pvid-setting-if-not-requested.patch
+net-wilc1000-clean-up-resource-in-error-path-of-init.patch
+asoc-tlv320aic32x4-fix-bdiv-clock-rate-derivation.patch
+net-dsa-rtl8366rb-support-all-4096-vlans.patch
+spi-omap2-mcspi-improve-performance-waiting-for-chst.patch
+ath6kl-wmi-prevent-a-shift-wrapping-bug-in-ath6kl_wm.patch
+dmaengine-dmatest-check-list-for-emptiness-before-ac.patch
+misc-mic-scif-fix-error-handling-path.patch
+alsa-seq-oss-avoid-mutex-lock-for-a-long-time-ioctl.patch
+usb-dwc2-fix-parameter-type-in-function-pointer-prot.patch
+quota-clear-padding-in-v2r1_mem2diskdqb.patch
+slimbus-core-check-get_addr-before-removing-laddr-id.patch
+slimbus-core-do-not-enter-to-clock-pause-mode-in-cor.patch
+slimbus-qcom-ngd-ctrl-disable-ngd-in-qmi-server-down.patch
+asoc-fsl_sai-instantiate-snd_soc_dai_driver.patch
+hid-hid-input-fix-stylus-battery-reporting.patch
+nvmem-core-fix-possibly-memleak-when-use-nvmem_cell_.patch
+nl80211-fix-obss-pd-min-and-max-offset-validation.patch
+coresight-etm-perf-fix-warning-caused-by-etm_setup_a.patch
+ibmvnic-set-up-200gbps-speed.patch
+qtnfmac-fix-resource-leaks-on-unsupported-iftype-err.patch
+iio-adc-stm32-adc-fix-runtime-autosuspend-delay-when.patch
+net-enic-cure-the-enic-api-locking-trainwreck.patch
+mfd-sm501-fix-leaks-in-probe.patch
+iwlwifi-mvm-split-a-print-to-avoid-a-warning-in-roc.patch
+usb-gadget-f_ncm-fix-ncm_bitrate-for-superspeed-and-.patch
+usb-gadget-u_ether-enable-qmult-on-superspeed-plus-a.patch
+nl80211-fix-non-split-wiphy-information.patch
+usb-dwc2-fix-intr-out-transfers-in-ddma-mode.patch
+scsi-target-tcmu-fix-warning-page-may-be-used-uninit.patch
+scsi-be2iscsi-fix-a-theoretical-leak-in-beiscsi_crea.patch
+ipmi_si-fix-wrong-return-value-in-try_smi_init.patch
+platform-x86-mlx-platform-remove-psu-eeprom-configur.patch
+mwifiex-fix-double-free.patch
+net-fec-fix-phy-init-after-phy_reset_after_clk_enabl.patch
+ipvs-clear-skb-tstamp-in-forwarding-path.patch
+net-korina-fix-kfree-of-rx-tx-descriptor-array.patch
+netfilter-nf_log-missing-vlan-offload-tag-and-proto.patch
+mm-swapfile.c-fix-potential-memory-leak-in-sys_swapo.patch
+mm-memcg-fix-device-private-memcg-accounting.patch
+mm-oom_adj-don-t-loop-through-tasks-in-__set_oom_adj.patch
+fs-fix-null-dereference-due-to-data-race-in-prepend_.patch
+selftests-ftrace-change-synthetic-event-name-for-int.patch
+i3c-master-add-i3c_master_attach_boardinfo-to-preser.patch
+ib-mlx4-fix-starvation-in-paravirt-mux-demux.patch
+ib-mlx4-adjust-delayed-work-when-a-dup-is-observed.patch
+powerpc-pseries-fix-missing-of_node_put-in-rng_init.patch
+powerpc-icp-hv-fix-missing-of_node_put-in-success-pa.patch
+rdma-ucma-fix-locking-for-ctx-events_reported.patch
+rdma-ucma-add-missing-locking-around-rdma_leave_mult.patch
+mtd-lpddr-fix-excessive-stack-usage-with-clang.patch
+rdma-hns-add-a-check-for-current-state-before-modify.patch
+rdma-umem-fix-signature-of-stub-ib_umem_find_best_pg.patch
+powerpc-pseries-explicitly-reschedule-during-drmem_l.patch
+pseries-drmem-don-t-cache-node-id-in-drmem_lmb-struc.patch
+rdma-mlx5-fix-potential-race-between-destroy-and-cqe.patch
+mtd-mtdoops-don-t-write-panic-data-twice.patch
+arm-9007-1-l2c-fix-prefetch-bits-init-in-l2x0_aux_ct.patch
+arc-plat-hsdk-fix-kconfig-dependency-warning-when-re.patch
+ida-free-allocated-bitmap-in-error-path.patch
+xfs-limit-entries-returned-when-counting-fsmap-recor.patch
+xfs-fix-deadlock-and-streamline-xfs_getfsmap-perform.patch
+xfs-fix-high-key-handling-in-the-rt-allocator-s-quer.patch
+rdma-umem-fix-ib_umem_find_best_pgsz-for-mappings-th.patch
+rdma-umem-prevent-small-pages-from-being-returned-by.patch
+rdma-efa-use-ib_umem_num_dma_pages.patch
+rdma-qedr-fix-qp-structure-memory-leak.patch
+rdma-qedr-fix-use-of-uninitialized-field.patch
+rdma-qedr-fix-return-code-if-accept-is-called-on-a-d.patch
+rdma-qedr-fix-inline-size-returned-for-iwarp.patch
+powerpc-book3s64-hash-4k-support-large-linear-mappin.patch
+powerpc-tau-use-appropriate-temperature-sample-inter.patch
+powerpc-tau-convert-from-timer-to-workqueue.patch
+powerpc-tau-remove-duplicated-set_thresholds-call.patch
+powerpc-tau-check-processor-type-before-enabling-tau.patch
+powerpc-tau-disable-tau-between-measurements.patch
+powerpc-64s-radix-fix-mm_cpumask-trimming-race-vs-kt.patch
+rdma-cma-remove-dead-code-for-kernel-rdmacm-multicas.patch
+rdma-cma-consolidate-the-destruction-of-a-cma_multic.patch
+perf-intel-pt-fix-context_switch-event-has-no-tid-er.patch
+rdma-hns-set-the-unsupported-wr-opcode.patch
+rdma-mlx5-disable-ib_device_mem_mgt_extensions-if-ib.patch
+i40iw-add-support-to-make-destroy-qp-synchronous.patch
+perf-stat-skip-duration_time-in-setup_system_wide.patch
+rdma-hns-fix-the-wrong-value-of-rnr_retry-when-query.patch
+rdma-hns-fix-missing-sq_sig_type-when-querying-qp.patch
+mtd-rawnand-vf610-disable-clk-on-error-handling-path.patch
+mtd-spinand-gigadevice-only-one-dummy-byte-in-quadio.patch
+mtd-spinand-gigadevice-add-qe-bit.patch
+kdb-fix-pager-search-for-multi-line-strings.patch
+overflow-include-header-file-with-size_max-declarati.patch
+rdma-ipoib-set-rtnl_link_ops-for-ipoib-interfaces.patch
+powerpc-perf-exclude-pmc5-6-from-the-irrelevant-pmu-.patch
+powerpc-perf-hv-gpci-fix-starting-index-value.patch
+i3c-master-fix-error-return-in-cdns_i3c_master_probe.patch
+cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch
+ib-rdmavt-fix-sizeof-mismatch.patch
+rdma-rxe-fix-skb-lifetime-in-rxe_rcv_mcast_pkt.patch
+maiblox-mediatek-fix-handling-of-platform_get_irq-er.patch
+selftests-powerpc-fix-eeh-basic.sh-exit-codes.patch
+f2fs-wait-for-sysfs-kobject-removal-before-freeing-f.patch
+rdma-rxe-handle-skb_clone-failure-in-rxe_recv.c.patch
+mm-page_owner-change-split_page_owner-to-take-a-coun.patch
+lib-crc32.c-fix-trivial-typo-in-preprocessor-conditi.patch
+ramfs-fix-nommu-mmap-with-gaps-in-the-page-cache.patch
+rapidio-fix-error-handling-path.patch
+rapidio-fix-the-missed-put_device-for-rio_mport_add_.patch
+mailbox-avoid-timer-start-from-callback.patch
+i2c-rcar-auto-select-reset_controller.patch
+clk-meson-g12a-mark-fclk_div2-as-critical.patch
+pci-aardvark-check-for-errors-from-pci_bridge_emul_i.patch
+pci-iproc-set-affinity-mask-on-msi-interrupts.patch
+rpmsg-smd-fix-a-kobj-leak-in-in-qcom_smd_parse_edge.patch
+pci-iov-mark-vfs-as-not-implementing-pci_command_mem.patch
+vfio-pci-decouple-pci_command_memory-bit-checks-from.patch
+clk-qcom-gcc-sdm660-fix-wrong-parent_map.patch
+clk-keystone-sci-clk-fix-parsing-assigned-clock-data.patch
+pwm-img-fix-null-pointer-access-in-probe.patch
+clk-rockchip-initialize-hw-to-error-to-avoid-undefin.patch
+clk-mediatek-add-uart0-clock-support.patch
+module-statically-initialize-init-section-freeing-da.patch
+clk-at91-clk-main-update-key-before-writing-at91_ckg.patch
+clk-bcm2835-add-missing-release-if-devm_clk_hw_regis.patch
+watchdog-fix-memleak-in-watchdog_cdev_register.patch
+watchdog-use-put_device-on-error.patch
+watchdog-sp5100-fix-definition-of-efch_pm_decodeen3.patch
+svcrdma-fix-bounce-buffers-for-unaligned-offsets-and.patch
+ext4-limit-entries-returned-when-counting-fsmap-reco.patch
+vfio-pci-clear-token-on-bypass-registration-failure.patch
+vfio-iommu-type1-fix-memory-leak-in-vfio_iommu_type1.patch
+clk-imx8mq-fix-usdhc-parents-order.patch
+sunrpc-fix-copying-of-multiple-pages-in-gss_read_pro.patch
+input-imx6ul_tsc-clean-up-some-errors-in-imx6ul_tsc_.patch
+input-stmfts-fix-a-vs-typo.patch
+input-ep93xx_keypad-fix-handling-of-platform_get_irq.patch
+input-omap4-keypad-fix-handling-of-platform_get_irq-.patch
+input-twl4030_keypad-fix-handling-of-platform_get_ir.patch
+input-sun4i-ps2-fix-handling-of-platform_get_irq-err.patch
+kvm-x86-emulating-rdpid-failure-shall-return-ud-rath.patch
+scsi-bfa-fix-error-return-in-bfad_pci_init.patch
+netfilter-conntrack-connection-timeout-after-re-regi.patch
+netfilter-ebtables-fixes-dropping-of-small-packets-i.patch
+netfilter-nf_fwd_netdev-clear-timestamp-in-forwardin.patch
+arm64-dts-meson-vim3-correct-led-polarity.patch
+arm-dts-imx6sl-fix-rng-node.patch
+arm-at91-pm-of_node_put-after-its-usage.patch
+arm-s3c24xx-fix-mmc-gpio-lookup-tables.patch
+arm-dts-sun8i-r40-bananapi-m2-ultra-fix-dcdc1-regula.patch
+arm64-dts-allwinner-h5-remove-mali-gpu-pmu-module.patch
+memory-omap-gpmc-fix-a-couple-off-by-ones.patch
+memory-omap-gpmc-fix-build-error-without-config_of.patch
+memory-fsl-corenet-cf-fix-handling-of-platform_get_i.patch
+arm64-dts-imx8mq-add-missing-interrupts-to-gpc.patch
+arm64-dts-qcom-msm8916-remove-one-more-thermal-trip-.patch
+arm64-dts-qcom-pm8916-remove-invalid-reg-size-from-w.patch
+arm64-dts-qcom-msm8916-fix-mdp-dsi-interrupts.patch
+arm64-dts-renesas-r8a77990-fix-msiof1-dma-channels.patch
+arm64-dts-renesas-r8a774c0-fix-msiof1-dma-channels.patch
+arm64-dts-actions-limit-address-range-for-pinctrl-no.patch
+arm-dts-owl-s500-fix-incorrect-ppi-interrupt-specifi.patch
+soc-fsl-qbman-fix-return-value-on-success.patch
+arm-omap2-restore-mpu-power-domain-if-cpu_cluster_pm.patch
+arm64-dts-zynqmp-remove-additional-compatible-string.patch
+arm-dts-meson8-remove-two-invalid-interrupt-lines-fr.patch
+lightnvm-fix-out-of-bounds-write-to-array-devices-in.patch
+powerpc-powernv-dump-fix-race-while-processing-opal-.patch
+powerpc-pseries-avoid-using-addr_to_pfn-in-real-mode.patch
+nvmet-fix-uninitialized-work-for-zero-kato.patch
+ntb-hw-amd-fix-an-issue-about-leak-system-resources.patch
+sched-features-fix-config_jump_label-case.patch
+perf-correct-snoopx-field-offset.patch
+i2c-core-restore-acpi_walk_dep_device_list-getting-c.patch
+md-bitmap-fix-memory-leak-of-temporary-bitmap.patch
+block-ratelimit-handle_bad_sector-message.patch
+crypto-ccp-fix-error-handling.patch
+x86-asm-replace-__force_order-with-a-memory-clobber.patch
+x86-mce-add-skylake-quirk-for-patrol-scrub-reported-.patch
+media-firewire-fix-memory-leak.patch
+media-ati_remote-sanity-check-for-both-endpoints.patch
+media-st-delta-fix-reference-count-leak-in-delta_run.patch
+media-sti-fix-reference-count-leaks.patch
+media-exynos4-is-fix-several-reference-count-leaks-d.patch
+media-exynos4-is-fix-a-reference-count-leak-due-to-p.patch
+media-exynos4-is-fix-a-reference-count-leak.patch
+media-vsp1-fix-runtime-pm-imbalance-on-error.patch
+media-platform-s3c-camif-fix-runtime-pm-imbalance-on.patch
+media-platform-sti-hva-fix-runtime-pm-imbalance-on-e.patch
+media-bdisp-fix-runtime-pm-imbalance-on-error.patch
+media-media-pci-prevent-memory-leak-in-bttv_probe.patch
+x86-mce-make-mce_rdmsrl-panic-on-an-inaccessible-msr.patch
+media-uvcvideo-ensure-all-probed-info-is-returned-to.patch
+mmc-sdio-check-for-cistpl_vers_1-buffer-size.patch
+media-saa7134-avoid-a-shift-overflow.patch
+media-venus-fixes-for-list-corruption.patch
+fs-dlm-fix-configfs-memory-leak.patch
+media-venus-core-fix-runtime-pm-imbalance-in-venus_p.patch
+ntfs-add-check-for-mft-record-size-in-superblock.patch
+ip_gre-set-dev-hard_header_len-and-dev-needed_headro.patch
+mac80211-handle-lack-of-sband-bitrates-in-rates.patch
+pm-hibernate-remove-the-bogus-call-to-get_gendisk-in.patch
+scsi-mvumi-fix-error-return-in-mvumi_io_attach.patch
+scsi-target-core-add-control-field-for-trace-events.patch
+mic-vop-copy-data-to-kernel-space-then-write-to-io-m.patch
+misc-vop-add-round_up-x-4-for-vring_size-to-avoid-ke.patch
+usb-dwc3-add-splitdisable-quirk-for-hisilicon-kirin-.patch
+usb-gadget-function-printer-fix-use-after-free-in-__.patch
+udf-limit-sparing-table-size.patch
+udf-avoid-accessing-uninitialized-data-on-failed-ino.patch
+rtw88-increse-the-size-of-rx-buffer-size.patch
+usb-cdc-acm-handle-broken-union-descriptors.patch
+usb-dwc3-simple-add-support-for-hikey-970.patch
+can-flexcan-flexcan_chip_stop-add-error-handling-and.patch
+ath9k-hif_usb-fix-race-condition-between-usb_get_urb.patch
+drm-panfrost-add-amlogic-reset-quirk-callback.patch
+bpf-limit-caller-s-stack-depth-256-for-subprogs-with.patch
+misc-rtsx-fix-memory-leak-in-rtsx_pci_probe.patch
+reiserfs-only-call-unlock_new_inode-if-i_new.patch
+opp-prevent-memory-leak-in-dev_pm_opp_attach_genpd.patch
+xfs-make-sure-the-rt-allocator-doesn-t-run-off-the-e.patch
+usb-ohci-default-to-per-port-over-current-protection.patch
+bluetooth-only-mark-socket-zapped-after-unlocking.patch
+drm-msm-a6xx-fix-a-potential-overflow-issue.patch
+iomap-fix-warn_on_once-from-unprivileged-users.patch
+scsi-ibmvfc-fix-error-return-in-ibmvfc_probe.patch
+scsi-qla2xxx-warn-if-done-or-free-are-called-on-an-a.patch
+selftests-bpf-fix-test_sysctl_loop-1-2-failure-due-t.patch
+brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch
+rtl8xxxu-prevent-potential-memory-leak.patch
+fix-use-after-free-in-get_capset_info-callback.patch
+hid-ite-add-usb-id-match-for-acer-one-s1003-keyboard.patch
+scsi-qedf-return-success-if-stale-rport-is-encounter.patch
+scsi-qedi-protect-active-command-list-to-avoid-list-.patch
+scsi-qedi-fix-list_del-corruption-while-removing-act.patch
+fbmem-add-margin-check-to-fb_check_caps.patch
+tty-ipwireless-fix-error-handling.patch
+bluetooth-btusb-fix-memleak-in-btusb_mtk_submit_wmt_.patch
+ipvs-fix-uninit-value-in-do_ip_vs_set_ctl.patch
+reiserfs-fix-memory-leak-in-reiserfs_parse_options.patch
+mwifiex-don-t-call-del_timer_sync-on-uninitialized-t.patch
+alsa-hda-ca0132-add-ae-7-microphone-selection-comman.patch
+alsa-hda-ca0132-add-new-quirk-id-for-soundblaster-ae.patch
+scsi-smartpqi-avoid-crashing-kernel-for-controller-i.patch
+brcm80211-fix-possible-memleak-in-brcmf_proto_msgbuf.patch
+usb-core-solve-race-condition-in-anchor-cleanup-func.patch
+scsi-ufs-ufs-qcom-fix-race-conditions-caused-by-ufs_.patch
+dmaengine-dw-add-dma-channels-mask-cell-support.patch
+dmaengine-dw-activate-fifo-mode-for-memory-periphera.patch
+ath10k-check-idx-validity-in-__ath10k_htt_rx_ring_fi.patch
--- /dev/null
+From db62c00597595c558ca3434da213a66be650e3f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 10:55:18 +0100
+Subject: slimbus: core: check get_addr before removing laddr ida
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit f97769fde678e111a1b7b165b380d8a3dfe54f4e ]
+
+logical address can be either assigned by the SLIMBus controller or the core.
+Core uses IDA in cases where get_addr callback is not provided by the
+controller.
+Core already has this check while allocating IDR, however during absence
+reporting this is not checked. This patch fixes this issue.
+
+Fixes: 46a2bb5a7f7e ("slimbus: core: Add slim controllers support")
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20200925095520.27316-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/slimbus/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/slimbus/core.c b/drivers/slimbus/core.c
+index 63ee96eb58c68..42a233fc5dc6c 100644
+--- a/drivers/slimbus/core.c
++++ b/drivers/slimbus/core.c
+@@ -327,8 +327,8 @@ void slim_report_absent(struct slim_device *sbdev)
+ mutex_lock(&ctrl->lock);
+ sbdev->is_laddr_valid = false;
+ mutex_unlock(&ctrl->lock);
+-
+- ida_simple_remove(&ctrl->laddr_ida, sbdev->laddr);
++ if (!ctrl->get_laddr)
++ ida_simple_remove(&ctrl->laddr_ida, sbdev->laddr);
+ slim_device_update_status(sbdev, SLIM_DEVICE_STATUS_DOWN);
+ }
+ EXPORT_SYMBOL_GPL(slim_report_absent);
+--
+2.25.1
+
--- /dev/null
+From 21a3057725ad1b34aa5abbb2f861547d2ea5d454 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 10:55:19 +0100
+Subject: slimbus: core: do not enter to clock pause mode in core
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit df2c471c4ae07e18a0396db670dca2ef867c5153 ]
+
+Let the controller logic decide when to enter into clock pause mode!
+Entering in to pause mode during unregistration does not really make
+sense as the controller is totally going down at that point in time.
+
+Fixes: 4b14e62ad3c9e ("slimbus: Add support for 'clock-pause' feature")
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20200925095520.27316-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/slimbus/core.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/slimbus/core.c b/drivers/slimbus/core.c
+index 42a233fc5dc6c..130c798921b5d 100644
+--- a/drivers/slimbus/core.c
++++ b/drivers/slimbus/core.c
+@@ -302,8 +302,6 @@ int slim_unregister_controller(struct slim_controller *ctrl)
+ {
+ /* Remove all clients */
+ device_for_each_child(ctrl->dev, NULL, slim_ctrl_remove_device);
+- /* Enter Clock Pause */
+- slim_ctrl_clk_pause(ctrl, false, 0);
+ ida_simple_remove(&ctrl_ida, ctrl->id);
+
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From 6fa4e9d0c2cc763d5e85af25490b94eea10344da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 10:55:20 +0100
+Subject: slimbus: qcom-ngd-ctrl: disable ngd in qmi server down callback
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit 709ec3f7fc5773ac4aa6fb22c3f0ac8103c674db ]
+
+In QMI new server notification we enable the NGD however during
+delete server notification we do not disable the NGD.
