--- /dev/null
+From 8e8ce08198de193e3d21d42e96945216e3d9ac7f Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 16 Feb 2020 13:02:06 +0100
+Subject: batman-adv: Don't schedule OGM for disabled interface
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit 8e8ce08198de193e3d21d42e96945216e3d9ac7f upstream.
+
+A transmission scheduling for an interface which is currently dropped by
+batadv_iv_ogm_iface_disable could still be in progress. The B.A.T.M.A.N. V
+is simply cancelling the workqueue item in an synchronous way but this is
+not possible with B.A.T.M.A.N. IV because the OGM submissions are
+intertwined.
+
+Instead it has to stop submitting the OGM when it detect that the buffer
+pointer is set to NULL.
+
+Reported-by: syzbot+a98f2016f40b9cd3818a@syzkaller.appspotmail.com
+Reported-by: syzbot+ac36b6a33c28a491e929@syzkaller.appspotmail.com
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Cc: Hillf Danton <hdanton@sina.com>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/batman-adv/bat_iv_ogm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -789,6 +789,10 @@ static void batadv_iv_ogm_schedule_buff(
+
+ lockdep_assert_held(&hard_iface->bat_iv.ogm_buff_mutex);
+
++ /* interface already disabled by batadv_iv_ogm_iface_disable */
++ if (!*ogm_buff)
++ return;
++
+ /* the interface gets activated here to avoid race conditions between
+ * the moment of activating the interface in
+ * hardif_activate_interface() where the originator mac is set and
--- /dev/null
+From 5eb40257047fb11085d582b7b9ccd0bffe900726 Mon Sep 17 00:00:00 2001
+From: Anson Huang <Anson.Huang@nxp.com>
+Date: Mon, 17 Feb 2020 11:01:35 +0800
+Subject: clk: imx8mn: Fix incorrect clock defines
+
+From: Anson Huang <Anson.Huang@nxp.com>
+
+commit 5eb40257047fb11085d582b7b9ccd0bffe900726 upstream.
+
+IMX8MN_CLK_I2C4 and IMX8MN_CLK_UART1's index definitions are incorrect,
+fix them.
+
+Fixes: 1e80936a42e1 ("dt-bindings: imx: Add clock binding doc for i.MX8MN")
+Signed-off-by: Anson Huang <Anson.Huang@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/dt-bindings/clock/imx8mn-clock.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/dt-bindings/clock/imx8mn-clock.h
++++ b/include/dt-bindings/clock/imx8mn-clock.h
+@@ -122,8 +122,8 @@
+ #define IMX8MN_CLK_I2C1 105
+ #define IMX8MN_CLK_I2C2 106
+ #define IMX8MN_CLK_I2C3 107
+-#define IMX8MN_CLK_I2C4 118
+-#define IMX8MN_CLK_UART1 119
++#define IMX8MN_CLK_I2C4 108
++#define IMX8MN_CLK_UART1 109
+ #define IMX8MN_CLK_UART2 110
+ #define IMX8MN_CLK_UART3 111
+ #define IMX8MN_CLK_UART4 112
--- /dev/null
+From e3a36eb6dfaeea8175c05d5915dcf0b939be6dab Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 11 Mar 2020 17:07:10 +0100
+Subject: driver code: clarify and fix platform device DMA mask allocation
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit e3a36eb6dfaeea8175c05d5915dcf0b939be6dab upstream.
+
+This does three inter-related things to clarify the usage of the
+platform device dma_mask field. In the process, fix the bug introduced
+by cdfee5623290 ("driver core: initialize a default DMA mask for
+platform device") that caused Artem Tashkinov's laptop to not boot with
+newer Fedora kernels.
+
+This does:
+
+ - First off, rename the field to "platform_dma_mask" to make it
+ greppable.
+
+ We have way too many different random fields called "dma_mask" in
+ various data structures, where some of them are actual masks, and
+ some of them are just pointers to the mask. And the structures all
+ have pointers to each other, or embed each other inside themselves,
+ and "pdev" sometimes means "platform device" and sometimes it means
+ "PCI device".
+
+ So to make it clear in the code when you actually use this new field,
+ give it a unique name (it really should be something even more unique
+ like "platform_device_dma_mask", since it's per platform device, not
+ per platform, but that gets old really fast, and this is unique
+ enough in context).
+
+ To further clarify when the field gets used, initialize it when we
+ actually start using it with the default value.
+
+ - Then, use this field instead of the random one-off allocation in
+ platform_device_register_full() that is now unnecessary since we now
+ already have a perfectly fine allocation for it in the platform
+ device structure.
+
+ - The above then allows us to fix the actual bug, where the error path
+ of platform_device_register_full() would unconditionally free the
+ platform device DMA allocation with 'kfree()'.
+
+ That kfree() was dont regardless of whether the allocation had been
+ done earlier with the (now removed) kmalloc, or whether
+ setup_pdev_dma_masks() had already been used and the dma_mask pointer
+ pointed to the mask that was part of the platform device.
+
+It seems most people never triggered the error path, or only triggered
+it from a call chain that set an explicit pdevinfo->dma_mask value (and
+thus caused the unnecessary allocation that was "cleaned up" in the
+error path) before calling platform_device_register_full().
+
+Robin Murphy points out that in Artem's case the wdat_wdt driver failed
+in platform_device_add(), and that was the one that had called
+platform_device_register_full() with pdevinfo.dma_mask = 0, and would
+have caused that kfree() of pdev.dma_mask corrupting the heap.
+
+A later unrelated kmalloc() then oopsed due to the heap corruption.
+
+Fixes: cdfee5623290 ("driver core: initialize a default DMA mask for platform device")
+Reported-bisected-and-tested-by: Artem S. Tashkinov <aros@gmx.com>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/platform.c | 25 ++++++-------------------
+ include/linux/platform_device.h | 2 +-
+ 2 files changed, 7 insertions(+), 20 deletions(-)
+
+--- a/drivers/base/platform.c
++++ b/drivers/base/platform.c
+@@ -335,10 +335,10 @@ static void setup_pdev_dma_masks(struct
+ {
+ if (!pdev->dev.coherent_dma_mask)
+ pdev->dev.coherent_dma_mask = DMA_BIT_MASK(32);
+- if (!pdev->dma_mask)
+- pdev->dma_mask = DMA_BIT_MASK(32);
+- if (!pdev->dev.dma_mask)
+- pdev->dev.dma_mask = &pdev->dma_mask;
++ if (!pdev->dev.dma_mask) {
++ pdev->platform_dma_mask = DMA_BIT_MASK(32);
++ pdev->dev.dma_mask = &pdev->platform_dma_mask;
++ }
+ };
+
+ /**
+@@ -634,20 +634,8 @@ struct platform_device *platform_device_
+ pdev->dev.of_node_reused = pdevinfo->of_node_reused;
+
+ if (pdevinfo->dma_mask) {
+- /*
+- * This memory isn't freed when the device is put,
+- * I don't have a nice idea for that though. Conceptually
+- * dma_mask in struct device should not be a pointer.
+- * See http://thread.gmane.org/gmane.linux.kernel.pci/9081
+- */
+- pdev->dev.dma_mask =
+- kmalloc(sizeof(*pdev->dev.dma_mask), GFP_KERNEL);
+- if (!pdev->dev.dma_mask)
+- goto err;
+-
+- kmemleak_ignore(pdev->dev.dma_mask);
+-
+- *pdev->dev.dma_mask = pdevinfo->dma_mask;
++ pdev->platform_dma_mask = pdevinfo->dma_mask;
++ pdev->dev.dma_mask = &pdev->platform_dma_mask;
+ pdev->dev.coherent_dma_mask = pdevinfo->dma_mask;
+ }
+
+@@ -672,7 +660,6 @@ struct platform_device *platform_device_
+ if (ret) {
+ err:
+ ACPI_COMPANION_SET(&pdev->dev, NULL);
+- kfree(pdev->dev.dma_mask);
+ platform_device_put(pdev);
+ return ERR_PTR(ret);
+ }
+--- a/include/linux/platform_device.h
++++ b/include/linux/platform_device.h
+@@ -24,7 +24,7 @@ struct platform_device {
+ int id;
+ bool id_auto;
+ struct device dev;
+- u64 dma_mask;
++ u64 platform_dma_mask;
+ u32 num_resources;
+ struct resource *resource;
+
--- /dev/null
+From 259170cb4c84f4165a36c0b05811eb74c495412c Mon Sep 17 00:00:00 2001
+From: Tina Zhang <tina.zhang@intel.com>
+Date: Thu, 27 Feb 2020 09:00:41 +0800
+Subject: drm/i915/gvt: Fix dma-buf display blur issue on CFL
+
+From: Tina Zhang <tina.zhang@intel.com>
+
+commit 259170cb4c84f4165a36c0b05811eb74c495412c upstream.