+
+This can lead to multiple instances of NGD being enabled, so make
+sure that we disable NGD in delete server callback to fix this issue!
+
+Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20200925095520.27316-4-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/slimbus/qcom-ngd-ctrl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/slimbus/qcom-ngd-ctrl.c b/drivers/slimbus/qcom-ngd-ctrl.c
+index 01a17d84b6064..ce265bf7de868 100644
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -1273,9 +1273,13 @@ static void qcom_slim_ngd_qmi_del_server(struct qmi_handle *hdl,
+ {
+ struct qcom_slim_ngd_qmi *qmi =
+ container_of(hdl, struct qcom_slim_ngd_qmi, svc_event_hdl);
++ struct qcom_slim_ngd_ctrl *ctrl =
++ container_of(qmi, struct qcom_slim_ngd_ctrl, qmi);
+
+ qmi->svc_info.sq_node = 0;
+ qmi->svc_info.sq_port = 0;
++
++ qcom_slim_ngd_enable(ctrl, false);
+ }
+
+ static struct qmi_ops qcom_slim_ngd_qmi_svc_event_ops = {
+--
+2.25.1
+
--- /dev/null
+From 726a2e353814e4917286f9b969f35d6fd5f74019 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Sep 2020 22:26:25 +0200
+Subject: soc: fsl: qbman: Fix return value on success
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 750cf40c0f7088f36a8a5d102e0488b1ac47faf5 ]
+
+On error the function was meant to return -ERRNO. This also fixes
+compile warning:
+
+ drivers/soc/fsl/qbman/bman.c:640:6: warning: variable 'err' set but not used [-Wunused-but-set-variable]
+
+Fixes: 0505d00c8dba ("soc/fsl/qbman: Cleanup buffer pools if BMan was initialized prior to bootup")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Li Yang <leoyang.li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/fsl/qbman/bman.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/fsl/qbman/bman.c b/drivers/soc/fsl/qbman/bman.c
+index f4fb527d83018..c5dd026fe889f 100644
+--- a/drivers/soc/fsl/qbman/bman.c
++++ b/drivers/soc/fsl/qbman/bman.c
+@@ -660,7 +660,7 @@ int bm_shutdown_pool(u32 bpid)
+ }
+ done:
+ put_affine_portal();
+- return 0;
++ return err;
+ }
+
+ struct gen_pool *bm_bpalloc;
+--
+2.25.1
+
--- /dev/null
+From 113fc336211185e7a7a8cc64872f64572ebd3b0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Sep 2020 17:56:24 +0530
+Subject: spi: omap2-mcspi: Improve performance waiting for CHSTAT
+
+From: Aswath Govindraju <a-govindraju@ti.com>
+
+[ Upstream commit 7b1d96813317358312440d0d07abbfbeb0ef8d22 ]
+
+This reverts commit 13d515c796 (spi: omap2-mcspi: Switch to
+readl_poll_timeout()).
+
+The amount of time spent polling for the MCSPI_CHSTAT bits to be set on
+AM335x-icev2 platform is less than 1us (about 0.6us) in most cases, with
+or without using DMA. So, in most cases the function need not sleep.
+Also, setting the sleep_usecs to zero would not be optimal here because
+ktime_add_us() used in readl_poll_timeout() is slower compared to the
+direct addition used after the revert. So, it is sub-optimal to use
+readl_poll_timeout in this case.
+
+When DMA is not enabled, this revert results in an increase of about 27%
+in throughput and decrease of about 20% in CPU usage. However, the CPU
+usage and throughput are almost the same when used with DMA.
+
+Therefore, fix this by reverting the commit which switched to using
+readl_poll_timeout().
+
+Fixes: 13d515c796ad ("spi: omap2-mcspi: Switch to readl_poll_timeout()")
+Signed-off-by: Aswath Govindraju <a-govindraju@ti.com>
+Link: https://lore.kernel.org/r/20200910122624.8769-1-a-govindraju@ti.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-omap2-mcspi.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/spi/spi-omap2-mcspi.c b/drivers/spi/spi-omap2-mcspi.c
+index 4433cb4de564e..7646b4b56bed9 100644
+--- a/drivers/spi/spi-omap2-mcspi.c
++++ b/drivers/spi/spi-omap2-mcspi.c
+@@ -24,7 +24,6 @@
+ #include <linux/of.h>
+ #include <linux/of_device.h>
+ #include <linux/gcd.h>
+-#include <linux/iopoll.h>
+
+ #include <linux/spi/spi.h>
+ #include <linux/gpio.h>
+@@ -348,9 +347,19 @@ static void omap2_mcspi_set_fifo(const struct spi_device *spi,
+
+ static int mcspi_wait_for_reg_bit(void __iomem *reg, unsigned long bit)
+ {
+- u32 val;
+-
+- return readl_poll_timeout(reg, val, val & bit, 1, MSEC_PER_SEC);
++ unsigned long timeout;
++
++ timeout = jiffies + msecs_to_jiffies(1000);
++ while (!(readl_relaxed(reg) & bit)) {
++ if (time_after(jiffies, timeout)) {
++ if (!(readl_relaxed(reg) & bit))
++ return -ETIMEDOUT;
++ else
++ return 0;
++ }
++ cpu_relax();
++ }
++ return 0;
+ }
+
+ static int mcspi_wait_for_completion(struct omap2_mcspi *mcspi,
+--
+2.25.1
+
--- /dev/null
+From 0a14aed7b36b34a76af1bdfb00610742c72922e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Oct 2020 14:22:37 +0200
+Subject: spi: spi-s3c64xx: Check return values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Łukasz Stelmach <l.stelmach@samsung.com>
+
+[ Upstream commit 2f4db6f705c5cba85d23836c19b44d9687dc1334 ]
+
+Check return values in prepare_dma() and s3c64xx_spi_config() and
+propagate errors upwards.
+
+Fixes: 788437273fa8 ("spi: s3c64xx: move to generic dmaengine API")
+Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
+Link: https://lore.kernel.org/r/20201002122243.26849-4-l.stelmach@samsung.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-s3c64xx.c | 50 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 41 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c
+index 322f75f89c713..1d948fee1a039 100644
+--- a/drivers/spi/spi-s3c64xx.c
++++ b/drivers/spi/spi-s3c64xx.c
+@@ -122,6 +122,7 @@
+
+ struct s3c64xx_spi_dma_data {
+ struct dma_chan *ch;
++ dma_cookie_t cookie;
+ enum dma_transfer_direction direction;
+ };
+
+@@ -264,12 +265,13 @@ static void s3c64xx_spi_dmacb(void *data)
+ spin_unlock_irqrestore(&sdd->lock, flags);
+ }
+
+-static void prepare_dma(struct s3c64xx_spi_dma_data *dma,
++static int prepare_dma(struct s3c64xx_spi_dma_data *dma,
+ struct sg_table *sgt)
+ {
+ struct s3c64xx_spi_driver_data *sdd;
+ struct dma_slave_config config;
+ struct dma_async_tx_descriptor *desc;
++ int ret;
+
+ memset(&config, 0, sizeof(config));
+
+@@ -293,12 +295,24 @@ static void prepare_dma(struct s3c64xx_spi_dma_data *dma,
+
+ desc = dmaengine_prep_slave_sg(dma->ch, sgt->sgl, sgt->nents,
+ dma->direction, DMA_PREP_INTERRUPT);
++ if (!desc) {
++ dev_err(&sdd->pdev->dev, "unable to prepare %s scatterlist",
++ dma->direction == DMA_DEV_TO_MEM ? "rx" : "tx");
++ return -ENOMEM;
++ }
+
+ desc->callback = s3c64xx_spi_dmacb;
+ desc->callback_param = dma;
+
+- dmaengine_submit(desc);
++ dma->cookie = dmaengine_submit(desc);
++ ret = dma_submit_error(dma->cookie);
++ if (ret) {
++ dev_err(&sdd->pdev->dev, "DMA submission failed");
++ return -EIO;
++ }
++
+ dma_async_issue_pending(dma->ch);
++ return 0;
+ }
+
+ static void s3c64xx_spi_set_cs(struct spi_device *spi, bool enable)
+@@ -348,11 +362,12 @@ static bool s3c64xx_spi_can_dma(struct spi_master *master,
+ return xfer->len > (FIFO_LVL_MASK(sdd) >> 1) + 1;
+ }
+
+-static void s3c64xx_enable_datapath(struct s3c64xx_spi_driver_data *sdd,
++static int s3c64xx_enable_datapath(struct s3c64xx_spi_driver_data *sdd,
+ struct spi_transfer *xfer, int dma_mode)
+ {
+ void __iomem *regs = sdd->regs;
+ u32 modecfg, chcfg;
++ int ret = 0;
+
+ modecfg = readl(regs + S3C64XX_SPI_MODE_CFG);
+ modecfg &= ~(S3C64XX_SPI_MODE_TXDMA_ON | S3C64XX_SPI_MODE_RXDMA_ON);
+@@ -378,7 +393,7 @@ static void s3c64xx_enable_datapath(struct s3c64xx_spi_driver_data *sdd,
+ chcfg |= S3C64XX_SPI_CH_TXCH_ON;
+ if (dma_mode) {
+ modecfg |= S3C64XX_SPI_MODE_TXDMA_ON;
+- prepare_dma(&sdd->tx_dma, &xfer->tx_sg);
++ ret = prepare_dma(&sdd->tx_dma, &xfer->tx_sg);
+ } else {
+ switch (sdd->cur_bpw) {
+ case 32:
+@@ -410,12 +425,17 @@ static void s3c64xx_enable_datapath(struct s3c64xx_spi_driver_data *sdd,
+ writel(((xfer->len * 8 / sdd->cur_bpw) & 0xffff)
+ | S3C64XX_SPI_PACKET_CNT_EN,
+ regs + S3C64XX_SPI_PACKET_CNT);
+- prepare_dma(&sdd->rx_dma, &xfer->rx_sg);
++ ret = prepare_dma(&sdd->rx_dma, &xfer->rx_sg);
+ }
+ }
+
++ if (ret)
++ return ret;
++
+ writel(modecfg, regs + S3C64XX_SPI_MODE_CFG);
+ writel(chcfg, regs + S3C64XX_SPI_CH_CFG);
++
++ return 0;
+ }
+
+ static u32 s3c64xx_spi_wait_for_timeout(struct s3c64xx_spi_driver_data *sdd,
+@@ -548,9 +568,10 @@ static int s3c64xx_wait_for_pio(struct s3c64xx_spi_driver_data *sdd,
+ return 0;
+ }
+
+-static void s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd)
++static int s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd)
+ {
+ void __iomem *regs = sdd->regs;
++ int ret;
+ u32 val;
+
+ /* Disable Clock */
+@@ -598,7 +619,9 @@ static void s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd)
+
+ if (sdd->port_conf->clk_from_cmu) {
+ /* The src_clk clock is divided internally by 2 */
+- clk_set_rate(sdd->src_clk, sdd->cur_speed * 2);
++ ret = clk_set_rate(sdd->src_clk, sdd->cur_speed * 2);
++ if (ret)
++ return ret;
+ } else {
+ /* Configure Clock */
+ val = readl(regs + S3C64XX_SPI_CLK_CFG);
+@@ -612,6 +635,8 @@ static void s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd)
+ val |= S3C64XX_SPI_ENCLK_ENABLE;
+ writel(val, regs + S3C64XX_SPI_CLK_CFG);
+ }
++
++ return 0;
+ }
+
+ #define XFER_DMAADDR_INVALID DMA_BIT_MASK(32)
+@@ -654,7 +679,9 @@ static int s3c64xx_spi_transfer_one(struct spi_master *master,
+ sdd->cur_bpw = bpw;
+ sdd->cur_speed = speed;
+ sdd->cur_mode = spi->mode;
+- s3c64xx_spi_config(sdd);
++ status = s3c64xx_spi_config(sdd);
++ if (status)
++ return status;
+ }
+
+ if (!is_polling(sdd) && (xfer->len > fifo_len) &&
+@@ -681,10 +708,15 @@ static int s3c64xx_spi_transfer_one(struct spi_master *master,
+ /* Start the signals */
+ s3c64xx_spi_set_cs(spi, true);
+
+- s3c64xx_enable_datapath(sdd, xfer, use_dma);
++ status = s3c64xx_enable_datapath(sdd, xfer, use_dma);
+
+ spin_unlock_irqrestore(&sdd->lock, flags);
+
++ if (status) {
++ dev_err(&spi->dev, "failed to enable data path for transfer: %d\n", status);
++ break;
++ }
++
+ if (use_dma)
+ status = s3c64xx_wait_for_dma(sdd, xfer);
+ else
+--
+2.25.1
+
--- /dev/null
+From f1b492083a8502f7a75c39ef03708562622f1c67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Oct 2020 14:22:35 +0200
+Subject: spi: spi-s3c64xx: swap s3c64xx_spi_set_cs() and
+ s3c64xx_enable_datapath()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Łukasz Stelmach <l.stelmach@samsung.com>
+
+[ Upstream commit 581e2b41977dfc2d4c26c8e976f89c43bb92f9bf ]
+
+Fix issues with DMA transfers bigger than 512 bytes on Exynos3250. Without
+the patches such transfers fail to complete. This solution to the problem
+is found in the vendor kernel for ARTIK5 boards based on Exynos3250.
+
+Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
+Link: https://lore.kernel.org/r/20201002122243.26849-2-l.stelmach@samsung.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-s3c64xx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c
+index 7b7151ec14c8a..322f75f89c713 100644
+--- a/drivers/spi/spi-s3c64xx.c
++++ b/drivers/spi/spi-s3c64xx.c
+@@ -678,11 +678,11 @@ static int s3c64xx_spi_transfer_one(struct spi_master *master,
+ sdd->state &= ~RXBUSY;
+ sdd->state &= ~TXBUSY;
+
+- s3c64xx_enable_datapath(sdd, xfer, use_dma);
+-
+ /* Start the signals */
+ s3c64xx_spi_set_cs(spi, true);
+
++ s3c64xx_enable_datapath(sdd, xfer, use_dma);
++
+ spin_unlock_irqrestore(&sdd->lock, flags);
+
+ if (use_dma)
+--
+2.25.1
+
--- /dev/null
+From 8e96598466fa239244e984475b8c62021a9ec129 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Aug 2020 10:19:28 +0100
+Subject: staging: emxx_udc: Fix passing of NULL to dma_alloc_coherent()
+
+From: Alex Dewar <alex.dewar90@gmail.com>
+
+[ Upstream commit cc34073c6248e9cec801bf690d1455f264d12357 ]
+
+In nbu2ss_eq_queue() memory is allocated with dma_alloc_coherent(),
+though, strangely, NULL is passed as the struct device* argument. Pass
+the UDC's device instead. Fix up the corresponding call to
+dma_free_coherent() in the same way.
+
+Build-tested on x86 only.
+
+Fixes: 33aa8d45a4fe ("staging: emxx_udc: Add Emma Mobile USB Gadget driver")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Alex Dewar <alex.dewar90@gmail.com>
+Link: https://lore.kernel.org/r/20200825091928.55794-1-alex.dewar90@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/emxx_udc/emxx_udc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/emxx_udc/emxx_udc.c b/drivers/staging/emxx_udc/emxx_udc.c
+index 147481bf680c3..a6c893ddbf280 100644
+--- a/drivers/staging/emxx_udc/emxx_udc.c
++++ b/drivers/staging/emxx_udc/emxx_udc.c
+@@ -2594,7 +2594,7 @@ static int nbu2ss_ep_queue(struct usb_ep *_ep,
+
+ if (req->unaligned) {
+ if (!ep->virt_buf)
+- ep->virt_buf = dma_alloc_coherent(NULL, PAGE_SIZE,
++ ep->virt_buf = dma_alloc_coherent(udc->dev, PAGE_SIZE,
+ &ep->phys_buf,
+ GFP_ATOMIC | GFP_DMA);
+ if (ep->epnum > 0) {
+@@ -3153,7 +3153,7 @@ static int nbu2ss_drv_remove(struct platform_device *pdev)
+ for (i = 0; i < NUM_ENDPOINTS; i++) {
+ ep = &udc->ep[i];
+ if (ep->virt_buf)
+- dma_free_coherent(NULL, PAGE_SIZE, (void *)ep->virt_buf,
++ dma_free_coherent(udc->dev, PAGE_SIZE, (void *)ep->virt_buf,
+ ep->phys_buf);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 04ca5c137198230cff6aae433536b90fb406cacc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 19:34:58 +0200
+Subject: staging: rtl8192u: Do not use GFP_KERNEL in atomic context
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit acac75bb451fd39344eb54fad6602dfc9482e970 ]
+
+'rtl8192_irq_rx_tasklet()' is a tasklet initialized in
+'rtl8192_init_priv_task()'.
+>From this function it is possible to allocate some memory with the
+GFP_KERNEL flag, which is not allowed in the atomic context of a tasklet.
+
+Use GFP_ATOMIC instead.
+
+The call chain is:
+ rtl8192_irq_rx_tasklet (in r8192U_core.c)
+ --> rtl8192_rx_nomal (in r8192U_core.c)
+ --> ieee80211_rx (in ieee80211/ieee80211_rx.c)
+ --> RxReorderIndicatePacket (in ieee80211/ieee80211_rx.c)
+
+Fixes: 79a5ccd97209 ("staging: rtl8192u: fix large frame size compiler warning")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/20200813173458.758284-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
+index 5c33bcb0db2ee..00e34c392a388 100644
+--- a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
++++ b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
+@@ -585,7 +585,7 @@ static void RxReorderIndicatePacket(struct ieee80211_device *ieee,
+
+ prxbIndicateArray = kmalloc_array(REORDER_WIN_SIZE,
+ sizeof(struct ieee80211_rxb *),
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ if (!prxbIndicateArray)
+ return;
+
+--
+2.25.1
+
--- /dev/null
+From 8b45b960531d92f83b4b18537ca8b4d3cfd2e266 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Oct 2020 13:42:27 +0200
+Subject: SUNRPC: fix copying of multiple pages in gss_read_proxy_verf()
+
+From: Martijn de Gouw <martijn.de.gouw@prodrive-technologies.com>
+
+[ Upstream commit d48c8124749c9a5081fe68680f83605e272c984b ]
+
+When the passed token is longer than 4032 bytes, the remaining part
+of the token must be copied from the rqstp->rq_arg.pages. But the
+copy must make sure it happens in a consecutive way.
+
+With the existing code, the first memcpy copies 'length' bytes from
+argv->iobase, but since the header is in front, this never fills the
+whole first page of in_token->pages.
+
+The mecpy in the loop copies the following bytes, but starts writing at
+the next page of in_token->pages. This leaves the last bytes of page 0
+unwritten.
+
+Symptoms were that users with many groups were not able to access NFS
+exports, when using Active Directory as the KDC.
+
+Signed-off-by: Martijn de Gouw <martijn.de.gouw@prodrive-technologies.com>
+Fixes: 5866efa8cbfb "SUNRPC: Fix svcauth_gss_proxy_init()"
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/auth_gss/svcauth_gss.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
+index 3645cd241d3ea..cf4d6d7e72822 100644
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -1095,9 +1095,9 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp,
+ struct gssp_in_token *in_token)
+ {
+ struct kvec *argv = &rqstp->rq_arg.head[0];
+- unsigned int page_base, length;
+- int pages, i, res;
+- size_t inlen;
++ unsigned int length, pgto_offs, pgfrom_offs;
++ int pages, i, res, pgto, pgfrom;
++ size_t inlen, to_offs, from_offs;
+
+ res = gss_read_common_verf(gc, argv, authp, in_handle);
+ if (res)
+@@ -1125,17 +1125,24 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp,
+ memcpy(page_address(in_token->pages[0]), argv->iov_base, length);
+ inlen -= length;
+
+- i = 1;
+- page_base = rqstp->rq_arg.page_base;
++ to_offs = length;
++ from_offs = rqstp->rq_arg.page_base;
+ while (inlen) {
+- length = min_t(unsigned int, inlen, PAGE_SIZE);
+- memcpy(page_address(in_token->pages[i]),
+- page_address(rqstp->rq_arg.pages[i]) + page_base,
++ pgto = to_offs >> PAGE_SHIFT;
++ pgfrom = from_offs >> PAGE_SHIFT;
++ pgto_offs = to_offs & ~PAGE_MASK;
++ pgfrom_offs = from_offs & ~PAGE_MASK;
++
++ length = min_t(unsigned int, inlen,
++ min_t(unsigned int, PAGE_SIZE - pgto_offs,
++ PAGE_SIZE - pgfrom_offs));
++ memcpy(page_address(in_token->pages[pgto]) + pgto_offs,
++ page_address(rqstp->rq_arg.pages[pgfrom]) + pgfrom_offs,
+ length);
+
++ to_offs += length;
++ from_offs += length;
+ inlen -= length;
+- page_base = 0;
+- i++;
+ }
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From 8666121918174c8bbabe6e9f49a6e3eacefc18c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Oct 2020 22:33:43 +0300
+Subject: svcrdma: fix bounce buffers for unaligned offsets and multiple pages
+
+From: Dan Aloni <dan@kernelim.com>
+
+[ Upstream commit c327a310ec4d6ecbea13185ed56c11def441d9ab ]
+
+This was discovered using O_DIRECT at the client side, with small
+unaligned file offsets or IOs that span multiple file pages.