+
+Commit c3b5a8430daad ("drm/i915/gvt: Enable gfx virtualiztion for CFL")
+added the support on CFL. The vgpu emulation hotplug support on CFL was
+supposed to be included in that patch. Without the vgpu emulation
+hotplug support, the dma-buf based display gives us a blur face.
+
+So fix this issue by adding the vgpu emulation hotplug support on CFL.
+
+Fixes: c3b5a8430daad ("drm/i915/gvt: Enable gfx virtualiztion for CFL")
+Signed-off-by: Tina Zhang <tina.zhang@intel.com>
+Acked-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20200227010041.32248-1-tina.zhang@intel.com
+(cherry picked from commit 135dde8853c7e00f6002e710f7e4787ed8585c0e)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/gvt/display.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/gvt/display.c
++++ b/drivers/gpu/drm/i915/gvt/display.c
+@@ -457,7 +457,8 @@ void intel_vgpu_emulate_hotplug(struct i
+ struct drm_i915_private *dev_priv = vgpu->gvt->dev_priv;
+
+ /* TODO: add more platforms support */
+- if (IS_SKYLAKE(dev_priv) || IS_KABYLAKE(dev_priv)) {
++ if (IS_SKYLAKE(dev_priv) || IS_KABYLAKE(dev_priv) ||
++ IS_COFFEELAKE(dev_priv)) {
+ if (connected) {
+ vgpu_vreg_t(vgpu, SFUSE_STRAP) |=
+ SFUSE_STRAP_DDID_DETECTED;
--- /dev/null
+From 04d6067f1f19e70a418f92fa3170cf7fe53b7fdf Mon Sep 17 00:00:00 2001
+From: Zhenyu Wang <zhenyuw@linux.intel.com>
+Date: Tue, 3 Mar 2020 13:54:12 +0800
+Subject: drm/i915/gvt: Fix unnecessary schedule timer when no vGPU exits
+
+From: Zhenyu Wang <zhenyuw@linux.intel.com>
+
+commit 04d6067f1f19e70a418f92fa3170cf7fe53b7fdf upstream.
+
+From commit f25a49ab8ab9 ("drm/i915/gvt: Use vgpu_lock to protect per
+vgpu access") the vgpu idr destroy is moved later than vgpu resource
+destroy, then it would fail to stop timer for schedule policy clean
+which to check vgpu idr for any left vGPU. So this trys to destroy
+vgpu idr earlier.
+
+Cc: Colin Xu <colin.xu@intel.com>
+Fixes: f25a49ab8ab9 ("drm/i915/gvt: Use vgpu_lock to protect per vgpu access")
+Acked-by: Colin Xu <colin.xu@intel.com>
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20200229055445.31481-1-zhenyuw@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/gvt/vgpu.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gvt/vgpu.c
++++ b/drivers/gpu/drm/i915/gvt/vgpu.c
+@@ -272,10 +272,17 @@ void intel_gvt_destroy_vgpu(struct intel
+ {
+ struct intel_gvt *gvt = vgpu->gvt;
+
+- mutex_lock(&vgpu->vgpu_lock);
+-
+ WARN(vgpu->active, "vGPU is still active!\n");
+
++ /*
++ * remove idr first so later clean can judge if need to stop
++ * service if no active vgpu.