+
+Fixes: e248aa7be86 ("svcrdma: Remove max_sge check at connect time")
+Signed-off-by: Dan Aloni <dan@kernelim.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/xprtrdma/svc_rdma_sendto.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sunrpc/xprtrdma/svc_rdma_sendto.c b/net/sunrpc/xprtrdma/svc_rdma_sendto.c
+index 217106c66a13c..25e8922c10b28 100644
+--- a/net/sunrpc/xprtrdma/svc_rdma_sendto.c
++++ b/net/sunrpc/xprtrdma/svc_rdma_sendto.c
+@@ -609,10 +609,11 @@ static int svc_rdma_pull_up_reply_msg(struct svcxprt_rdma *rdma,
+ while (remaining) {
+ len = min_t(u32, PAGE_SIZE - pageoff, remaining);
+
+- memcpy(dst, page_address(*ppages), len);
++ memcpy(dst, page_address(*ppages) + pageoff, len);
+ remaining -= len;
+ dst += len;
+ pageoff = 0;
++ ppages++;
+ }
+ }
+
+--
+2.25.1
+
--- /dev/null
+From de3cf1b0ccb50e1f648150837bf758ebd3bd979d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 18:46:38 -0500
+Subject: tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup()
+
+From: Tyrel Datwyler <tyreld@linux.ibm.com>
+
+[ Upstream commit 63ffcbdad738e3d1c857027789a2273df3337624 ]
+
+The code currently NULLs tty->driver_data in hvcs_close() with the
+intent of informing the next call to hvcs_open() that device needs to be
+reconfigured. However, when hvcs_cleanup() is called we copy hvcsd from
+tty->driver_data which was previoulsy NULLed by hvcs_close() and our
+call to tty_port_put(&hvcsd->port) doesn't actually do anything since
+&hvcsd->port ends up translating to NULL by chance. This has the side
+effect that when hvcs_remove() is called we have one too many port
+references preventing hvcs_destuct_port() from ever being called. This
+also prevents us from reusing the /dev/hvcsX node in a future
+hvcs_probe() and we can eventually run out of /dev/hvcsX devices.
+
+Fix this by waiting to NULL tty->driver_data in hvcs_cleanup().
+
+Fixes: 27bf7c43a19c ("TTY: hvcs, add tty install")
+Signed-off-by: Tyrel Datwyler <tyreld@linux.ibm.com>
+Link: https://lore.kernel.org/r/20200820234643.70412-1-tyreld@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/hvc/hvcs.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c
+index ee0604cd9c6b2..0c498b20d8cb5 100644
+--- a/drivers/tty/hvc/hvcs.c
++++ b/drivers/tty/hvc/hvcs.c
+@@ -1218,13 +1218,6 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp)
+
+ tty_wait_until_sent(tty, HVCS_CLOSE_WAIT);
+
+- /*
+- * This line is important because it tells hvcs_open that this
+- * device needs to be re-configured the next time hvcs_open is
+- * called.
+- */
+- tty->driver_data = NULL;
+-
+ free_irq(irq, hvcsd);
+ return;
+ } else if (hvcsd->port.count < 0) {
+@@ -1239,6 +1232,13 @@ static void hvcs_cleanup(struct tty_struct * tty)
+ {
+ struct hvcs_struct *hvcsd = tty->driver_data;
+
++ /*
++ * This line is important because it tells hvcs_open that this
++ * device needs to be re-configured the next time hvcs_open is
++ * called.
++ */
++ tty->driver_data = NULL;
++
+ tty_port_put(&hvcsd->port);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 4a87becaf27a98cbdc423eb4eaaa4b040b1b8dac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Aug 2020 12:19:40 -0400
+Subject: tty: ipwireless: fix error handling
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit db332356222d9429731ab9395c89cca403828460 ]
+
+ipwireless_send_packet() can only return 0 on success and -ENOMEM on
+error, the caller should check non zero for error condition
+
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Acked-by: David Sterba <dsterba@suse.com>
+Link: https://lore.kernel.org/r/20200821161942.36589-1-ztong0001@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/ipwireless/network.c | 4 ++--
+ drivers/tty/ipwireless/tty.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/ipwireless/network.c b/drivers/tty/ipwireless/network.c
+index cf20616340a1a..fe569f6294a24 100644
+--- a/drivers/tty/ipwireless/network.c
++++ b/drivers/tty/ipwireless/network.c
+@@ -117,7 +117,7 @@ static int ipwireless_ppp_start_xmit(struct ppp_channel *ppp_channel,
+ skb->len,
+ notify_packet_sent,
+ network);
+- if (ret == -1) {
++ if (ret < 0) {
+ skb_pull(skb, 2);
+ return 0;
+ }
+@@ -134,7 +134,7 @@ static int ipwireless_ppp_start_xmit(struct ppp_channel *ppp_channel,
+ notify_packet_sent,
+ network);
+ kfree(buf);
+- if (ret == -1)
++ if (ret < 0)
+ return 0;
+ }
+ kfree_skb(skb);
+diff --git a/drivers/tty/ipwireless/tty.c b/drivers/tty/ipwireless/tty.c
+index fad3401e604d9..23584769fc292 100644
+--- a/drivers/tty/ipwireless/tty.c
++++ b/drivers/tty/ipwireless/tty.c
+@@ -218,7 +218,7 @@ static int ipw_write(struct tty_struct *linux_tty,
+ ret = ipwireless_send_packet(tty->hardware, IPW_CHANNEL_RAS,
+ buf, count,
+ ipw_write_packet_sent_callback, tty);
+- if (ret == -1) {
++ if (ret < 0) {
+ mutex_unlock(&tty->ipw_tty_mutex);
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From 12e1696e03f925c503fa727550d6ba4ace086978 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Aug 2020 08:39:50 -0400
+Subject: tty: serial: earlycon dependency
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit 0fb9342d06b0f667b915ba58bfefc030e534a218 ]
+
+parse_options() in drivers/tty/serial/earlycon.c calls uart_parse_earlycon
+in drivers/tty/serial/serial_core.c therefore selecting SERIAL_EARLYCON
+should automatically select SERIAL_CORE, otherwise will result in symbol
+not found error during linking if SERIAL_CORE is not configured as builtin
+
+Fixes: 9aac5887595b ("tty/serial: add generic serial earlycon")
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Link: https://lore.kernel.org/r/20200828123949.2642-1-ztong0001@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/tty/serial/Kconfig b/drivers/tty/serial/Kconfig
+index 67a9eb3f94cec..a9751a83d5dbb 100644
+--- a/drivers/tty/serial/Kconfig
++++ b/drivers/tty/serial/Kconfig
+@@ -10,6 +10,7 @@ menu "Serial drivers"
+
+ config SERIAL_EARLYCON
+ bool
++ depends on SERIAL_CORE
+ help
+ Support for early consoles with the earlycon parameter. This enables
+ the console before standard serial driver is probed. The console is
+--
+2.25.1
+
--- /dev/null
+From 7f45a20061f30871ca2cbf04b52bf9fb58caca6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 12:14:03 +0200
+Subject: udf: Avoid accessing uninitialized data on failed inode read
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 044e2e26f214e5ab26af85faffd8d1e4ec066931 ]
+
+When we fail to read inode, some data accessed in udf_evict_inode() may
+be uninitialized. Move the accesses to !is_bad_inode() branch.
+
+Reported-by: syzbot+91f02b28f9bb5f5f1341@syzkaller.appspotmail.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/inode.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index ea80036d7897b..97a192eb9949c 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -139,21 +139,24 @@ void udf_evict_inode(struct inode *inode)
+ struct udf_inode_info *iinfo = UDF_I(inode);
+ int want_delete = 0;
+
+- if (!inode->i_nlink && !is_bad_inode(inode)) {
+- want_delete = 1;
+- udf_setsize(inode, 0);
+- udf_update_inode(inode, IS_SYNC(inode));
++ if (!is_bad_inode(inode)) {
++ if (!inode->i_nlink) {
++ want_delete = 1;
++ udf_setsize(inode, 0);
++ udf_update_inode(inode, IS_SYNC(inode));
++ }
++ if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB &&
++ inode->i_size != iinfo->i_lenExtents) {
++ udf_warn(inode->i_sb,
++ "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n",
++ inode->i_ino, inode->i_mode,
++ (unsigned long long)inode->i_size,
++ (unsigned long long)iinfo->i_lenExtents);
++ }
+ }
+ truncate_inode_pages_final(&inode->i_data);
+ invalidate_inode_buffers(inode);
+ clear_inode(inode);
+- if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB &&
+- inode->i_size != iinfo->i_lenExtents) {
+- udf_warn(inode->i_sb, "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n",
+- inode->i_ino, inode->i_mode,
+- (unsigned long long)inode->i_size,
+- (unsigned long long)iinfo->i_lenExtents);
+- }
+ kfree(iinfo->i_ext.i_data);
+ iinfo->i_ext.i_data = NULL;
+ udf_clear_extent_cache(inode);
+--
+2.25.1
+
--- /dev/null
+From 545d1f61f90483ef10eb96fa7d7b01bcedd518c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 14:53:08 +0200
+Subject: udf: Limit sparing table size
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 44ac6b829c4e173fdf6df18e6dd86aecf9a3dc99 ]
+
+Although UDF standard allows it, we don't support sparing table larger
+than a single block. Check it during mount so that we don't try to
+access memory beyond end of buffer.
+
+Reported-by: syzbot+9991561e714f597095da@syzkaller.appspotmail.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/super.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index 4baa1ca91e9be..a0cd766b41cdb 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -1352,6 +1352,12 @@ static int udf_load_sparable_map(struct super_block *sb,
+ (int)spm->numSparingTables);
+ return -EIO;
+ }
++ if (le32_to_cpu(spm->sizeSparingTable) > sb->s_blocksize) {
++ udf_err(sb, "error loading logical volume descriptor: "
++ "Too big sparing table size (%u)\n",
++ le32_to_cpu(spm->sizeSparingTable));
++ return -EIO;
++ }
+
+ for (i = 0; i < spm->numSparingTables; i++) {
+ loc = le32_to_cpu(spm->locSparingTable[i]);
+--
+2.25.1
+
--- /dev/null
+From b51e99b032053cae5d8d53f8e4eadae6b4fed365 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Sep 2020 15:59:49 +0200
+Subject: USB: cdc-acm: handle broken union descriptors
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 960c7339de27c6d6fec13b54880501c3576bb08d ]
+
+Handle broken union functional descriptors where the master-interface
+doesn't exist or where its class is of neither Communication or Data
+type (as required by the specification) by falling back to
+"combined-interface" probing.
+
+Note that this still allows for handling union descriptors with switched
+interfaces.
+
+This specifically makes the Whistler radio scanners TRX series devices
+work with the driver without adding further quirks to the device-id
+table.
+
+Reported-by: Daniel Caujolle-Bert <f1rmb.daniel@gmail.com>
+Tested-by: Daniel Caujolle-Bert <f1rmb.daniel@gmail.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20200921135951.24045-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/class/cdc-acm.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index 7499ba118665a..c02488d469185 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1243,9 +1243,21 @@ static int acm_probe(struct usb_interface *intf,
+ }
+ }
+ } else {
++ int class = -1;
++
+ data_intf_num = union_header->bSlaveInterface0;
+ control_interface = usb_ifnum_to_if(usb_dev, union_header->bMasterInterface0);
+ data_interface = usb_ifnum_to_if(usb_dev, data_intf_num);
++
++ if (control_interface)
++ class = control_interface->cur_altsetting->desc.bInterfaceClass;
++
++ if (class != USB_CLASS_COMM && class != USB_CLASS_CDC_DATA) {
++ dev_dbg(&intf->dev, "Broken union descriptor, assuming single interface\n");
++ combined_interfaces = 1;
++ control_interface = data_interface = intf;
++ goto look_for_collapsed_interface;
++ }
+ }
+
+ if (!control_interface || !data_interface) {
+--
+2.25.1
+
--- /dev/null
+From 7c6be3c1717a23abc8c8950e826fe733d934e552 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Jul 2020 08:46:50 +0300
+Subject: usb: core: Solve race condition in anchor cleanup functions
+
+From: Eli Billauer <eli.billauer@gmail.com>
+
+[ Upstream commit fbc299437c06648afcc7891e6e2e6638dd48d4df ]
+
+usb_kill_anchored_urbs() is commonly used to cancel all URBs on an
+anchor just before releasing resources which the URBs rely on. By doing
+so, users of this function rely on that no completer callbacks will take
+place from any URB on the anchor after it returns.
+
+However if this function is called in parallel with __usb_hcd_giveback_urb
+processing a URB on the anchor, the latter may call the completer
+callback after usb_kill_anchored_urbs() returns. This can lead to a
+kernel panic due to use after release of memory in interrupt context.
+
+The race condition is that __usb_hcd_giveback_urb() first unanchors the URB
+and then makes the completer callback. Such URB is hence invisible to
+usb_kill_anchored_urbs(), allowing it to return before the completer has
+been called, since the anchor's urb_list is empty.
+
+Even worse, if the racing completer callback resubmits the URB, it may
+remain in the system long after usb_kill_anchored_urbs() returns.
+
+Hence list_empty(&anchor->urb_list), which is used in the existing
+while-loop, doesn't reliably ensure that all URBs of the anchor are gone.
+
+A similar problem exists with usb_poison_anchored_urbs() and
+usb_scuttle_anchored_urbs().
+
+This patch adds an external do-while loop, which ensures that all URBs
+are indeed handled before these three functions return. This change has
+no effect at all unless the race condition occurs, in which case the
+loop will busy-wait until the racing completer callback has finished.
+This is a rare condition, so the CPU waste of this spinning is
+negligible.
+
+The additional do-while loop relies on usb_anchor_check_wakeup(), which
+returns true iff the anchor list is empty, and there is no
+__usb_hcd_giveback_urb() in the system that is in the middle of the
+unanchor-before-complete phase. The @suspend_wakeups member of
+struct usb_anchor is used for this purpose, which was introduced to solve
+another problem which the same race condition causes, in commit
+6ec4147e7bdb ("usb-anchor: Delay usb_wait_anchor_empty_timeout wake up
+till completion is done").
+
+The surely_empty variable is necessary, because usb_anchor_check_wakeup()
+must be called with the lock held to prevent races. However the spinlock
+must be released and reacquired if the outer loop spins with an empty
+URB list while waiting for the unanchor-before-complete passage to finish:
+The completer callback may very well attempt to take the very same lock.
+
+To summarize, using usb_anchor_check_wakeup() means that the patched
+functions can return only when the anchor's list is empty, and there is
+no invisible URB being processed. Since the inner while loop finishes on
+the empty list condition, the new do-while loop will terminate as well,
+except for when the said race condition occurs.
+
+Signed-off-by: Eli Billauer <eli.billauer@gmail.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20200731054650.30644-1-eli.billauer@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/urb.c | 89 +++++++++++++++++++++++++-----------------
+ 1 file changed, 54 insertions(+), 35 deletions(-)
+
+diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c
+index da923ec176122..31ca5abb4c12a 100644
+--- a/drivers/usb/core/urb.c
++++ b/drivers/usb/core/urb.c
+@@ -772,11 +772,12 @@ void usb_block_urb(struct urb *urb)
+ EXPORT_SYMBOL_GPL(usb_block_urb);
+
+ /**
+- * usb_kill_anchored_urbs - cancel transfer requests en masse
++ * usb_kill_anchored_urbs - kill all URBs associated with an anchor
+ * @anchor: anchor the requests are bound to
+ *
+- * this allows all outstanding URBs to be killed starting
+- * from the back of the queue
++ * This kills all outstanding URBs starting from the back of the queue,
++ * with guarantee that no completer callbacks will take place from the
++ * anchor after this function returns.
+ *
+ * This routine should not be called by a driver after its disconnect
+ * method has returned.
+@@ -784,20 +785,26 @@ EXPORT_SYMBOL_GPL(usb_block_urb);
+ void usb_kill_anchored_urbs(struct usb_anchor *anchor)
+ {
+ struct urb *victim;
++ int surely_empty;
+
+- spin_lock_irq(&anchor->lock);
+- while (!list_empty(&anchor->urb_list)) {
+- victim = list_entry(anchor->urb_list.prev, struct urb,
+- anchor_list);
+- /* we must make sure the URB isn't freed before we kill it*/
+- usb_get_urb(victim);
+- spin_unlock_irq(&anchor->lock);
+- /* this will unanchor the URB */
+- usb_kill_urb(victim);
+- usb_put_urb(victim);
++ do {
+ spin_lock_irq(&anchor->lock);
+- }
+- spin_unlock_irq(&anchor->lock);
++ while (!list_empty(&anchor->urb_list)) {
++ victim = list_entry(anchor->urb_list.prev,
++ struct urb, anchor_list);
++ /* make sure the URB isn't freed before we kill it */
++ usb_get_urb(victim);
++ spin_unlock_irq(&anchor->lock);
++ /* this will unanchor the URB */
++ usb_kill_urb(victim);
++ usb_put_urb(victim);
++ spin_lock_irq(&anchor->lock);
++ }
++ surely_empty = usb_anchor_check_wakeup(anchor);
++
++ spin_unlock_irq(&anchor->lock);
++ cpu_relax();
++ } while (!surely_empty);
+ }
+ EXPORT_SYMBOL_GPL(usb_kill_anchored_urbs);
+
+@@ -816,21 +823,27 @@ EXPORT_SYMBOL_GPL(usb_kill_anchored_urbs);
+ void usb_poison_anchored_urbs(struct usb_anchor *anchor)
+ {
+ struct urb *victim;
++ int surely_empty;
+
+- spin_lock_irq(&anchor->lock);
+- anchor->poisoned = 1;
+- while (!list_empty(&anchor->urb_list)) {
+- victim = list_entry(anchor->urb_list.prev, struct urb,
+- anchor_list);
+- /* we must make sure the URB isn't freed before we kill it*/
+- usb_get_urb(victim);
+- spin_unlock_irq(&anchor->lock);
+- /* this will unanchor the URB */
+- usb_poison_urb(victim);
+- usb_put_urb(victim);
++ do {
+ spin_lock_irq(&anchor->lock);
+- }
+- spin_unlock_irq(&anchor->lock);
++ anchor->poisoned = 1;
++ while (!list_empty(&anchor->urb_list)) {
++ victim = list_entry(anchor->urb_list.prev,
++ struct urb, anchor_list);
++ /* make sure the URB isn't freed before we kill it */
++ usb_get_urb(victim);
++ spin_unlock_irq(&anchor->lock);
++ /* this will unanchor the URB */
++ usb_poison_urb(victim);
++ usb_put_urb(victim);
++ spin_lock_irq(&anchor->lock);
++ }
++ surely_empty = usb_anchor_check_wakeup(anchor);
++
++ spin_unlock_irq(&anchor->lock);
++ cpu_relax();
++ } while (!surely_empty);
+ }
+ EXPORT_SYMBOL_GPL(usb_poison_anchored_urbs);
+
+@@ -970,14 +983,20 @@ void usb_scuttle_anchored_urbs(struct usb_anchor *anchor)
+ {
+ struct urb *victim;
+ unsigned long flags;
++ int surely_empty;
++
++ do {
++ spin_lock_irqsave(&anchor->lock, flags);
++ while (!list_empty(&anchor->urb_list)) {
++ victim = list_entry(anchor->urb_list.prev,
++ struct urb, anchor_list);
++ __usb_unanchor_urb(victim, anchor);
++ }
++ surely_empty = usb_anchor_check_wakeup(anchor);
+
+- spin_lock_irqsave(&anchor->lock, flags);
+- while (!list_empty(&anchor->urb_list)) {
+- victim = list_entry(anchor->urb_list.prev, struct urb,
+- anchor_list);
+- __usb_unanchor_urb(victim, anchor);
+- }
+- spin_unlock_irqrestore(&anchor->lock, flags);
++ spin_unlock_irqrestore(&anchor->lock, flags);
++ cpu_relax();
++ } while (!surely_empty);
+ }
+
+ EXPORT_SYMBOL_GPL(usb_scuttle_anchored_urbs);
+--
+2.25.1
+
--- /dev/null
+From 64b725bbd7ff6f5ce2ce6b1b2a38c0ab644f2b07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Sep 2020 18:08:39 +0400
+Subject: usb: dwc2: Fix INTR OUT transfers in DDMA mode.
+
+From: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+
+[ Upstream commit b2c586eb07efab982419f32b7c3bd96829bc8bcd ]
+
+In DDMA mode if INTR OUT transfers mps not multiple of 4 then single packet
+corresponds to single descriptor.
+
+Descriptor limit set to mps and desc chain limit set to mps *
+MAX_DMA_DESC_NUM_GENERIC. On that descriptors complete, to calculate
+transfer size should be considered correction value for each descriptor.
+
+In start request function, if "continue" is true then dma buffer address
+should be incremmented by offset for all type of transfers, not only for
+Control DATA_OUT transfers.
+
+Fixes: cf77b5fb9b394 ("usb: dwc2: gadget: Transfer length limit checking for DDMA")
+Fixes: e02f9aa6119e0 ("usb: dwc2: gadget: EP 0 specific DDMA programming")
+Fixes: aa3e8bc81311e ("usb: dwc2: gadget: DDMA transfer start and complete")
+
+Signed-off-by: Minas Harutyunyan <hminas@synopsys.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/gadget.c | 40 ++++++++++++++++++++++++++++++++-------
+ 1 file changed, 33 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c
+index f7528f732b2aa..70ac47a341ac2 100644
+--- a/drivers/usb/dwc2/gadget.c
++++ b/drivers/usb/dwc2/gadget.c
+@@ -712,8 +712,11 @@ static u32 dwc2_hsotg_read_frameno(struct dwc2_hsotg *hsotg)
+ */
+ static unsigned int dwc2_gadget_get_chain_limit(struct dwc2_hsotg_ep *hs_ep)
+ {
++ const struct usb_endpoint_descriptor *ep_desc = hs_ep->ep.desc;
+ int is_isoc = hs_ep->isochronous;
+ unsigned int maxsize;
++ u32 mps = hs_ep->ep.maxpacket;
++ int dir_in = hs_ep->dir_in;
+
+ if (is_isoc)
+ maxsize = (hs_ep->dir_in ? DEV_DMA_ISOC_TX_NBYTES_LIMIT :
+@@ -722,6 +725,11 @@ static unsigned int dwc2_gadget_get_chain_limit(struct dwc2_hsotg_ep *hs_ep)
+ else
+ maxsize = DEV_DMA_NBYTES_LIMIT * MAX_DMA_DESC_NUM_GENERIC;
+
++ /* Interrupt OUT EP with mps not multiple of 4 */
++ if (hs_ep->index)
++ if (usb_endpoint_xfer_int(ep_desc) && !dir_in && (mps % 4))
++ maxsize = mps * MAX_DMA_DESC_NUM_GENERIC;
++
+ return maxsize;
+ }
+
+@@ -737,11 +745,14 @@ static unsigned int dwc2_gadget_get_chain_limit(struct dwc2_hsotg_ep *hs_ep)
+ * Isochronous - descriptor rx/tx bytes bitfield limit,
+ * Control In/Bulk/Interrupt - multiple of mps. This will allow to not
+ * have concatenations from various descriptors within one packet.
++ * Interrupt OUT - if mps not multiple of 4 then a single packet corresponds
++ * to a single descriptor.
+ *
+ * Selects corresponding mask for RX/TX bytes as well.
+ */
+ static u32 dwc2_gadget_get_desc_params(struct dwc2_hsotg_ep *hs_ep, u32 *mask)
+ {
++ const struct usb_endpoint_descriptor *ep_desc = hs_ep->ep.desc;
+ u32 mps = hs_ep->ep.maxpacket;
+ int dir_in = hs_ep->dir_in;
+ u32 desc_size = 0;
+@@ -765,6 +776,13 @@ static u32 dwc2_gadget_get_desc_params(struct dwc2_hsotg_ep *hs_ep, u32 *mask)
+ desc_size -= desc_size % mps;
+ }
+
++ /* Interrupt OUT EP with mps not multiple of 4 */
++ if (hs_ep->index)
++ if (usb_endpoint_xfer_int(ep_desc) && !dir_in && (mps % 4)) {
++ desc_size = mps;
++ *mask = DEV_DMA_NBYTES_MASK;
++ }
++
+ return desc_size;
+ }
+
+@@ -1123,13 +1141,7 @@ static void dwc2_hsotg_start_req(struct dwc2_hsotg *hsotg,
+ length += (mps - (length % mps));
+ }
+
+- /*
+- * If more data to send, adjust DMA for EP0 out data stage.
+- * ureq->dma stays unchanged, hence increment it by already
+- * passed passed data count before starting new transaction.
+- */
+- if (!index && hsotg->ep0_state == DWC2_EP0_DATA_OUT &&
+- continuing)
++ if (continuing)
+ offset = ureq->actual;
+
+ /* Fill DDMA chain entries */
+@@ -2319,22 +2331,36 @@ static void dwc2_hsotg_change_ep_iso_parity(struct dwc2_hsotg *hsotg,
+ */
+ static unsigned int dwc2_gadget_get_xfersize_ddma(struct dwc2_hsotg_ep *hs_ep)
+ {
++ const struct usb_endpoint_descriptor *ep_desc = hs_ep->ep.desc;
+ struct dwc2_hsotg *hsotg = hs_ep->parent;
+ unsigned int bytes_rem = 0;
++ unsigned int bytes_rem_correction = 0;
+ struct dwc2_dma_desc *desc = hs_ep->desc_list;
+ int i;
+ u32 status;
++ u32 mps = hs_ep->ep.maxpacket;
++ int dir_in = hs_ep->dir_in;
+
+ if (!desc)
+ return -EINVAL;
+
++ /* Interrupt OUT EP with mps not multiple of 4 */
++ if (hs_ep->index)
++ if (usb_endpoint_xfer_int(ep_desc) && !dir_in && (mps % 4))
++ bytes_rem_correction = 4 - (mps % 4);
++
+ for (i = 0; i < hs_ep->desc_count; ++i) {
+ status = desc->status;
+ bytes_rem += status & DEV_DMA_NBYTES_MASK;
++ bytes_rem -= bytes_rem_correction;
+
+ if (status & DEV_DMA_STS_MASK)
+ dev_err(hsotg->dev, "descriptor %d closed with %x\n",
+ i, status & DEV_DMA_STS_MASK);
++
++ if (status & DEV_DMA_L)
++ break;
++
+ desc++;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From acfc91cb45aed1e8ee09c1bc12ebb9dd65cf61d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jul 2020 23:03:54 -0700
+Subject: usb: dwc2: Fix parameter type in function pointer prototype
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit 362b9398c962c9ec563653444e15ef9032ef3a90 ]
+
+When booting up on a Raspberry Pi 4 with Control Flow Integrity checking
+enabled, the following warning/panic happens:
+
+[ 1.626435] CFI failure (target: dwc2_set_bcm_params+0x0/0x4):
+[ 1.632408] WARNING: CPU: 0 PID: 32 at kernel/cfi.c:30 __cfi_check_fail+0x54/0x5c
+[ 1.640021] Modules linked in:
+[ 1.643137] CPU: 0 PID: 32 Comm: kworker/0:1 Not tainted 5.8.0-rc6-next-20200724-00051-g89ba619726de #1
+[ 1.652693] Hardware name: Raspberry Pi 4 Model B Rev 1.2 (DT)
+[ 1.658637] Workqueue: events deferred_probe_work_func
+[ 1.663870] pstate: 60000005 (nZCv daif -PAN -UAO BTYPE=--)
+[ 1.669542] pc : __cfi_check_fail+0x54/0x5c
+[ 1.673798] lr : __cfi_check_fail+0x54/0x5c
+[ 1.678050] sp : ffff8000102bbaa0
+[ 1.681419] x29: ffff8000102bbaa0 x28: ffffab09e21c7000
+[ 1.686829] x27: 0000000000000402 x26: ffff0000f6e7c228
+[ 1.692238] x25: 00000000fb7cdb0d x24: 0000000000000005
+[ 1.697647] x23: ffffab09e2515000 x22: ffffab09e069a000
+[ 1.703055] x21: 4c550309df1cf4c1 x20: ffffab09e2433c60
+[ 1.708462] x19: ffffab09e160dc50 x18: ffff0000f6e8cc78
+[ 1.713870] x17: 0000000000000041 x16: ffffab09e0bce6f8
+[ 1.719278] x15: ffffab09e1c819b7 x14: 0000000000000003
+[ 1.724686] x13: 00000000ffffefff x12: 0000000000000000
+[ 1.730094] x11: 0000000000000000 x10: 00000000ffffffff
+[ 1.735501] x9 : c932f7abfc4bc600 x8 : c932f7abfc4bc600
+[ 1.740910] x7 : 077207610770075f x6 : ffff0000f6c38f00
+[ 1.746317] x5 : 0000000000000000 x4 : 0000000000000000
+[ 1.751723] x3 : 0000000000000000 x2 : 0000000000000000
+[ 1.757129] x1 : ffff8000102bb7d8 x0 : 0000000000000032
+[ 1.762539] Call trace:
+[ 1.765030] __cfi_check_fail+0x54/0x5c
+[ 1.768938] __cfi_check+0x5fa6c/0x66afc
+[ 1.772932] dwc2_init_params+0xd74/0xd78
+[ 1.777012] dwc2_driver_probe+0x484/0x6ec
+[ 1.781180] platform_drv_probe+0xb4/0x100
+[ 1.785350] really_probe+0x228/0x63c
+[ 1.789076] driver_probe_device+0x80/0xc0
+[ 1.793247] __device_attach_driver+0x114/0x160
+[ 1.797857] bus_for_each_drv+0xa8/0x128
+[ 1.801851] __device_attach.llvm.14901095709067289134+0xc0/0x170
+[ 1.808050] bus_probe_device+0x44/0x100
+[ 1.812044] deferred_probe_work_func+0x78/0xb8
+[ 1.816656] process_one_work+0x204/0x3c4
+[ 1.820736] worker_thread+0x2f0/0x4c4
+[ 1.824552] kthread+0x174/0x184
+[ 1.827837] ret_from_fork+0x10/0x18
+
+CFI validates that all indirect calls go to a function with the same
+exact function pointer prototype. In this case, dwc2_set_bcm_params
+is the target, which has a parameter of type 'struct dwc2_hsotg *',
+but it is being implicitly cast to have a parameter of type 'void *'
+because that is the set_params function pointer prototype. Make the
+function pointer protoype match the definitions so that there is no
+more violation.
+
+Fixes: 7de1debcd2de ("usb: dwc2: Remove platform static params")
+Link: https://github.com/ClangBuiltLinux/linux/issues/1107
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/params.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/dwc2/params.c b/drivers/usb/dwc2/params.c
+index 31e090ac9f1ec..6d3812678b8c6 100644
+--- a/drivers/usb/dwc2/params.c
++++ b/drivers/usb/dwc2/params.c
+@@ -846,7 +846,7 @@ int dwc2_get_hwparams(struct dwc2_hsotg *hsotg)
+ int dwc2_init_params(struct dwc2_hsotg *hsotg)
+ {
+ const struct of_device_id *match;
+- void (*set_params)(void *data);
++ void (*set_params)(struct dwc2_hsotg *data);
+
+ dwc2_set_default_params(hsotg);
+ dwc2_get_device_properties(hsotg);
+--
+2.25.1
+
--- /dev/null
+From 025d0fc6c500a911f3ed61be4e38e1ac316eb0bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Sep 2020 09:20:56 +0200
+Subject: usb: dwc3: Add splitdisable quirk for Hisilicon Kirin Soc
+
+From: Yu Chen <chenyu56@huawei.com>
+
+[ Upstream commit f580170f135af14e287560d94045624d4242d712 ]
+
+SPLIT_BOUNDARY_DISABLE should be set for DesignWare USB3 DRD Core
+of Hisilicon Kirin Soc when dwc3 core act as host.
+
+[mchehab: dropped a dev_dbg() as only traces are now allowwed on this driver]
+
+Signed-off-by: Yu Chen <chenyu56@huawei.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/core.c | 25 +++++++++++++++++++++++++
+ drivers/usb/dwc3/core.h | 7 +++++++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index 526c275ad0bc5..4cbf295390062 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -117,6 +117,7 @@ static void __dwc3_set_mode(struct work_struct *work)
+ struct dwc3 *dwc = work_to_dwc(work);
+ unsigned long flags;
+ int ret;
++ u32 reg;
+
+ if (dwc->dr_mode != USB_DR_MODE_OTG)
+ return;
+@@ -168,6 +169,11 @@ static void __dwc3_set_mode(struct work_struct *work)
+ otg_set_vbus(dwc->usb2_phy->otg, true);
+ phy_set_mode(dwc->usb2_generic_phy, PHY_MODE_USB_HOST);
+ phy_set_mode(dwc->usb3_generic_phy, PHY_MODE_USB_HOST);
++ if (dwc->dis_split_quirk) {
++ reg = dwc3_readl(dwc->regs, DWC3_GUCTL3);
++ reg |= DWC3_GUCTL3_SPLITDISABLE;
++ dwc3_writel(dwc->regs, DWC3_GUCTL3, reg);
++ }
+ }
+ break;
+ case DWC3_GCTL_PRTCAP_DEVICE:
+@@ -1323,6 +1329,9 @@ static void dwc3_get_properties(struct dwc3 *dwc)
+ dwc->dis_metastability_quirk = device_property_read_bool(dev,
+ "snps,dis_metastability_quirk");
+
++ dwc->dis_split_quirk = device_property_read_bool(dev,
++ "snps,dis-split-quirk");
++
+ dwc->lpm_nyet_threshold = lpm_nyet_threshold;
+ dwc->tx_de_emphasis = tx_de_emphasis;
+
+@@ -1835,10 +1844,26 @@ static int dwc3_resume(struct device *dev)
+
+ return 0;
+ }
++
++static void dwc3_complete(struct device *dev)
++{
++ struct dwc3 *dwc = dev_get_drvdata(dev);
++ u32 reg;
++
++ if (dwc->current_dr_role == DWC3_GCTL_PRTCAP_HOST &&
++ dwc->dis_split_quirk) {
++ reg = dwc3_readl(dwc->regs, DWC3_GUCTL3);
++ reg |= DWC3_GUCTL3_SPLITDISABLE;
++ dwc3_writel(dwc->regs, DWC3_GUCTL3, reg);
++ }
++}
++#else
++#define dwc3_complete NULL
+ #endif /* CONFIG_PM_SLEEP */
+
+ static const struct dev_pm_ops dwc3_dev_pm_ops = {
+ SET_SYSTEM_SLEEP_PM_OPS(dwc3_suspend, dwc3_resume)
++ .complete = dwc3_complete,
+ SET_RUNTIME_PM_OPS(dwc3_runtime_suspend, dwc3_runtime_resume,
+ dwc3_runtime_idle)
+ };
+diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h
+index ce4acbf7fef90..4dfbffa944de1 100644
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -136,6 +136,7 @@
+ #define DWC3_GEVNTCOUNT(n) (0xc40c + ((n) * 0x10))
+
+ #define DWC3_GHWPARAMS8 0xc600
++#define DWC3_GUCTL3 0xc60c
+ #define DWC3_GFLADJ 0xc630
+
+ /* Device Registers */
+@@ -375,6 +376,9 @@
+ /* Global User Control Register 2 */
+ #define DWC3_GUCTL2_RST_ACTBITLATER BIT(14)
+
++/* Global User Control Register 3 */
++#define DWC3_GUCTL3_SPLITDISABLE BIT(14)
++
+ /* Device Configuration Register */
+ #define DWC3_DCFG_DEVADDR(addr) ((addr) << 3)
+ #define DWC3_DCFG_DEVADDR_MASK DWC3_DCFG_DEVADDR(0x7f)
+@@ -1038,6 +1042,7 @@ struct dwc3_scratchpad_array {
+ * 2 - No de-emphasis
+ * 3 - Reserved
+ * @dis_metastability_quirk: set to disable metastability quirk.
++ * @dis_split_quirk: set to disable split boundary.
+ * @imod_interval: set the interrupt moderation interval in 250ns
+ * increments or 0 to disable.
+ */
+@@ -1229,6 +1234,8 @@ struct dwc3 {
+
+ unsigned dis_metastability_quirk:1;
+
++ unsigned dis_split_quirk:1;
++
+ u16 imod_interval;
+ };
+
+--
+2.25.1
+
--- /dev/null
+From bfb6ea509d2dbf913b2187dead6e85a32c5b683e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Sep 2020 11:58:23 +0200
+Subject: usb: dwc3: simple: add support for Hikey 970
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit b68d9251561f33661e53dd618f1cafe7ec9ec3c2 ]
+
+This binding driver is needed for Hikey 970 to work,
+as otherwise a Serror is produced:
+
+ [ 1.837458] SError Interrupt on CPU0, code 0xbf000002 -- SError
+ [ 1.837462] CPU: 0 PID: 74 Comm: kworker/0:1 Not tainted 5.8.0+ #205
+ [ 1.837463] Hardware name: HiKey970 (DT)
+ [ 1.837465] Workqueue: events deferred_probe_work_func
+ [ 1.837467] pstate: 20000005 (nzCv daif -PAN -UAO BTYPE=--)
+ [ 1.837468] pc : _raw_spin_unlock_irqrestore+0x18/0x50
+ [ 1.837469] lr : regmap_unlock_spinlock+0x14/0x20
+ [ 1.837470] sp : ffff8000124dba60
+ [ 1.837471] x29: ffff8000124dba60 x28: 0000000000000000
+ [ 1.837474] x27: ffff0001b7e854c8 x26: ffff80001204ea18
+ [ 1.837476] x25: 0000000000000005 x24: ffff800011f918f8
+ [ 1.837479] x23: ffff800011fbb588 x22: ffff0001b7e40e00
+ [ 1.837481] x21: 0000000000000100 x20: 0000000000000000
+ [ 1.837483] x19: ffff0001b767ec00 x18: 00000000ff10c000
+ [ 1.837485] x17: 0000000000000002 x16: 0000b0740fdb9950
+ [ 1.837488] x15: ffff8000116c1198 x14: ffffffffffffffff
+ [ 1.837490] x13: 0000000000000030 x12: 0101010101010101
+ [ 1.837493] x11: 0000000000000020 x10: ffff0001bf17d130
+ [ 1.837495] x9 : 0000000000000000 x8 : ffff0001b6938080
+ [ 1.837497] x7 : 0000000000000000 x6 : 000000000000003f
+ [ 1.837500] x5 : 0000000000000000 x4 : 0000000000000000
+ [ 1.837502] x3 : ffff80001096a880 x2 : 0000000000000000
+ [ 1.837505] x1 : ffff0001b7e40e00 x0 : 0000000100000001
+ [ 1.837507] Kernel panic - not syncing: Asynchronous SError Interrupt
+ [ 1.837509] CPU: 0 PID: 74 Comm: kworker/0:1 Not tainted 5.8.0+ #205
+ [ 1.837510] Hardware name: HiKey970 (DT)
+ [ 1.837511] Workqueue: events deferred_probe_work_func
+ [ 1.837513] Call trace:
+ [ 1.837514] dump_backtrace+0x0/0x1e0
+ [ 1.837515] show_stack+0x18/0x24
+ [ 1.837516] dump_stack+0xc0/0x11c
+ [ 1.837517] panic+0x15c/0x324
+ [ 1.837518] nmi_panic+0x8c/0x90
+ [ 1.837519] arm64_serror_panic+0x78/0x84
+ [ 1.837520] do_serror+0x158/0x15c
+ [ 1.837521] el1_error+0x84/0x100
+ [ 1.837522] _raw_spin_unlock_irqrestore+0x18/0x50
+ [ 1.837523] regmap_write+0x58/0x80
+ [ 1.837524] hi3660_reset_deassert+0x28/0x34
+ [ 1.837526] reset_control_deassert+0x50/0x260
+ [ 1.837527] reset_control_deassert+0xf4/0x260
+ [ 1.837528] dwc3_probe+0x5dc/0xe6c
+ [ 1.837529] platform_drv_probe+0x54/0xb0
+ [ 1.837530] really_probe+0xe0/0x490
+ [ 1.837531] driver_probe_device+0xf4/0x160
+ [ 1.837532] __device_attach_driver+0x8c/0x114
+ [ 1.837533] bus_for_each_drv+0x78/0xcc
+ [ 1.837534] __device_attach+0x108/0x1a0
+ [ 1.837535] device_initial_probe+0x14/0x20
+ [ 1.837537] bus_probe_device+0x98/0xa0
+ [ 1.837538] deferred_probe_work_func+0x88/0xe0
+ [ 1.837539] process_one_work+0x1cc/0x350
+ [ 1.837540] worker_thread+0x2c0/0x470
+ [ 1.837541] kthread+0x154/0x160
+ [ 1.837542] ret_from_fork+0x10/0x30
+ [ 1.837569] SMP: stopping secondary CPUs
+ [ 1.837570] Kernel Offset: 0x1d0000 from 0xffff800010000000
+ [ 1.837571] PHYS_OFFSET: 0x0
+ [ 1.837572] CPU features: 0x240002,20882004
+ [ 1.837573] Memory Limit: none
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/dwc3-of-simple.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/dwc3/dwc3-of-simple.c b/drivers/usb/dwc3/dwc3-of-simple.c
+index bdac3e7d7b184..d055e00f81808 100644
+--- a/drivers/usb/dwc3/dwc3-of-simple.c
++++ b/drivers/usb/dwc3/dwc3-of-simple.c
+@@ -183,6 +183,7 @@ static const struct of_device_id of_dwc3_simple_match[] = {
+ { .compatible = "amlogic,meson-axg-dwc3" },
+ { .compatible = "amlogic,meson-gxl-dwc3" },
+ { .compatible = "allwinner,sun50i-h6-dwc3" },
++ { .compatible = "hisilicon,hi3670-dwc3" },
+ { /* Sentinel */ }
+ };
+ MODULE_DEVICE_TABLE(of, of_dwc3_simple_match);
+--
+2.25.1
+
--- /dev/null
+From e93a5c57171ebf1644631bf7256d9d80328c3367 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Aug 2020 14:55:03 +0900
+Subject: usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lorenzo Colitti <lorenzo@google.com>
+
+[ Upstream commit 986499b1569af980a819817f17238015b27793f6 ]
+
+Currently, SuperSpeed NCM gadgets report a speed of 851 Mbps
+in USB_CDC_NOTIFY_SPEED_CHANGE. But the calculation appears to
+assume 16 packets per microframe, and USB 3 and above no longer
+use microframes.
+
+Maximum speed is actually much higher. On a direct connection,
+theoretical throughput is at most 3.86 Gbps for gen1x1 and
+9.36 Gbps for gen2x1, and I have seen gadget->host iperf
+throughput of >2 Gbps for gen1x1 and >4 Gbps for gen2x1.
+
+Unfortunately the ConnectionSpeedChange defined in the CDC spec
+only uses 32-bit values, so we can't report accurate numbers for
+10Gbps and above. So, report 3.75Gbps for SuperSpeed (which is
+roughly maximum theoretical performance) and 4.25Gbps for
+SuperSpeed Plus (which is close to the maximum that we can report
+in a 32-bit unsigned integer).
+
+This results in:
+
+[50879.191272] cdc_ncm 2-2:1.0 enx228b127e050c: renamed from usb0
+[50879.234778] cdc_ncm 2-2:1.0 enx228b127e050c: 3750 mbit/s downlink 3750 mbit/s uplink
+
+on SuperSpeed and:
+
+[50798.434527] cdc_ncm 8-2:1.0 enx228b127e050c: renamed from usb0
+[50798.524278] cdc_ncm 8-2:1.0 enx228b127e050c: 4250 mbit/s downlink 4250 mbit/s uplink
+
+on SuperSpeed Plus.
+
+Fixes: 1650113888fe ("usb: gadget: f_ncm: add SuperSpeed descriptors for CDC NCM")
+Reviewed-by: Maciej Żenczykowski <maze@google.com>
+Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_ncm.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c
+index 1f638759a9533..7672fa25085b0 100644
+--- a/drivers/usb/gadget/function/f_ncm.c
++++ b/drivers/usb/gadget/function/f_ncm.c
+@@ -85,8 +85,10 @@ static inline struct f_ncm *func_to_ncm(struct usb_function *f)
+ /* peak (theoretical) bulk transfer rate in bits-per-second */
+ static inline unsigned ncm_bitrate(struct usb_gadget *g)
+ {
+- if (gadget_is_superspeed(g) && g->speed == USB_SPEED_SUPER)
+- return 13 * 1024 * 8 * 1000 * 8;
++ if (gadget_is_superspeed(g) && g->speed >= USB_SPEED_SUPER_PLUS)
++ return 4250000000U;
++ else if (gadget_is_superspeed(g) && g->speed == USB_SPEED_SUPER)
++ return 3750000000U;
+ else if (gadget_is_dualspeed(g) && g->speed == USB_SPEED_HIGH)
+ return 13 * 512 * 8 * 1000 * 8;
+ else
+--
+2.25.1
+
--- /dev/null
+From 6c997ed371bb5dc495a25074115863e21d0893f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jun 2020 11:05:33 +0800
+Subject: usb: gadget: function: printer: fix use-after-free in __lock_acquire
+
+From: Zqiang <qiang.zhang@windriver.com>
+
+[ Upstream commit e8d5f92b8d30bb4ade76494490c3c065e12411b1 ]
+
+Fix this by increase object reference count.
+
+BUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180
+kernel/locking/lockdep.c:3831
+Read of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377
+
+CPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xce/0x128 lib/dump_stack.c:118
+ print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
+ __kasan_report+0x131/0x1b0 mm/kasan/report.c:506
+ kasan_report+0x12/0x20 mm/kasan/common.c:641
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
+ __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831
+ lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
+ _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159
+ printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723
+ vfs_ioctl fs/ioctl.c:47 [inline]
+ ksys_ioctl+0xfb/0x130 fs/ioctl.c:763
+ __do_sys_ioctl fs/ioctl.c:772 [inline]
+ __se_sys_ioctl fs/ioctl.c:770 [inline]
+ __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770
+ do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x4531a9
+Code: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48
+89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
+01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 00000000004531a9
+RDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003
+RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61
+R13: 00000000004d0a98 R14: 00007fd14ad736d4 R15: 00000000ffffffff
+
+Allocated by task 2393:
+ save_stack+0x21/0x90 mm/kasan/common.c:72
+ set_track mm/kasan/common.c:80 [inline]
+ __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515
+ kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
+ kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813
+ kmalloc include/linux/slab.h:555 [inline]
+ kzalloc include/linux/slab.h:669 [inline]
+ gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416
+ usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61
+ config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444
+ configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202
+ vfs_symlink+0x33d/0x5b0 fs/namei.c:4201
+ do_symlinkat+0x11b/0x1d0 fs/namei.c:4228
+ __do_sys_symlinkat fs/namei.c:4242 [inline]
+ __se_sys_symlinkat fs/namei.c:4239 [inline]
+ __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239
+ do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 3368:
+ save_stack+0x21/0x90 mm/kasan/common.c:72
+ set_track mm/kasan/common.c:80 [inline]
+ kasan_set_free_info mm/kasan/common.c:337 [inline]
+ __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476
+ kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
+ slab_free_hook mm/slub.c:1444 [inline]
+ slab_free_freelist_hook mm/slub.c:1477 [inline]
+ slab_free mm/slub.c:3034 [inline]
+ kfree+0xf7/0x410 mm/slub.c:3995
+ gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353
+ usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87
+ config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485
+ configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250
+ vfs_unlink+0x287/0x570 fs/namei.c:4073
+ do_unlinkat+0x4f9/0x620 fs/namei.c:4137
+ __do_sys_unlink fs/namei.c:4184 [inline]
+ __se_sys_unlink fs/namei.c:4182 [inline]
+ __x64_sys_unlink+0x42/0x50 fs/namei.c:4182
+ do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8880683b0000
+ which belongs to the cache kmalloc-1k of size 1024
+The buggy address is located 24 bytes inside of
+ 1024-byte region [ffff8880683b0000, ffff8880683b0400)
+The buggy address belongs to the page:
+page:ffffea0001a0ec00 refcount:1 mapcount:0 mapping:ffff88806c00e300
+index:0xffff8880683b1800 compound_mapcount: 0
+flags: 0x100000000010200(slab|head)
+raw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300
+raw: ffff8880683b1800 000000008010000a 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Reported-by: Kyungtae Kim <kt0755@gmail.com>
+Signed-off-by: Zqiang <qiang.zhang@windriver.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_printer.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c
+index 9c7ed2539ff77..8ed1295d7e350 100644
+--- a/drivers/usb/gadget/function/f_printer.c
++++ b/drivers/usb/gadget/function/f_printer.c
+@@ -31,6 +31,7 @@
+ #include <linux/types.h>
+ #include <linux/ctype.h>
+ #include <linux/cdev.h>
++#include <linux/kref.h>
+
+ #include <asm/byteorder.h>
+ #include <linux/io.h>
+@@ -64,7 +65,7 @@ struct printer_dev {
+ struct usb_gadget *gadget;
+ s8 interface;
+ struct usb_ep *in_ep, *out_ep;
+-
++ struct kref kref;
+ struct list_head rx_reqs; /* List of free RX structs */
+ struct list_head rx_reqs_active; /* List of Active RX xfers */
+ struct list_head rx_buffers; /* List of completed xfers */
+@@ -218,6 +219,13 @@ static inline struct usb_endpoint_descriptor *ep_desc(struct usb_gadget *gadget,
+
+ /*-------------------------------------------------------------------------*/
+
++static void printer_dev_free(struct kref *kref)
++{
++ struct printer_dev *dev = container_of(kref, struct printer_dev, kref);
++
++ kfree(dev);
++}
++
+ static struct usb_request *
+ printer_req_alloc(struct usb_ep *ep, unsigned len, gfp_t gfp_flags)
+ {
+@@ -348,6 +356,7 @@ printer_open(struct inode *inode, struct file *fd)
+
+ spin_unlock_irqrestore(&dev->lock, flags);
+
++ kref_get(&dev->kref);
+ DBG(dev, "printer_open returned %x\n", ret);
+ return ret;
+ }
+@@ -365,6 +374,7 @@ printer_close(struct inode *inode, struct file *fd)
+ dev->printer_status &= ~PRINTER_SELECTED;
+ spin_unlock_irqrestore(&dev->lock, flags);
+
++ kref_put(&dev->kref, printer_dev_free);
+ DBG(dev, "printer_close\n");
+
+ return 0;
+@@ -1350,7 +1360,8 @@ static void gprinter_free(struct usb_function *f)
+ struct f_printer_opts *opts;
+
+ opts = container_of(f->fi, struct f_printer_opts, func_inst);
+- kfree(dev);
++
++ kref_put(&dev->kref, printer_dev_free);
+ mutex_lock(&opts->lock);
+ --opts->refcnt;
+ mutex_unlock(&opts->lock);
+@@ -1419,6 +1430,7 @@ static struct usb_function *gprinter_alloc(struct usb_function_instance *fi)
+ return ERR_PTR(-ENOMEM);
+ }
+
++ kref_init(&dev->kref);
+ ++opts->refcnt;
+ dev->minor = opts->minor;
+ dev->pnp_string = opts->pnp_string;
+--
+2.25.1
+
--- /dev/null
+From 31e2324c58b6e3d798d22ed0664bc77dfc6f69fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Aug 2020 01:19:49 +0900
+Subject: usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lorenzo Colitti <lorenzo@google.com>
+
+[ Upstream commit 4eea21dc67b0c6ba15ae41b1defa113a680a858e ]
+
+The u_ether driver has a qmult setting that multiplies the
+transmit queue length (which by default is 2).
+
+The intent is that it should be enabled at high/super speed, but
+because the code does not explicitly check for USB_SUPER_PLUS,
+it is disabled at that speed.
+
+Fix this by ensuring that the queue multiplier is enabled for any
+wired link at high speed or above. Using >= for USB_SPEED_*
+constants seems correct because it is what the gadget_is_xxxspeed
+functions do.
+
+The queue multiplier substantially helps performance at higher
+speeds. On a direct SuperSpeed Plus link to a Linux laptop,
+iperf3 single TCP stream:
+
+Before (qmult=1): 1.3 Gbps
+After (qmult=5): 3.2 Gbps
+
+Fixes: 04617db7aa68 ("usb: gadget: add SS descriptors to Ethernet gadget")
+Reviewed-by: Maciej Żenczykowski <maze@google.com>
+Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/u_ether.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
+index fbe96ef1ac7a4..891e9f7f40d59 100644
+--- a/drivers/usb/gadget/function/u_ether.c
++++ b/drivers/usb/gadget/function/u_ether.c
+@@ -93,7 +93,7 @@ struct eth_dev {
+ static inline int qlen(struct usb_gadget *gadget, unsigned qmult)
+ {
+ if (gadget_is_dualspeed(gadget) && (gadget->speed == USB_SPEED_HIGH ||
+- gadget->speed == USB_SPEED_SUPER))
++ gadget->speed >= USB_SPEED_SUPER))
+ return qmult * DEFAULT_QLEN;
+ else
+ return DEFAULT_QLEN;
+--
+2.25.1
+
--- /dev/null
+From 8480a55d72150b2e3f2ff418d4551827e3718d1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Sep 2020 09:25:11 +1200
+Subject: usb: ohci: Default to per-port over-current protection
+
+From: Hamish Martin <hamish.martin@alliedtelesis.co.nz>
+
+[ Upstream commit b77d2a0a223bc139ee8904991b2922d215d02636 ]
+
+Some integrated OHCI controller hubs do not expose all ports of the hub
+to pins on the SoC. In some cases the unconnected ports generate
+spurious over-current events. For example the Broadcom 56060/Ranger 2 SoC
+contains a nominally 3 port hub but only the first port is wired.
+
+Default behaviour for ohci-platform driver is to use global over-current
+protection mode (AKA "ganged"). This leads to the spurious over-current
+events affecting all ports in the hub.
+
+We now alter the default to use per-port over-current protection.
+
+This patch results in the following configuration changes depending
+on quirks:
+- For quirk OHCI_QUIRK_SUPERIO no changes. These systems remain set up
+ for ganged power switching and no over-current protection.
+- For quirk OHCI_QUIRK_AMD756 or OHCI_QUIRK_HUB_POWER power switching
+ remains at none, while over-current protection is now guaranteed to be
+ set to per-port rather than the previous behaviour where it was either
+ none or global over-current protection depending on the value at
+ function entry.
+
+Suggested-by: Alan Stern <stern@rowland.harvard.edu>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Hamish Martin <hamish.martin@alliedtelesis.co.nz>
+Link: https://lore.kernel.org/r/20200910212512.16670-1-hamish.martin@alliedtelesis.co.nz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/ohci-hcd.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/usb/host/ohci-hcd.c b/drivers/usb/host/ohci-hcd.c
+index 4de91653a2c7b..5eb62240c7f87 100644
+--- a/drivers/usb/host/ohci-hcd.c
++++ b/drivers/usb/host/ohci-hcd.c
+@@ -673,20 +673,24 @@ static int ohci_run (struct ohci_hcd *ohci)
+
+ /* handle root hub init quirks ... */
+ val = roothub_a (ohci);
+- val &= ~(RH_A_PSM | RH_A_OCPM);
++ /* Configure for per-port over-current protection by default */
++ val &= ~RH_A_NOCP;
++ val |= RH_A_OCPM;
+ if (ohci->flags & OHCI_QUIRK_SUPERIO) {
+- /* NSC 87560 and maybe others */
++ /* NSC 87560 and maybe others.
++ * Ganged power switching, no over-current protection.
++ */
+ val |= RH_A_NOCP;
+- val &= ~(RH_A_POTPGT | RH_A_NPS);
+- ohci_writel (ohci, val, &ohci->regs->roothub.a);
++ val &= ~(RH_A_POTPGT | RH_A_NPS | RH_A_PSM | RH_A_OCPM);
+ } else if ((ohci->flags & OHCI_QUIRK_AMD756) ||
+ (ohci->flags & OHCI_QUIRK_HUB_POWER)) {
+ /* hub power always on; required for AMD-756 and some
+- * Mac platforms. ganged overcurrent reporting, if any.
++ * Mac platforms.
+ */
+ val |= RH_A_NPS;
+- ohci_writel (ohci, val, &ohci->regs->roothub.a);
+ }
++ ohci_writel(ohci, val, &ohci->regs->roothub.a);
++
+ ohci_writel (ohci, RH_HS_LPSC, &ohci->regs->roothub.status);
+ ohci_writel (ohci, (val & RH_A_NPS) ? 0 : RH_B_PPCM,
+ &ohci->regs->roothub.b);
+--
+2.25.1
+
--- /dev/null
+From c3518e8586eb85b6555ad319e1471ae2251bd052 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Oct 2020 17:35:58 +0800
+Subject: vfio iommu type1: Fix memory leak in vfio_iommu_type1_pin_pages
+
+From: Xiaoyang Xu <xuxiaoyang2@huawei.com>
+
+[ Upstream commit 2e6cfd496f5b57034cf2aec738799571b5a52124 ]
+
+pfn is not added to pfn_list when vfio_add_to_pfn_list fails.
+vfio_unpin_page_external will exit directly without calling
+vfio_iova_put_vfio_pfn. This will lead to a memory leak.
+
+Fixes: a54eb55045ae ("vfio iommu type1: Add support for mediated devices")
+Signed-off-by: Xiaoyang Xu <xuxiaoyang2@huawei.com>
+[aw: simplified logic, add Fixes]
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/vfio_iommu_type1.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
+index c6220f57fdf3e..3b31e83a92155 100644
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -631,7 +631,8 @@ static int vfio_iommu_type1_pin_pages(void *iommu_data,
+
+ ret = vfio_add_to_pfn_list(dma, iova, phys_pfn[i]);
+ if (ret) {
+- vfio_unpin_page_external(dma, iova, do_accounting);
++ if (put_pfn(phys_pfn[i], dma->prot) && do_accounting)
++ vfio_lock_acct(dma, -1, true);
+ goto pin_unwind;
+ }
+ }
+--
+2.25.1
+
--- /dev/null
+From eee6f797c066cc43852bc2312fc573ee0af37290 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Oct 2020 07:13:55 -0600
+Subject: vfio/pci: Clear token on bypass registration failure
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+[ Upstream commit 852b1beecb6ff9326f7ca4bc0fe69ae860ebdb9e ]
+
+The eventfd context is used as our irqbypass token, therefore if an
+eventfd is re-used, our token is the same. The irqbypass code will
+return an -EBUSY in this case, but we'll still attempt to unregister
+the producer, where if that duplicate token still exists, results in
+removing the wrong object. Clear the token of failed producers so
+that they harmlessly fall out when unregistered.
+
+Fixes: 6d7425f109d2 ("vfio: Register/unregister irq_bypass_producer")
+Reported-by: guomin chen <guomin_chen@sina.com>
+Tested-by: guomin chen <guomin_chen@sina.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/vfio_pci_intrs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c
+index 1d9fb25929459..869dce5f134dd 100644
+--- a/drivers/vfio/pci/vfio_pci_intrs.c
++++ b/drivers/vfio/pci/vfio_pci_intrs.c
+@@ -352,11 +352,13 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
+ vdev->ctx[vector].producer.token = trigger;
+ vdev->ctx[vector].producer.irq = irq;
+ ret = irq_bypass_register_producer(&vdev->ctx[vector].producer);
+- if (unlikely(ret))
++ if (unlikely(ret)) {
+ dev_info(&pdev->dev,
+ "irq bypass producer (token %p) registration fails: %d\n",
+ vdev->ctx[vector].producer.token, ret);
+
++ vdev->ctx[vector].producer.token = NULL;
++ }
+ vdev->ctx[vector].trigger = trigger;
+
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From aaf9c50f2de7b926d3ab34a0812b6aaf6bebc28a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Sep 2020 10:59:57 -0400
+Subject: vfio/pci: Decouple PCI_COMMAND_MEMORY bit checks from is_virtfn
+
+From: Matthew Rosato <mjrosato@linux.ibm.com>
+
+[ Upstream commit 515ecd5368f1510152fa4f9b9ce55b66ac56c334 ]
+
+While it is true that devices with is_virtfn=1 will have a Memory Space
+Enable bit that is hard-wired to 0, this is not the only case where we
+see this behavior -- For example some bare-metal hypervisors lack
+Memory Space Enable bit emulation for devices not setting is_virtfn
+(s390). Fix this by instead checking for the newly-added
+no_command_memory bit which directly denotes the need for
+PCI_COMMAND_MEMORY emulation in vfio.
+
+Fixes: abafbc551fdd ("vfio-pci: Invalidate mmaps and block MMIO access on disabled memory")
+Signed-off-by: Matthew Rosato <mjrosato@linux.ibm.com>
+Reviewed-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Reviewed-by: Pierre Morel <pmorel@linux.ibm.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/vfio_pci_config.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
+index 927b608461c82..bf32997c557ff 100644
+--- a/drivers/vfio/pci/vfio_pci_config.c
++++ b/drivers/vfio/pci/vfio_pci_config.c
+@@ -406,7 +406,7 @@ bool __vfio_pci_memory_enabled(struct vfio_pci_device *vdev)
+ * PF SR-IOV capability, there's therefore no need to trigger
+ * faults based on the virtual value.
+ */
+- return pdev->is_virtfn || (cmd & PCI_COMMAND_MEMORY);
++ return pdev->no_command_memory || (cmd & PCI_COMMAND_MEMORY);
+ }
+
+ /*
+@@ -518,8 +518,8 @@ static int vfio_basic_config_read(struct vfio_pci_device *vdev, int pos,
+
+ count = vfio_default_config_read(vdev, pos, count, perm, offset, val);
+
+- /* Mask in virtual memory enable for SR-IOV devices */
+- if (offset == PCI_COMMAND && vdev->pdev->is_virtfn) {
++ /* Mask in virtual memory enable */
++ if (offset == PCI_COMMAND && vdev->pdev->no_command_memory) {
+ u16 cmd = le16_to_cpu(*(__le16 *)&vdev->vconfig[PCI_COMMAND]);
+ u32 tmp_val = le32_to_cpu(*val);
+
+@@ -587,9 +587,11 @@ static int vfio_basic_config_write(struct vfio_pci_device *vdev, int pos,
+ * shows it disabled (phys_mem/io, then the device has
+ * undergone some kind of backdoor reset and needs to be
+ * restored before we allow it to enable the bars.
+- * SR-IOV devices will trigger this, but we catch them later
++ * SR-IOV devices will trigger this - for mem enable let's
++ * catch this now and for io enable it will be caught later
+ */
+- if ((new_mem && virt_mem && !phys_mem) ||
++ if ((new_mem && virt_mem && !phys_mem &&
++ !pdev->no_command_memory) ||
+ (new_io && virt_io && !phys_io) ||
+ vfio_need_bar_restore(vdev))
+ vfio_bar_restore(vdev);
+@@ -1732,12 +1734,14 @@ int vfio_config_init(struct vfio_pci_device *vdev)
+ vconfig[PCI_INTERRUPT_PIN]);
+
+ vconfig[PCI_INTERRUPT_PIN] = 0; /* Gratuitous for good VFs */
+-
++ }
++ if (pdev->no_command_memory) {
+ /*
+- * VFs do no implement the memory enable bit of the COMMAND
+- * register therefore we'll not have it set in our initial
+- * copy of config space after pci_enable_device(). For
+- * consistency with PFs, set the virtual enable bit here.
++ * VFs and devices that set pdev->no_command_memory do not
++ * implement the memory enable bit of the COMMAND register
++ * therefore we'll not have it set in our initial copy of
++ * config space after pci_enable_device(). For consistency
++ * with PFs, set the virtual enable bit here.
+ */
+ *(__le16 *)&vconfig[PCI_COMMAND] |=
+ cpu_to_le16(PCI_COMMAND_MEMORY);
+--
+2.25.1
+
--- /dev/null
+From b46a93d36a58f184fa261abe5f2eb0d82dffed13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Aug 2020 14:29:00 +0800
+Subject: video: fbdev: radeon: Fix memleak in radeonfb_pci_register
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit fe6c6a4af2be8c15bac77f7ea160f947c04840d1 ]
+
+When radeon_kick_out_firmware_fb() fails, info should be
+freed just like the subsequent error paths.
+
+Fixes: 069ee21a82344 ("fbdev: Fix loading of module radeonfb on PowerMac")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Mathieu Malaterre <malat@debian.org>
+Cc: Kangjie Lu <kjlu@umn.edu>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200825062900.11210-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/aty/radeon_base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/aty/radeon_base.c b/drivers/video/fbdev/aty/radeon_base.c
+index 4ca07866f2f66..5dda824d0da3f 100644
+--- a/drivers/video/fbdev/aty/radeon_base.c
++++ b/drivers/video/fbdev/aty/radeon_base.c
+@@ -2323,7 +2323,7 @@ static int radeonfb_pci_register(struct pci_dev *pdev,
+
+ ret = radeon_kick_out_firmware_fb(pdev);
+ if (ret)
+- return ret;
++ goto err_release_fb;
+
+ /* request the mem regions */
+ ret = pci_request_region(pdev, 0, "radeonfb framebuffer");
+--
+2.25.1
+
--- /dev/null
+From 6fcae34066a9ec28db79abe0947f2ed5a1b251df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Aug 2020 07:52:08 -0700
+Subject: video: fbdev: sis: fix null ptr dereference
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit ad6f93e9cd56f0b10e9b22e3e137d17a1a035242 ]
+
+Clang static analysis reports this representative error
+
+init.c:2501:18: warning: Array access (from variable 'queuedata') results
+ in a null pointer dereference
+ templ |= ((queuedata[i] & 0xc0) << 3);
+
+This is the problem block of code
+
+ if(ModeNo > 0x13) {
+ ...
+ if(SiS_Pr->ChipType == SIS_730) {
+ queuedata = &FQBQData730[0];
+ } else {
+ queuedata = &FQBQData[0];
+ }
+ } else {
+
+ }
+
+queuedata is not set in the else block
+
+Reviewing the old code, the arrays FQBQData730 and FQBQData were
+used directly.
+
+So hoist the setting of queuedata out of the if-else block.
+
+Fixes: 544393fe584d ("[PATCH] sisfb update")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Cc: Thomas Winischhofer <thomas@winischhofer.net>
+Cc: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200805145208.17727-1-trix@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/sis/init.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/video/fbdev/sis/init.c b/drivers/video/fbdev/sis/init.c
+index dfe3eb769638b..fde27feae5d0c 100644
+--- a/drivers/video/fbdev/sis/init.c
++++ b/drivers/video/fbdev/sis/init.c
+@@ -2428,6 +2428,11 @@ SiS_SetCRT1FIFO_630(struct SiS_Private *SiS_Pr, unsigned short ModeNo,
+
+ i = 0;
+
++ if (SiS_Pr->ChipType == SIS_730)
++ queuedata = &FQBQData730[0];
++ else
++ queuedata = &FQBQData[0];
++
+ if(ModeNo > 0x13) {
+
+ /* Get VCLK */
+@@ -2445,12 +2450,6 @@ SiS_SetCRT1FIFO_630(struct SiS_Private *SiS_Pr, unsigned short ModeNo,
+ /* Get half colordepth */
+ colorth = colortharray[(SiS_Pr->SiS_ModeType - ModeEGA)];
+
+- if(SiS_Pr->ChipType == SIS_730) {
+- queuedata = &FQBQData730[0];
+- } else {
+- queuedata = &FQBQData[0];
+- }
+-
+ do {
+ templ = SiS_CalcDelay2(SiS_Pr, queuedata[i]) * VCLK * colorth;
+
+--
+2.25.1
+
--- /dev/null
+From 96e6970275651af69c297b390da5e944a8fb132c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jul 2020 18:02:27 +0100
+Subject: video: fbdev: vga16fb: fix setting of pixclock because a
+ pass-by-value error
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit c72fab81ceaa54408b827a2f0486d9a0f4be34cf ]
+
+The pixclock is being set locally because it is being passed as a
+pass-by-value argument rather than pass-by-reference, so the computed
+pixclock is never being set in var->pixclock. Fix this by passing
+by reference.
+
+[This dates back to 2002, I found the offending commit from the git
+history git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git ]
+
+Addresses-Coverity: ("Unused value")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Jani Nikula <jani.nikula@intel.com>
+[b.zolnierkie: minor patch summary fixup]
+[b.zolnierkie: removed "Fixes:" tag (not in upstream tree)]
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200723170227.996229-1-colin.king@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/vga16fb.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/video/fbdev/vga16fb.c b/drivers/video/fbdev/vga16fb.c
+index 4b83109202b1c..3c4d20618de4c 100644
+--- a/drivers/video/fbdev/vga16fb.c
++++ b/drivers/video/fbdev/vga16fb.c
+@@ -243,7 +243,7 @@ static void vga16fb_update_fix(struct fb_info *info)
+ }
+
+ static void vga16fb_clock_chip(struct vga16fb_par *par,
+- unsigned int pixclock,
++ unsigned int *pixclock,
+ const struct fb_info *info,
+ int mul, int div)
+ {
+@@ -259,14 +259,14 @@ static void vga16fb_clock_chip(struct vga16fb_par *par,
+ { 0 /* bad */, 0x00, 0x00}};
+ int err;
+
+- pixclock = (pixclock * mul) / div;
++ *pixclock = (*pixclock * mul) / div;
+ best = vgaclocks;
+- err = pixclock - best->pixclock;
++ err = *pixclock - best->pixclock;
+ if (err < 0) err = -err;
+ for (ptr = vgaclocks + 1; ptr->pixclock; ptr++) {
+ int tmp;
+
+- tmp = pixclock - ptr->pixclock;
++ tmp = *pixclock - ptr->pixclock;
+ if (tmp < 0) tmp = -tmp;
+ if (tmp < err) {
+ err = tmp;
+@@ -275,7 +275,7 @@ static void vga16fb_clock_chip(struct vga16fb_par *par,
+ }
+ par->misc |= best->misc;
+ par->clkdiv = best->seq_clock_mode;
+- pixclock = (best->pixclock * div) / mul;
++ *pixclock = (best->pixclock * div) / mul;
+ }
+
+ #define FAIL(X) return -EINVAL
+@@ -497,10 +497,10 @@ static int vga16fb_check_var(struct fb_var_screeninfo *var,
+
+ if (mode & MODE_8BPP)
+ /* pixel clock == vga clock / 2 */
+- vga16fb_clock_chip(par, var->pixclock, info, 1, 2);
++ vga16fb_clock_chip(par, &var->pixclock, info, 1, 2);
+ else
+ /* pixel clock == vga clock */
+- vga16fb_clock_chip(par, var->pixclock, info, 1, 1);
++ vga16fb_clock_chip(par, &var->pixclock, info, 1, 1);
+
+ var->red.offset = var->green.offset = var->blue.offset =
+ var->transp.offset = 0;
+--
+2.25.1
+
--- /dev/null
+From 571b365b43adec8bb0e210841ef6461e9718334e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Aug 2020 17:45:18 +0100
+Subject: VMCI: check return value of get_user_pages_fast() for errors
+
+From: Alex Dewar <alex.dewar90@gmail.com>
+
+[ Upstream commit 90ca6333fd65f318c47bff425e1ea36c0a5539f6 ]
+
+In a couple of places in qp_host_get_user_memory(),
+get_user_pages_fast() is called without properly checking for errors. If
+e.g. -EFAULT is returned, this negative value will then be passed on to
+qp_release_pages(), which expects a u64 as input.
+
+Fix this by only calling qp_release_pages() when we have a positive
+number returned.
+
+Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.")
+Signed-off-by: Alex Dewar <alex.dewar90@gmail.com>
+Link: https://lore.kernel.org/r/20200825164522.412392-1-alex.dewar90@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/vmw_vmci/vmci_queue_pair.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/misc/vmw_vmci/vmci_queue_pair.c b/drivers/misc/vmw_vmci/vmci_queue_pair.c
+index 8531ae7811956..c49065887e8f5 100644
+--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c
++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c
+@@ -657,8 +657,9 @@ static int qp_host_get_user_memory(u64 produce_uva,
+ if (retval < (int)produce_q->kernel_if->num_pages) {
+ pr_debug("get_user_pages_fast(produce) failed (retval=%d)",
+ retval);
+- qp_release_pages(produce_q->kernel_if->u.h.header_page,
+- retval, false);
++ if (retval > 0)
++ qp_release_pages(produce_q->kernel_if->u.h.header_page,
++ retval, false);
+ err = VMCI_ERROR_NO_MEM;
+ goto out;
+ }
+@@ -670,8 +671,9 @@ static int qp_host_get_user_memory(u64 produce_uva,
+ if (retval < (int)consume_q->kernel_if->num_pages) {
+ pr_debug("get_user_pages_fast(consume) failed (retval=%d)",
+ retval);
+- qp_release_pages(consume_q->kernel_if->u.h.header_page,
+- retval, false);
++ if (retval > 0)
++ qp_release_pages(consume_q->kernel_if->u.h.header_page,
++ retval, false);
+ qp_release_pages(produce_q->kernel_if->u.h.header_page,
+ produce_q->kernel_if->num_pages, false);
+ err = VMCI_ERROR_NO_MEM;
+--
+2.25.1
+
--- /dev/null
+From c5b298e357f0aac5f8ea77704c3dbb91dcfec82e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Aug 2020 10:40:01 +0800
+Subject: watchdog: Fix memleak in watchdog_cdev_register
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 5afb6d203d0293512aa2c6ae098274a2a4f6ed02 ]
+
+When watchdog_kworker is NULL, we should free wd_data
+before the function returns to prevent memleak.
+
+Fixes: 664a39236e718 ("watchdog: Introduce hardware maximum heartbeat in watchdog core")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20200824024001.25474-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/watchdog_dev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c
+index 3729f99fd8eca..694357f2816b3 100644
+--- a/drivers/watchdog/watchdog_dev.c
++++ b/drivers/watchdog/watchdog_dev.c
+@@ -971,8 +971,10 @@ static int watchdog_cdev_register(struct watchdog_device *wdd)
+ wd_data->wdd = wdd;
+ wdd->wd_data = wd_data;
+
+- if (IS_ERR_OR_NULL(watchdog_kworker))
++ if (IS_ERR_OR_NULL(watchdog_kworker)) {
++ kfree(wd_data);
+ return -ENODEV;
++ }
+
+ device_initialize(&wd_data->dev);
+ wd_data->dev.devt = MKDEV(MAJOR(watchdog_devt), wdd->id);
+--
+2.25.1
+
--- /dev/null
+From b67978acde52b366e4606433b3d19cca23ff0907 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Sep 2020 09:31:08 -0700
+Subject: watchdog: sp5100: Fix definition of EFCH_PM_DECODEEN3
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 08c619b4923056b5dd2d5045757468c76ad0e3fe ]
+
+EFCH_PM_DECODEEN3 is supposed to access DECODEEN register bits 24..31,
+in other words the register at byte offset 3.
+
+Cc: Jan Kiszka <jan.kiszka@siemens.com>
+Fixes: 887d2ec51e34b ("watchdog: sp5100_tco: Add support for recent FCH versions")
+Tested-by: Jan Kiszka <jan.kiszka@siemens.com>
+Link: https://lore.kernel.org/r/20200910163109.235136-1-linux@roeck-us.net
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/sp5100_tco.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/watchdog/sp5100_tco.h b/drivers/watchdog/sp5100_tco.h
+index 87eaf357ae01f..adf015aa4126f 100644
+--- a/drivers/watchdog/sp5100_tco.h
++++ b/drivers/watchdog/sp5100_tco.h
+@@ -70,7 +70,7 @@
+ #define EFCH_PM_DECODEEN_WDT_TMREN BIT(7)
+
+
+-#define EFCH_PM_DECODEEN3 0x00
++#define EFCH_PM_DECODEEN3 0x03
+ #define EFCH_PM_DECODEEN_SECOND_RES GENMASK(1, 0)
+ #define EFCH_PM_WATCHDOG_DISABLE ((u8)GENMASK(3, 2))
+
+--
+2.25.1
+
--- /dev/null
+From 1d5a4ef5f53b988d84cc8e205f9630706f8bc51d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Aug 2020 11:12:30 +0800
+Subject: watchdog: Use put_device on error
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 937425d4cd3ae4e2882b41e332bbbab616bcf0ad ]
+
+We should use put_device() instead of freeing device
+directly after device_initialize().
+
+Fixes: cb36e29bb0e4b ("watchdog: initialize device before misc_register")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20200824031230.31050-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/watchdog_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c
+index 694357f2816b3..8494846ccdc5f 100644
+--- a/drivers/watchdog/watchdog_dev.c
++++ b/drivers/watchdog/watchdog_dev.c
+@@ -1000,7 +1000,7 @@ static int watchdog_cdev_register(struct watchdog_device *wdd)
+ pr_err("%s: a legacy watchdog module is probably present.\n",
+ wdd->info->identity);
+ old_wd_data = NULL;
+- kfree(wd_data);
++ put_device(&wd_data->dev);
+ return err;
+ }
+ }
+--
+2.25.1
+
--- /dev/null
+From 7d52a94f4dad8d4c5060bbdc5815c4fbf97df73c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 01:48:24 +0100
+Subject: wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+[ Upstream commit 3b9fb6791e7113679b1eb472e6ce1659e80f5797 ]
+
+Qualcomm's document "80-WL007-1 Rev. J" states that the highest rx rate for
+the WCN3660 and WCN3680 on MCS 7 is 150 Mbps not the 72 Mbps stated here.
+
+This patch fixes the data-rate declared in the 5GHz table.
+
+Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680
+hardware")
+
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200802004824.1307124-1-bryan.odonoghue@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/wcn36xx/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c
+index ad051f34e65b2..46ae4ec4ad47d 100644
+--- a/drivers/net/wireless/ath/wcn36xx/main.c
++++ b/drivers/net/wireless/ath/wcn36xx/main.c
+@@ -163,7 +163,7 @@ static struct ieee80211_supported_band wcn_band_5ghz = {
+ .ampdu_density = IEEE80211_HT_MPDU_DENSITY_16,
+ .mcs = {
+ .rx_mask = { 0xff, 0, 0, 0, 0, 0, 0, 0, 0, 0, },
+- .rx_highest = cpu_to_le16(72),
++ .rx_highest = cpu_to_le16(150),
+ .tx_params = IEEE80211_HT_MCS_TX_DEFINED,
+ }
+ }
+--
+2.25.1
+
--- /dev/null
+From 61bf9ed1739f9774e2d9ded482d4196a44d49447 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 19:21:52 -0400
+Subject: x86/asm: Replace __force_order with a memory clobber
+
+From: Arvind Sankar <nivedita@alum.mit.edu>
+
+[ Upstream commit aa5cacdc29d76a005cbbee018a47faa6e724dd2d ]
+
+The CRn accessor functions use __force_order as a dummy operand to
+prevent the compiler from reordering CRn reads/writes with respect to
+each other.
+
+The fact that the asm is volatile should be enough to prevent this:
+volatile asm statements should be executed in program order. However GCC
+4.9.x and 5.x have a bug that might result in reordering. This was fixed
+in 8.1, 7.3 and 6.5. Versions prior to these, including 5.x and 4.9.x,
+may reorder volatile asm statements with respect to each other.
+
+There are some issues with __force_order as implemented:
+- It is used only as an input operand for the write functions, and hence
+ doesn't do anything additional to prevent reordering writes.
+- It allows memory accesses to be cached/reordered across write
+ functions, but CRn writes affect the semantics of memory accesses, so
+ this could be dangerous.
+- __force_order is not actually defined in the kernel proper, but the
+ LLVM toolchain can in some cases require a definition: LLVM (as well
+ as GCC 4.9) requires it for PIE code, which is why the compressed
+ kernel has a definition, but also the clang integrated assembler may
+ consider the address of __force_order to be significant, resulting in
+ a reference that requires a definition.
+
+Fix this by:
+- Using a memory clobber for the write functions to additionally prevent
+ caching/reordering memory accesses across CRn writes.
+- Using a dummy input operand with an arbitrary constant address for the
+ read functions, instead of a global variable. This will prevent reads
+ from being reordered across writes, while allowing memory loads to be
+ cached/reordered across CRn reads, which should be safe.
+
+Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
+Tested-by: Nathan Chancellor <natechancellor@gmail.com>
+Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82602
+Link: https://lore.kernel.org/lkml/20200527135329.1172644-1-arnd@arndb.de/
+Link: https://lkml.kernel.org/r/20200902232152.3709896-1-nivedita@alum.mit.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/boot/compressed/pgtable_64.c | 9 ---------
+ arch/x86/include/asm/special_insns.h | 28 ++++++++++++++-------------
+ arch/x86/kernel/cpu/common.c | 4 ++--
+ 3 files changed, 17 insertions(+), 24 deletions(-)
+
+diff --git a/arch/x86/boot/compressed/pgtable_64.c b/arch/x86/boot/compressed/pgtable_64.c
+index c8862696a47b9..7d0394f4ebf97 100644
+--- a/arch/x86/boot/compressed/pgtable_64.c
++++ b/arch/x86/boot/compressed/pgtable_64.c
+@@ -5,15 +5,6 @@
+ #include "pgtable.h"
+ #include "../string.h"
+
+-/*
+- * __force_order is used by special_insns.h asm code to force instruction
+- * serialization.
+- *
+- * It is not referenced from the code, but GCC < 5 with -fPIE would fail
+- * due to an undefined symbol. Define it to make these ancient GCCs work.
+- */
+-unsigned long __force_order;
+-
+ #define BIOS_START_MIN 0x20000U /* 128K, less than this is insane */
+ #define BIOS_START_MAX 0x9f000U /* 640K, absolute maximum */
+
+diff --git a/arch/x86/include/asm/special_insns.h b/arch/x86/include/asm/special_insns.h
+index 6d37b8fcfc778..2e0cdc64cb50d 100644
+--- a/arch/x86/include/asm/special_insns.h
++++ b/arch/x86/include/asm/special_insns.h
+@@ -10,45 +10,47 @@
+ #include <linux/jump_label.h>
+
+ /*
+- * Volatile isn't enough to prevent the compiler from reordering the
+- * read/write functions for the control registers and messing everything up.
+- * A memory clobber would solve the problem, but would prevent reordering of
+- * all loads stores around it, which can hurt performance. Solution is to
+- * use a variable and mimic reads and writes to it to enforce serialization
++ * The compiler should not reorder volatile asm statements with respect to each
++ * other: they should execute in program order. However GCC 4.9.x and 5.x have
++ * a bug (which was fixed in 8.1, 7.3 and 6.5) where they might reorder
++ * volatile asm. The write functions are not affected since they have memory
++ * clobbers preventing reordering. To prevent reads from being reordered with
++ * respect to writes, use a dummy memory operand.
+ */
+-extern unsigned long __force_order;
++
++#define __FORCE_ORDER "m"(*(unsigned int *)0x1000UL)
+
+ void native_write_cr0(unsigned long val);
+
+ static inline unsigned long native_read_cr0(void)
+ {
+ unsigned long val;
+- asm volatile("mov %%cr0,%0\n\t" : "=r" (val), "=m" (__force_order));
++ asm volatile("mov %%cr0,%0\n\t" : "=r" (val) : __FORCE_ORDER);
+ return val;
+ }
+
+ static inline unsigned long native_read_cr2(void)
+ {
+ unsigned long val;
+- asm volatile("mov %%cr2,%0\n\t" : "=r" (val), "=m" (__force_order));
++ asm volatile("mov %%cr2,%0\n\t" : "=r" (val) : __FORCE_ORDER);
+ return val;
+ }
+
+ static inline void native_write_cr2(unsigned long val)
+ {
+- asm volatile("mov %0,%%cr2": : "r" (val), "m" (__force_order));
++ asm volatile("mov %0,%%cr2": : "r" (val) : "memory");
+ }
+
+ static inline unsigned long __native_read_cr3(void)
+ {
+ unsigned long val;
+- asm volatile("mov %%cr3,%0\n\t" : "=r" (val), "=m" (__force_order));
++ asm volatile("mov %%cr3,%0\n\t" : "=r" (val) : __FORCE_ORDER);
+ return val;
+ }
+
+ static inline void native_write_cr3(unsigned long val)
+ {
+- asm volatile("mov %0,%%cr3": : "r" (val), "m" (__force_order));
++ asm volatile("mov %0,%%cr3": : "r" (val) : "memory");
+ }
+
+ static inline unsigned long native_read_cr4(void)
+@@ -63,10 +65,10 @@ static inline unsigned long native_read_cr4(void)
+ asm volatile("1: mov %%cr4, %0\n"
+ "2:\n"
+ _ASM_EXTABLE(1b, 2b)
+- : "=r" (val), "=m" (__force_order) : "0" (0));
++ : "=r" (val) : "0" (0), __FORCE_ORDER);
+ #else
+ /* CR4 always exists on x86_64. */
+- asm volatile("mov %%cr4,%0\n\t" : "=r" (val), "=m" (__force_order));
++ asm volatile("mov %%cr4,%0\n\t" : "=r" (val) : __FORCE_ORDER);
+ #endif
+ return val;
+ }
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 9b3f25e146087..8a85c2e144a6f 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -377,7 +377,7 @@ void native_write_cr0(unsigned long val)
+ unsigned long bits_missing = 0;
+
+ set_register:
+- asm volatile("mov %0,%%cr0": "+r" (val), "+m" (__force_order));
++ asm volatile("mov %0,%%cr0": "+r" (val) : : "memory");
+
+ if (static_branch_likely(&cr_pinning)) {
+ if (unlikely((val & X86_CR0_WP) != X86_CR0_WP)) {
+@@ -396,7 +396,7 @@ void native_write_cr4(unsigned long val)
+ unsigned long bits_changed = 0;
+
+ set_register:
+- asm volatile("mov %0,%%cr4": "+r" (val), "+m" (cr4_pinned_bits));
++ asm volatile("mov %0,%%cr4": "+r" (val) : : "memory");
+
+ if (static_branch_likely(&cr_pinning)) {
+ if (unlikely((val & cr4_pinned_mask) != cr4_pinned_bits)) {
+--
+2.25.1
+
--- /dev/null
+From 16432f693895d9b560e5845c5a77db342673da16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Oct 2020 12:39:00 +0100
+Subject: x86/events/amd/iommu: Fix sizeof mismatch
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 59d5396a4666195f89a67e118e9e627ddd6f53a1 ]
+
+An incorrect sizeof is being used, struct attribute ** is not correct,
+it should be struct attribute *. Note that since ** is the same size as
+* this is not causing any issues. Improve this fix by using sizeof(*attrs)
+as this allows us to not even reference the type of the pointer.
+
+Addresses-Coverity: ("Sizeof not portable (SIZEOF_MISMATCH)")
+Fixes: 51686546304f ("x86/events/amd/iommu: Fix sysfs perf attribute groups")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20201001113900.58889-1-colin.king@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/amd/iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/events/amd/iommu.c b/arch/x86/events/amd/iommu.c
+index fb616203ce427..be50ef8572cce 100644
+--- a/arch/x86/events/amd/iommu.c
++++ b/arch/x86/events/amd/iommu.c
+@@ -379,7 +379,7 @@ static __init int _init_events_attrs(void)
+ while (amd_iommu_v2_event_descs[i].attr.attr.name)
+ i++;
+
+- attrs = kcalloc(i + 1, sizeof(struct attribute **), GFP_KERNEL);
++ attrs = kcalloc(i + 1, sizeof(*attrs), GFP_KERNEL);
+ if (!attrs)
+ return -ENOMEM;
+
+--
+2.25.1
+
--- /dev/null
+From ffa20b99eacac8c248d1ea4082d96b01b6be701b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Sep 2020 17:39:19 -0400
+Subject: x86/fpu: Allow multiple bits in clearcpuid= parameter
+
+From: Arvind Sankar <nivedita@alum.mit.edu>
+
+[ Upstream commit 0a4bb5e5507a585532cc413125b921c8546fc39f ]
+
+Commit
+
+ 0c2a3913d6f5 ("x86/fpu: Parse clearcpuid= as early XSAVE argument")
+
+changed clearcpuid parsing from __setup() to cmdline_find_option().
+While the __setup() function would have been called for each clearcpuid=
+parameter on the command line, cmdline_find_option() will only return
+the last one, so the change effectively made it impossible to disable
+more than one bit.
+
+Allow a comma-separated list of bit numbers as the argument for
+clearcpuid to allow multiple bits to be disabled again. Log the bits
+being disabled for informational purposes.
+
+Also fix the check on the return value of cmdline_find_option(). It
+returns -1 when the option is not found, so testing as a boolean is
+incorrect.
+
+Fixes: 0c2a3913d6f5 ("x86/fpu: Parse clearcpuid= as early XSAVE argument")
+Signed-off-by: Arvind Sankar <nivedita@alum.mit.edu>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20200907213919.2423441-1-nivedita@alum.mit.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../admin-guide/kernel-parameters.txt | 2 +-
+ arch/x86/kernel/fpu/init.c | 30 ++++++++++++++-----
+ 2 files changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index 13984b6cc3225..988a0d2535b25 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -567,7 +567,7 @@
+ loops can be debugged more effectively on production
+ systems.
+
+- clearcpuid=BITNUM [X86]
++ clearcpuid=BITNUM[,BITNUM...] [X86]
+ Disable CPUID feature X for the kernel. See
+ arch/x86/include/asm/cpufeatures.h for the valid bit
+ numbers. Note the Linux specific bits are not necessarily
+diff --git a/arch/x86/kernel/fpu/init.c b/arch/x86/kernel/fpu/init.c
+index 6ce7e0a23268f..b271da0fa2193 100644
+--- a/arch/x86/kernel/fpu/init.c
++++ b/arch/x86/kernel/fpu/init.c
+@@ -242,9 +242,9 @@ static void __init fpu__init_system_ctx_switch(void)
+ */
+ static void __init fpu__init_parse_early_param(void)
+ {
+- char arg[32];
++ char arg[128];
+ char *argptr = arg;
+- int bit;
++ int arglen, res, bit;
+
+ #ifdef CONFIG_X86_32
+ if (cmdline_find_option_bool(boot_command_line, "no387"))
+@@ -267,12 +267,26 @@ static void __init fpu__init_parse_early_param(void)
+ if (cmdline_find_option_bool(boot_command_line, "noxsaves"))
+ setup_clear_cpu_cap(X86_FEATURE_XSAVES);
+
+- if (cmdline_find_option(boot_command_line, "clearcpuid", arg,
+- sizeof(arg)) &&
+- get_option(&argptr, &bit) &&
+- bit >= 0 &&
+- bit < NCAPINTS * 32)
+- setup_clear_cpu_cap(bit);
++ arglen = cmdline_find_option(boot_command_line, "clearcpuid", arg, sizeof(arg));
++ if (arglen <= 0)
++ return;
++
++ pr_info("Clearing CPUID bits:");
++ do {
++ res = get_option(&argptr, &bit);
++ if (res == 0 || res == 3)
++ break;
++
++ /* If the argument was too long, the last bit may be cut off */
++ if (res == 1 && arglen >= sizeof(arg))
++ break;
++
++ if (bit >= 0 && bit < NCAPINTS * 32) {
++ pr_cont(" " X86_CAP_FMT, x86_cap_flag(bit));
++ setup_clear_cpu_cap(bit);
++ }
++ } while (res == 2);
++ pr_cont("\n");
+ }
+
+ /*
+--
+2.25.1
+
--- /dev/null
+From 9bb7a592a1d5e5cc89d0a702d4c0e8b024ff8921 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Sep 2020 19:13:12 -0700
+Subject: x86/mce: Add Skylake quirk for patrol scrub reported errors
+
+From: Borislav Petkov <bp@suse.de>
+
+[ Upstream commit fd258dc4442c5c1c069c6b5b42bfe7d10cddda95 ]
+
+The patrol scrubber in Skylake and Cascade Lake systems can be configured
+to report uncorrected errors using a special signature in the machine
+check bank and to signal using CMCI instead of machine check.
+
+Update the severity calculation mechanism to allow specifying the model,
+minimum stepping and range of machine check bank numbers.
+
+Add a new rule to detect the special signature (on model 0x55, stepping
+>=4 in any of the memory controller banks).
+
+ [ bp: Rewrite it.
+ aegl: Productize it. ]
+
+Suggested-by: Youquan Song <youquan.song@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Co-developed-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20200930021313.31810-2-tony.luck@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mce/severity.c | 28 ++++++++++++++++++++++++++--
+ 1 file changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/mce/severity.c b/arch/x86/kernel/cpu/mce/severity.c
+index 87bcdc6dc2f0c..0d09eb13743b4 100644
+--- a/arch/x86/kernel/cpu/mce/severity.c
++++ b/arch/x86/kernel/cpu/mce/severity.c
+@@ -9,9 +9,11 @@
+ #include <linux/seq_file.h>
+ #include <linux/init.h>
+ #include <linux/debugfs.h>
+-#include <asm/mce.h>
+ #include <linux/uaccess.h>
+
++#include <asm/mce.h>
++#include <asm/intel-family.h>
++
+ #include "internal.h"
+
+ /*
+@@ -40,9 +42,14 @@ static struct severity {
+ unsigned char context;
+ unsigned char excp;
+ unsigned char covered;
++ unsigned char cpu_model;
++ unsigned char cpu_minstepping;
++ unsigned char bank_lo, bank_hi;
+ char *msg;
+ } severities[] = {
+ #define MCESEV(s, m, c...) { .sev = MCE_ ## s ## _SEVERITY, .msg = m, ## c }
++#define BANK_RANGE(l, h) .bank_lo = l, .bank_hi = h
++#define MODEL_STEPPING(m, s) .cpu_model = m, .cpu_minstepping = s
+ #define KERNEL .context = IN_KERNEL
+ #define USER .context = IN_USER
+ #define KERNEL_RECOV .context = IN_KERNEL_RECOV
+@@ -97,7 +104,6 @@ static struct severity {
+ KEEP, "Corrected error",
+ NOSER, BITCLR(MCI_STATUS_UC)
+ ),
+-
+ /*
+ * known AO MCACODs reported via MCE or CMC:
+ *
+@@ -113,6 +119,18 @@ static struct severity {
+ AO, "Action optional: last level cache writeback error",
+ SER, MASK(MCI_UC_AR|MCACOD, MCI_STATUS_UC|MCACOD_L3WB)
+ ),
++ /*
++ * Quirk for Skylake/Cascade Lake. Patrol scrubber may be configured
++ * to report uncorrected errors using CMCI with a special signature.
++ * UC=0, MSCOD=0x0010, MCACOD=binary(000X 0000 1100 XXXX) reported
++ * in one of the memory controller banks.
++ * Set severity to "AO" for same action as normal patrol scrub error.
++ */
++ MCESEV(
++ AO, "Uncorrected Patrol Scrub Error",
++ SER, MASK(MCI_STATUS_UC|MCI_ADDR|0xffffeff0, MCI_ADDR|0x001000c0),
++ MODEL_STEPPING(INTEL_FAM6_SKYLAKE_X, 4), BANK_RANGE(13, 18)
++ ),
+
+ /* ignore OVER for UCNA */
+ MCESEV(
+@@ -320,6 +338,12 @@ static int mce_severity_intel(struct mce *m, int tolerant, char **msg, bool is_e
+ continue;
+ if (s->excp && excp != s->excp)
+ continue;
++ if (s->cpu_model && boot_cpu_data.x86_model != s->cpu_model)
++ continue;
++ if (s->cpu_minstepping && boot_cpu_data.x86_stepping < s->cpu_minstepping)
++ continue;
++ if (s->bank_lo && (m->bank < s->bank_lo || m->bank > s->bank_hi))
++ continue;
+ if (msg)
+ *msg = s->msg;
+ s->covered = 1;
+--
+2.25.1
+
--- /dev/null
+From 600f1137dcb7d8288e88ca003b9c04a838e879e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Sep 2020 23:02:52 +0200
+Subject: x86/mce: Make mce_rdmsrl() panic on an inaccessible MSR
+
+From: Borislav Petkov <bp@suse.de>
+
+[ Upstream commit e2def7d49d0812ea40a224161b2001b2e815dce2 ]
+
+If an exception needs to be handled while reading an MSR - which is in
+most of the cases caused by a #GP on a non-existent MSR - then this
+is most likely the incarnation of a BIOS or a hardware bug. Such bug
+violates the architectural guarantee that MCA banks are present with all
+MSRs belonging to them.
+
+The proper fix belongs in the hardware/firmware - not in the kernel.
+
+Handling an #MC exception which is raised while an NMI is being handled
+would cause the nasty NMI nesting issue because of the shortcoming of
+IRET of reenabling NMIs when executed. And the machine is in an #MC
+context already so <Deity> be at its side.
+
+Tracing MSR accesses while in #MC is another no-no due to tracing being
+inherently a bad idea in atomic context:
+
+ vmlinux.o: warning: objtool: do_machine_check()+0x4a: call to mce_rdmsrl() leaves .noinstr.text section
+
+so remove all that "additional" functionality from mce_rdmsrl() and
+provide it with a special exception handler which panics the machine
+when that MSR is not accessible.
+
+The exception handler prints a human-readable message explaining what
+the panic reason is but, what is more, it panics while in the #GP
+handler and latter won't have executed an IRET, thus opening the NMI
+nesting issue in the case when the #MC has happened while handling
+an NMI. (#MC itself won't be reenabled until MCG_STATUS hasn't been
+cleared).
+
+Suggested-by: Andy Lutomirski <luto@kernel.org>
+Suggested-by: Peter Zijlstra <peterz@infradead.org>
+[ Add missing prototypes for ex_handler_* ]
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Link: https://lkml.kernel.org/r/20200906212130.GA28456@zn.tnic
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mce/core.c | 72 +++++++++++++++++++++++++-----
+ arch/x86/kernel/cpu/mce/internal.h | 10 +++++
+ 2 files changed, 70 insertions(+), 12 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c
+index fd76e3733dd3d..92331de16d70e 100644
+--- a/arch/x86/kernel/cpu/mce/core.c
++++ b/arch/x86/kernel/cpu/mce/core.c
+@@ -388,10 +388,28 @@ static int msr_to_offset(u32 msr)
+ return -1;
+ }
+
++__visible bool ex_handler_rdmsr_fault(const struct exception_table_entry *fixup,
++ struct pt_regs *regs, int trapnr,
++ unsigned long error_code,
++ unsigned long fault_addr)
++{
++ pr_emerg("MSR access error: RDMSR from 0x%x at rIP: 0x%lx (%pS)\n",
++ (unsigned int)regs->cx, regs->ip, (void *)regs->ip);
++
++ show_stack_regs(regs);
++
++ panic("MCA architectural violation!\n");
++
++ while (true)
++ cpu_relax();
++
++ return true;
++}
++
+ /* MSR access wrappers used for error injection */
+ static u64 mce_rdmsrl(u32 msr)
+ {
+- u64 v;
++ DECLARE_ARGS(val, low, high);
+
+ if (__this_cpu_read(injectm.finished)) {
+ int offset = msr_to_offset(msr);
+@@ -401,21 +419,43 @@ static u64 mce_rdmsrl(u32 msr)
+ return *(u64 *)((char *)this_cpu_ptr(&injectm) + offset);
+ }
+
+- if (rdmsrl_safe(msr, &v)) {
+- WARN_ONCE(1, "mce: Unable to read MSR 0x%x!\n", msr);
+- /*
+- * Return zero in case the access faulted. This should
+- * not happen normally but can happen if the CPU does
+- * something weird, or if the code is buggy.
+- */
+- v = 0;
+- }
++ /*
++ * RDMSR on MCA MSRs should not fault. If they do, this is very much an
++ * architectural violation and needs to be reported to hw vendor. Panic
++ * the box to not allow any further progress.
++ */
++ asm volatile("1: rdmsr\n"
++ "2:\n"
++ _ASM_EXTABLE_HANDLE(1b, 2b, ex_handler_rdmsr_fault)
++ : EAX_EDX_RET(val, low, high) : "c" (msr));
+
+- return v;
++
++ return EAX_EDX_VAL(val, low, high);
++}
++
++__visible bool ex_handler_wrmsr_fault(const struct exception_table_entry *fixup,
++ struct pt_regs *regs, int trapnr,
++ unsigned long error_code,
++ unsigned long fault_addr)
++{
++ pr_emerg("MSR access error: WRMSR to 0x%x (tried to write 0x%08x%08x) at rIP: 0x%lx (%pS)\n",
++ (unsigned int)regs->cx, (unsigned int)regs->dx, (unsigned int)regs->ax,
++ regs->ip, (void *)regs->ip);
++
++ show_stack_regs(regs);
++
++ panic("MCA architectural violation!\n");
++
++ while (true)
++ cpu_relax();
++
++ return true;
+ }
+
+ static void mce_wrmsrl(u32 msr, u64 v)
+ {
++ u32 low, high;
++
+ if (__this_cpu_read(injectm.finished)) {
+ int offset = msr_to_offset(msr);
+
+@@ -423,7 +463,15 @@ static void mce_wrmsrl(u32 msr, u64 v)
+ *(u64 *)((char *)this_cpu_ptr(&injectm) + offset) = v;
+ return;
+ }
+- wrmsrl(msr, v);
++
++ low = (u32)v;
++ high = (u32)(v >> 32);
++
++ /* See comment in mce_rdmsrl() */
++ asm volatile("1: wrmsr\n"
++ "2:\n"
++ _ASM_EXTABLE_HANDLE(1b, 2b, ex_handler_wrmsr_fault)
++ : : "c" (msr), "a"(low), "d" (high) : "memory");
+ }
+
+ /*
+diff --git a/arch/x86/kernel/cpu/mce/internal.h b/arch/x86/kernel/cpu/mce/internal.h
+index 43031db429d24..231954fe5b4e6 100644
+--- a/arch/x86/kernel/cpu/mce/internal.h
++++ b/arch/x86/kernel/cpu/mce/internal.h
+@@ -172,4 +172,14 @@ extern bool amd_filter_mce(struct mce *m);
+ static inline bool amd_filter_mce(struct mce *m) { return false; };
+ #endif
+
++__visible bool ex_handler_rdmsr_fault(const struct exception_table_entry *fixup,
++ struct pt_regs *regs, int trapnr,
++ unsigned long error_code,
++ unsigned long fault_addr);
++
++__visible bool ex_handler_wrmsr_fault(const struct exception_table_entry *fixup,
++ struct pt_regs *regs, int trapnr,
++ unsigned long error_code,
++ unsigned long fault_addr);
++
+ #endif /* __X86_MCE_INTERNAL_H__ */
+--
+2.25.1
+
--- /dev/null
+From f3b4636e3c87bdc33868cfa28d3bc7d77844658f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 10:56:41 +0800
+Subject: x86/nmi: Fix nmi_handle() duration miscalculation
+
+From: Libing Zhou <libing.zhou@nokia-sbell.com>
+
+[ Upstream commit f94c91f7ba3ba7de2bc8aa31be28e1abb22f849e ]
+
+When nmi_check_duration() is checking the time an NMI handler took to
+execute, the whole_msecs value used should be read from the @duration
+argument, not from the ->max_duration, the latter being used to store
+the current maximal duration.
+
+ [ bp: Rewrite commit message. ]
+
+Fixes: 248ed51048c4 ("x86/nmi: Remove irq_work from the long duration NMI handler")
+Suggested-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Libing Zhou <libing.zhou@nokia-sbell.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Changbin Du <changbin.du@gmail.com>
+Link: https://lkml.kernel.org/r/20200820025641.44075-1-libing.zhou@nokia-sbell.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/nmi.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c
+index 54c21d6abd5ac..5bb001c0c771a 100644
+--- a/arch/x86/kernel/nmi.c
++++ b/arch/x86/kernel/nmi.c
+@@ -106,7 +106,6 @@ fs_initcall(nmi_warning_debugfs);
+
+ static void nmi_check_duration(struct nmiaction *action, u64 duration)
+ {
+- u64 whole_msecs = READ_ONCE(action->max_duration);
+ int remainder_ns, decimal_msecs;
+
+ if (duration < nmi_longest_ns || duration < action->max_duration)
+@@ -114,12 +113,12 @@ static void nmi_check_duration(struct nmiaction *action, u64 duration)
+
+ action->max_duration = duration;
+
+- remainder_ns = do_div(whole_msecs, (1000 * 1000));
++ remainder_ns = do_div(duration, (1000 * 1000));
+ decimal_msecs = remainder_ns / 1000;
+
+ printk_ratelimited(KERN_INFO
+ "INFO: NMI handler (%ps) took too long to run: %lld.%03d msecs\n",
+- action->handler, whole_msecs, decimal_msecs);
++ action->handler, duration, decimal_msecs);
+ }
+
+ static int nmi_handle(unsigned int type, struct pt_regs *regs)
+--
+2.25.1
+
--- /dev/null
+From 7929943db0f0ee5d8b5e81d4ea944ed9147baa68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Oct 2020 10:56:07 -0700
+Subject: xfs: fix deadlock and streamline xfs_getfsmap performance
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit 8ffa90e1145c70c7ac47f14b59583b2296d89e72 ]
+
+Refactor xfs_getfsmap to improve its performance: instead of indirectly
+calling a function that copies one record to userspace at a time, create
+a shadow buffer in the kernel and copy the whole array once at the end.
+On the author's computer, this reduces the runtime on his /home by ~20%.
+
+This also eliminates a deadlock when running GETFSMAP against the
+realtime device. The current code locks the rtbitmap to create
+fsmappings and copies them into userspace, having not released the
+rtbitmap lock. If the userspace buffer is an mmap of a sparse file that
+itself resides on the realtime device, the write page fault will recurse
+into the fs for allocation, which will deadlock on the rtbitmap lock.
+
+Fixes: 4c934c7dd60c ("xfs: report realtime space information via the rtbitmap")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Chandan Babu R <chandanrlinux@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_fsmap.c | 45 +++++++-------
+ fs/xfs/xfs_fsmap.h | 6 +-
+ fs/xfs/xfs_ioctl.c | 144 ++++++++++++++++++++++++++++++---------------
+ 3 files changed, 124 insertions(+), 71 deletions(-)
+
+diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
+index 5b864985bc648..01c0933a4d10d 100644
+--- a/fs/xfs/xfs_fsmap.c
++++ b/fs/xfs/xfs_fsmap.c
+@@ -26,7 +26,7 @@
+ #include "xfs_rtalloc.h"
+
+ /* Convert an xfs_fsmap to an fsmap. */
+-void
++static void
+ xfs_fsmap_from_internal(
+ struct fsmap *dest,
+ struct xfs_fsmap *src)
+@@ -154,8 +154,7 @@ xfs_fsmap_owner_from_rmap(
+ /* getfsmap query state */
+ struct xfs_getfsmap_info {
+ struct xfs_fsmap_head *head;
+- xfs_fsmap_format_t formatter; /* formatting fn */
+- void *format_arg; /* format buffer */
++ struct fsmap *fsmap_recs; /* mapping records */
+ struct xfs_buf *agf_bp; /* AGF, for refcount queries */
+ xfs_daddr_t next_daddr; /* next daddr we expect */
+ u64 missing_owner; /* owner of holes */
+@@ -223,6 +222,20 @@ xfs_getfsmap_is_shared(
+ return 0;
+ }
+
++static inline void
++xfs_getfsmap_format(
++ struct xfs_mount *mp,
++ struct xfs_fsmap *xfm,
++ struct xfs_getfsmap_info *info)
++{
++ struct fsmap *rec;
++
++ trace_xfs_getfsmap_mapping(mp, xfm);
++
++ rec = &info->fsmap_recs[info->head->fmh_entries++];
++ xfs_fsmap_from_internal(rec, xfm);
++}
++
+ /*
+ * Format a reverse mapping for getfsmap, having translated rm_startblock
+ * into the appropriate daddr units.
+@@ -287,10 +300,7 @@ xfs_getfsmap_helper(
+ fmr.fmr_offset = 0;
+ fmr.fmr_length = rec_daddr - info->next_daddr;
+ fmr.fmr_flags = FMR_OF_SPECIAL_OWNER;
+- error = info->formatter(&fmr, info->format_arg);
+- if (error)
+- return error;
+- info->head->fmh_entries++;
++ xfs_getfsmap_format(mp, &fmr, info);
+ }
+
+ if (info->last)
+@@ -322,11 +332,8 @@ xfs_getfsmap_helper(
+ if (shared)
+ fmr.fmr_flags |= FMR_OF_SHARED;
+ }
+- error = info->formatter(&fmr, info->format_arg);
+- if (error)
+- return error;
+- info->head->fmh_entries++;
+
++ xfs_getfsmap_format(mp, &fmr, info);
+ out:
+ rec_daddr += XFS_FSB_TO_BB(mp, rec->rm_blockcount);
+ if (info->next_daddr < rec_daddr)
+@@ -794,11 +801,11 @@ xfs_getfsmap_check_keys(
+ #endif /* CONFIG_XFS_RT */
+
+ /*
+- * Get filesystem's extents as described in head, and format for
+- * output. Calls formatter to fill the user's buffer until all
+- * extents are mapped, until the passed-in head->fmh_count slots have
+- * been filled, or until the formatter short-circuits the loop, if it
+- * is tracking filled-in extents on its own.
++ * Get filesystem's extents as described in head, and format for output. Fills
++ * in the supplied records array until there are no more reverse mappings to
++ * return or head.fmh_entries == head.fmh_count. In the second case, this
++ * function returns -ECANCELED to indicate that more records would have been
++ * returned.
+ *
+ * Key to Confusion
+ * ----------------
+@@ -818,8 +825,7 @@ int
+ xfs_getfsmap(
+ struct xfs_mount *mp,
+ struct xfs_fsmap_head *head,
+- xfs_fsmap_format_t formatter,
+- void *arg)
++ struct fsmap *fsmap_recs)
+ {
+ struct xfs_trans *tp = NULL;
+ struct xfs_fsmap dkeys[2]; /* per-dev keys */
+@@ -894,8 +900,7 @@ xfs_getfsmap(
+
+ info.next_daddr = head->fmh_keys[0].fmr_physical +
+ head->fmh_keys[0].fmr_length;
+- info.formatter = formatter;
+- info.format_arg = arg;
++ info.fsmap_recs = fsmap_recs;
+ info.head = head;
+
+ /*
+diff --git a/fs/xfs/xfs_fsmap.h b/fs/xfs/xfs_fsmap.h
+index c6c57739b8626..a0775788e7b13 100644
+--- a/fs/xfs/xfs_fsmap.h
++++ b/fs/xfs/xfs_fsmap.h
+@@ -27,13 +27,9 @@ struct xfs_fsmap_head {
+ struct xfs_fsmap fmh_keys[2]; /* low and high keys */
+ };
+
+-void xfs_fsmap_from_internal(struct fsmap *dest, struct xfs_fsmap *src);
+ void xfs_fsmap_to_internal(struct xfs_fsmap *dest, struct fsmap *src);
+
+-/* fsmap to userspace formatter - copy to user & advance pointer */
+-typedef int (*xfs_fsmap_format_t)(struct xfs_fsmap *, void *);
+-
+ int xfs_getfsmap(struct xfs_mount *mp, struct xfs_fsmap_head *head,
+- xfs_fsmap_format_t formatter, void *arg);
++ struct fsmap *out_recs);
+
+ #endif /* __XFS_FSMAP_H__ */
+diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
+index 60c4526312771..bf0435dbec436 100644
+--- a/fs/xfs/xfs_ioctl.c
++++ b/fs/xfs/xfs_ioctl.c
+@@ -1832,39 +1832,17 @@ xfs_ioc_getbmap(
+ return error;
+ }
+
+-struct getfsmap_info {
+- struct xfs_mount *mp;
+- struct fsmap_head __user *data;
+- unsigned int idx;
+- __u32 last_flags;
+-};
+-
+-STATIC int
+-xfs_getfsmap_format(struct xfs_fsmap *xfm, void *priv)
+-{
+- struct getfsmap_info *info = priv;
+- struct fsmap fm;
+-
+- trace_xfs_getfsmap_mapping(info->mp, xfm);
+-
+- info->last_flags = xfm->fmr_flags;
+- xfs_fsmap_from_internal(&fm, xfm);
+- if (copy_to_user(&info->data->fmh_recs[info->idx++], &fm,
+- sizeof(struct fsmap)))
+- return -EFAULT;
+-
+- return 0;
+-}
+-
+ STATIC int
+ xfs_ioc_getfsmap(
+ struct xfs_inode *ip,
+ struct fsmap_head __user *arg)
+ {
+- struct getfsmap_info info = { NULL };
+ struct xfs_fsmap_head xhead = {0};
+ struct fsmap_head head;
+- bool aborted = false;
++ struct fsmap *recs;
++ unsigned int count;
++ __u32 last_flags = 0;
++ bool done = false;
+ int error;
+
+ if (copy_from_user(&head, arg, sizeof(struct fsmap_head)))
+@@ -1876,38 +1854,112 @@ xfs_ioc_getfsmap(
+ sizeof(head.fmh_keys[1].fmr_reserved)))
+ return -EINVAL;
+
++ /*
++ * Use an internal memory buffer so that we don't have to copy fsmap
++ * data to userspace while holding locks. Start by trying to allocate
++ * up to 128k for the buffer, but fall back to a single page if needed.
++ */
++ count = min_t(unsigned int, head.fmh_count,
++ 131072 / sizeof(struct fsmap));
++ recs = kvzalloc(count * sizeof(struct fsmap), GFP_KERNEL);
++ if (!recs) {
++ count = min_t(unsigned int, head.fmh_count,
++ PAGE_SIZE / sizeof(struct fsmap));
++ recs = kvzalloc(count * sizeof(struct fsmap), GFP_KERNEL);
++ if (!recs)
++ return -ENOMEM;
++ }
++
+ xhead.fmh_iflags = head.fmh_iflags;
+- xhead.fmh_count = head.fmh_count;
+ xfs_fsmap_to_internal(&xhead.fmh_keys[0], &head.fmh_keys[0]);
+ xfs_fsmap_to_internal(&xhead.fmh_keys[1], &head.fmh_keys[1]);
+
+ trace_xfs_getfsmap_low_key(ip->i_mount, &xhead.fmh_keys[0]);
+ trace_xfs_getfsmap_high_key(ip->i_mount, &xhead.fmh_keys[1]);
+
+- info.mp = ip->i_mount;
+- info.data = arg;
+- error = xfs_getfsmap(ip->i_mount, &xhead, xfs_getfsmap_format, &info);
+- if (error == -ECANCELED) {
+- error = 0;
+- aborted = true;
+- } else if (error)
+- return error;
++ head.fmh_entries = 0;
++ do {
++ struct fsmap __user *user_recs;
++ struct fsmap *last_rec;
++
++ user_recs = &arg->fmh_recs[head.fmh_entries];
++ xhead.fmh_entries = 0;
++ xhead.fmh_count = min_t(unsigned int, count,
++ head.fmh_count - head.fmh_entries);
++
++ /* Run query, record how many entries we got. */
++ error = xfs_getfsmap(ip->i_mount, &xhead, recs);
++ switch (error) {
++ case 0:
++ /*
++ * There are no more records in the result set. Copy
++ * whatever we got to userspace and break out.
++ */
++ done = true;
++ break;
++ case -ECANCELED:
++ /*
++ * The internal memory buffer is full. Copy whatever
++ * records we got to userspace and go again if we have
++ * not yet filled the userspace buffer.
++ */
++ error = 0;
++ break;
++ default:
++ goto out_free;
++ }
++ head.fmh_entries += xhead.fmh_entries;
++ head.fmh_oflags = xhead.fmh_oflags;
+
+- /* If we didn't abort, set the "last" flag in the last fmx */
+- if (!aborted && info.idx) {
+- info.last_flags |= FMR_OF_LAST;
+- if (copy_to_user(&info.data->fmh_recs[info.idx - 1].fmr_flags,
+- &info.last_flags, sizeof(info.last_flags)))
+- return -EFAULT;
++ /*
++ * If the caller wanted a record count or there aren't any
++ * new records to return, we're done.
++ */
++ if (head.fmh_count == 0 || xhead.fmh_entries == 0)
++ break;
++
++ /* Copy all the records we got out to userspace. */
++ if (copy_to_user(user_recs, recs,
++ xhead.fmh_entries * sizeof(struct fsmap))) {
++ error = -EFAULT;
++ goto out_free;
++ }
++
++ /* Remember the last record flags we copied to userspace. */
++ last_rec = &recs[xhead.fmh_entries - 1];
++ last_flags = last_rec->fmr_flags;
++
++ /* Set up the low key for the next iteration. */
++ xfs_fsmap_to_internal(&xhead.fmh_keys[0], last_rec);
++ trace_xfs_getfsmap_low_key(ip->i_mount, &xhead.fmh_keys[0]);
++ } while (!done && head.fmh_entries < head.fmh_count);
++
++ /*
++ * If there are no more records in the query result set and we're not
++ * in counting mode, mark the last record returned with the LAST flag.
++ */
++ if (done && head.fmh_count > 0 && head.fmh_entries > 0) {
++ struct fsmap __user *user_rec;
++
++ last_flags |= FMR_OF_LAST;
++ user_rec = &arg->fmh_recs[head.fmh_entries - 1];
++
++ if (copy_to_user(&user_rec->fmr_flags, &last_flags,
++ sizeof(last_flags))) {
++ error = -EFAULT;
++ goto out_free;
++ }
+ }
+
+ /* copy back header */
+- head.fmh_entries = xhead.fmh_entries;
+- head.fmh_oflags = xhead.fmh_oflags;
+- if (copy_to_user(arg, &head, sizeof(struct fsmap_head)))
+- return -EFAULT;
++ if (copy_to_user(arg, &head, sizeof(struct fsmap_head))) {
++ error = -EFAULT;
++ goto out_free;
++ }
+
+- return 0;
++out_free:
++ kmem_free(recs);
++ return error;
+ }
+
+ STATIC int
+--
+2.25.1
+
--- /dev/null
+From cff648f8ce7389fda85a285a12e434d5e1e3e752 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Oct 2020 08:46:27 -0700
+Subject: xfs: fix high key handling in the rt allocator's query_range function
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit d88850bd5516a77c6f727e8b6cefb64e0cc929c7 ]
+
+Fix some off-by-one errors in xfs_rtalloc_query_range. The highest key
+in the realtime bitmap is always one less than the number of rt extents,
+which means that the key clamp at the start of the function is wrong.
+The 4th argument to xfs_rtfind_forw is the highest rt extent that we
+want to probe, which means that passing 1 less than the high key is
+wrong. Finally, drop the rem variable that controls the loop because we
+can compare the iteration point (rtstart) against the high key directly.
+
+The sordid history of this function is that the original commit (fb3c3)
+incorrectly passed (high_rec->ar_startblock - 1) as the 'limit' parameter
+to xfs_rtfind_forw. This was wrong because the "high key" is supposed
+to be the largest key for which the caller wants result rows, not the
+key for the first row that could possibly be outside the range that the
+caller wants to see.
+
+A subsequent attempt (8ad56) to strengthen the parameter checking added
+incorrect clamping of the parameters to the number of rt blocks in the
+system (despite the bitmap functions all taking units of rt extents) to
+avoid querying ranges past the end of rt bitmap file but failed to fix
+the incorrect _rtfind_forw parameter. The original _rtfind_forw
+parameter error then survived the conversion of the startblock and
+blockcount fields to rt extents (a0e5c), and the most recent off-by-one
+fix (a3a37) thought it was patching a problem when the end of the rt
+volume is not in use, but none of these fixes actually solved the
+original problem that the author was confused about the "limit" argument
+to xfs_rtfind_forw.
+
+Sadly, all four of these patches were written by this author and even
+his own usage of this function and rt testing were inadequate to get
+this fixed quickly.
+
+Original-problem: fb3c3de2f65c ("xfs: add a couple of queries to iterate free extents in the rtbitmap")
+Not-fixed-by: 8ad560d2565e ("xfs: strengthen rtalloc query range checks")
+Not-fixed-by: a0e5c435babd ("xfs: fix xfs_rtalloc_rec units")
+Fixes: a3a374bf1889 ("xfs: fix off-by-one error in xfs_rtalloc_query_range")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Chandan Babu R <chandanrlinux@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/libxfs/xfs_rtbitmap.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_rtbitmap.c b/fs/xfs/libxfs/xfs_rtbitmap.c
+index 8ea1efc97b41d..42085e70c01ac 100644
+--- a/fs/xfs/libxfs/xfs_rtbitmap.c
++++ b/fs/xfs/libxfs/xfs_rtbitmap.c
+@@ -1018,7 +1018,6 @@ xfs_rtalloc_query_range(
+ struct xfs_mount *mp = tp->t_mountp;
+ xfs_rtblock_t rtstart;
+ xfs_rtblock_t rtend;
+- xfs_rtblock_t rem;
+ int is_free;
+ int error = 0;
+
+@@ -1027,13 +1026,12 @@ xfs_rtalloc_query_range(
+ if (low_rec->ar_startext >= mp->m_sb.sb_rextents ||
+ low_rec->ar_startext == high_rec->ar_startext)
+ return 0;
+- if (high_rec->ar_startext > mp->m_sb.sb_rextents)
+- high_rec->ar_startext = mp->m_sb.sb_rextents;
++ high_rec->ar_startext = min(high_rec->ar_startext,
++ mp->m_sb.sb_rextents - 1);
+
+ /* Iterate the bitmap, looking for discrepancies. */
+ rtstart = low_rec->ar_startext;
+- rem = high_rec->ar_startext - rtstart;
+- while (rem) {
++ while (rtstart <= high_rec->ar_startext) {
+ /* Is the first block free? */
+ error = xfs_rtcheck_range(mp, tp, rtstart, 1, 1, &rtend,
+ &is_free);
+@@ -1042,7 +1040,7 @@ xfs_rtalloc_query_range(
+
+ /* How long does the extent go for? */
+ error = xfs_rtfind_forw(mp, tp, rtstart,
+- high_rec->ar_startext - 1, &rtend);
++ high_rec->ar_startext, &rtend);
+ if (error)
+ break;
+
+@@ -1055,7 +1053,6 @@ xfs_rtalloc_query_range(
+ break;
+ }
+
+- rem -= rtend - rtstart + 1;
+ rtstart = rtend + 1;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From c53150ed001828504edf58257d019aed5bfedaed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Oct 2020 10:56:07 -0700
+Subject: xfs: limit entries returned when counting fsmap records
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit acd1ac3aa22fd58803a12d26b1ab7f70232f8d8d ]
+
+If userspace asked fsmap to count the number of entries, we cannot
+return more than UINT_MAX entries because fmh_entries is u32.
+Therefore, stop counting if we hit this limit or else we will waste time
+to return truncated results.
+
+Fixes: e89c041338ed ("xfs: implement the GETFSMAP ioctl")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Chandan Babu R <chandanrlinux@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_fsmap.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
+index c13754e119be1..5b864985bc648 100644
+--- a/fs/xfs/xfs_fsmap.c
++++ b/fs/xfs/xfs_fsmap.c
+@@ -255,6 +255,9 @@ xfs_getfsmap_helper(
+
+ /* Are we just counting mappings? */
+ if (info->head->fmh_count == 0) {
++ if (info->head->fmh_entries == UINT_MAX)
++ return -ECANCELED;
++
+ if (rec_daddr > info->next_daddr)
+ info->head->fmh_entries++;
+
+--
+2.25.1
+
--- /dev/null
+From f4477e692641e7a37eb35a49bdb7868a553b8cef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Sep 2020 14:21:06 -0700
+Subject: xfs: make sure the rt allocator doesn't run off the end
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit 2a6ca4baed620303d414934aa1b7b0a8e7bab05f ]
+
+There's an overflow bug in the realtime allocator. If the rt volume is
+large enough to handle a single allocation request that is larger than
+the maximum bmap extent length and the rt bitmap ends exactly on a
+bitmap block boundary, it's possible that the near allocator will try to
+check the freeness of a range that extends past the end of the bitmap.
+This fails with a corruption error and shuts down the fs.
+
+Therefore, constrain maxlen so that the range scan cannot run off the
+end of the rt bitmap.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_rtalloc.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c
+index 4a48a8c75b4f7..b583669370825 100644
+--- a/fs/xfs/xfs_rtalloc.c
++++ b/fs/xfs/xfs_rtalloc.c
+@@ -247,6 +247,9 @@ xfs_rtallocate_extent_block(
+ end = XFS_BLOCKTOBIT(mp, bbno + 1) - 1;
+ i <= end;
+ i++) {
++ /* Make sure we don't scan off the end of the rt volume. */
++ maxlen = min(mp->m_sb.sb_rextents, i + maxlen) - i;
++
+ /*
+ * See if there's a free extent of maxlen starting at i.
+ * If it's not so then next will contain the first non-free.
+@@ -442,6 +445,14 @@ xfs_rtallocate_extent_near(
+ */
+ if (bno >= mp->m_sb.sb_rextents)
+ bno = mp->m_sb.sb_rextents - 1;
++
++ /* Make sure we don't run off the end of the rt volume. */
++ maxlen = min(mp->m_sb.sb_rextents, bno + maxlen) - bno;
++ if (maxlen < minlen) {
++ *rtblock = NULLRTBLOCK;
++ return 0;
++ }
++
+ /*
+ * Try the exact allocation first.
+ */
+--
+2.25.1
+
--- /dev/null
+From 150fbbd379b836cfdafd832d939f3a528cb3d6c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Sep 2020 16:17:51 +0300
+Subject: xhci: don't create endpoint debugfs entry before ring buffer is set.
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit 167657a1bb5fcde53ac304ce6c564bd90a2f9185 ]
+
+Make sure xHC completes the configure endpoint command and xhci driver
+sets the ring pointers correctly before we create the user readable
+debugfs file.
+
+In theory there was a small gap where a user could have read the
+debugfs file and cause a NULL pointer dereference error as ring
+pointer was not yet set, in practise we want this change to simplify
+the upcoming streams debugfs support.
+
+Fixes: 02b6fdc2a153 ("usb: xhci: Add debugfs interface for xHCI driver")
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20200918131752.16488-10-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index bad154f446f8d..0d10ede581cbd 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -1915,8 +1915,6 @@ static int xhci_add_endpoint(struct usb_hcd *hcd, struct usb_device *udev,
+ ep_ctx = xhci_get_ep_ctx(xhci, virt_dev->in_ctx, ep_index);
+ trace_xhci_add_endpoint(ep_ctx);
+
+- xhci_debugfs_create_endpoint(xhci, virt_dev, ep_index);
+-
+ xhci_dbg(xhci, "add ep 0x%x, slot id %d, new drop flags = %#x, new add flags = %#x\n",
+ (unsigned int) ep->desc.bEndpointAddress,
+ udev->slot_id,
+@@ -2949,6 +2947,7 @@ static int xhci_check_bandwidth(struct usb_hcd *hcd, struct usb_device *udev)
+ xhci_check_bw_drop_ep_streams(xhci, virt_dev, i);
+ virt_dev->eps[i].ring = virt_dev->eps[i].new_ring;
+ virt_dev->eps[i].new_ring = NULL;
++ xhci_debugfs_create_endpoint(xhci, virt_dev, i);
+ }
+ command_cleanup:
+ kfree(command->completion);
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