++ */
++ mutex_lock(&gvt->lock);
++ idr_remove(&gvt->vgpu_idr, vgpu->id);
++ mutex_unlock(&gvt->lock);
++
++ mutex_lock(&vgpu->vgpu_lock);
+ intel_gvt_debugfs_remove_vgpu(vgpu);
+ intel_vgpu_clean_sched_policy(vgpu);
+ intel_vgpu_clean_submission(vgpu);
+@@ -290,7 +297,6 @@ void intel_gvt_destroy_vgpu(struct intel
+ mutex_unlock(&vgpu->vgpu_lock);
+
+ mutex_lock(&gvt->lock);
+- idr_remove(&gvt->vgpu_idr, vgpu->id);
+ if (idr_is_empty(&gvt->vgpu_idr))
+ intel_gvt_clean_irq(gvt);
+ intel_gvt_update_vgpu_types(gvt);
--- /dev/null
+From 3747cd2efe7ecb9604972285ab3f60c96cb753a8 Mon Sep 17 00:00:00 2001
+From: Hamish Martin <hamish.martin@alliedtelesis.co.nz>
+Date: Tue, 10 Mar 2020 10:16:18 +1300
+Subject: i2c: gpio: suppress error on probe defer
+
+From: Hamish Martin <hamish.martin@alliedtelesis.co.nz>
+
+commit 3747cd2efe7ecb9604972285ab3f60c96cb753a8 upstream.
+
+If a GPIO we are trying to use is not available and we are deferring
+the probe, don't output an error message.
+This seems to have been the intent of commit 05c74778858d
+("i2c: gpio: Add support for named gpios in DT") but the error was
+still output due to not checking the updated 'retdesc'.
+
+Fixes: 05c74778858d ("i2c: gpio: Add support for named gpios in DT")
+Signed-off-by: Hamish Martin <hamish.martin@alliedtelesis.co.nz>
+Acked-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-gpio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-gpio.c
++++ b/drivers/i2c/busses/i2c-gpio.c
+@@ -348,7 +348,7 @@ static struct gpio_desc *i2c_gpio_get_de
+ if (ret == -ENOENT)
+ retdesc = ERR_PTR(-EPROBE_DEFER);
+
+- if (ret != -EPROBE_DEFER)
++ if (PTR_ERR(retdesc) != -EPROBE_DEFER)
+ dev_err(dev, "error trying to get descriptor: %d\n", ret);
+
+ return retdesc;
--- /dev/null
+From 04bbb97d1b732b2d197f103c5818f5c214a4cf81 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Wed, 26 Feb 2020 16:21:22 +0300
+Subject: i2c: i801: Do not add ICH_RES_IO_SMI for the iTCO_wdt device
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit 04bbb97d1b732b2d197f103c5818f5c214a4cf81 upstream.
+
+Martin noticed that nct6775 driver does not load properly on his system
+in v5.4+ kernels. The issue was bisected to commit b84398d6d7f9 ("i2c:
+i801: Use iTCO version 6 in Cannon Lake PCH and beyond") but it is
+likely not the culprit because the faulty code has been in the driver
+already since commit 9424693035a5 ("i2c: i801: Create iTCO device on
+newer Intel PCHs"). So more likely some commit that added PCI IDs of
+recent chipsets made the driver to create the iTCO_wdt device on Martins
+system.
+
+The issue was debugged to be PCI configuration access to the PMC device
+that is not present. This returns all 1's when read and this caused the
+iTCO_wdt driver to accidentally request resourses used by nct6775.
+
+It turns out that the SMI resource is only required for some ancient
+systems, not the ones supported by this driver. For this reason do not
+populate the SMI resource at all and drop all the related code. The
+driver now always populates the main I/O resource and only in case of SPT
+(Intel Sunrisepoint) compatible devices it adds another resource for the
+NO_REBOOT bit. These two resources are of different types so
+platform_get_resource() used by the iTCO_wdt driver continues to find
+the both resources at index 0.
+
+Link: https://lore.kernel.org/linux-hwmon/CAM1AHpQ4196tyD=HhBu-2donSsuogabkfP03v1YF26Q7_BgvgA@mail.gmail.com/
+Fixes: 9424693035a5 ("i2c: i801: Create iTCO device on newer Intel PCHs")
+[wsa: complete fix needs all of http://patchwork.ozlabs.org/project/linux-i2c/list/?series=160959&state=*]
+Reported-by: Martin Volf <martin.volf.42@gmail.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-i801.c | 45 +++++++++++-------------------------------
+ 1 file changed, 12 insertions(+), 33 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-i801.c
++++ b/drivers/i2c/busses/i2c-i801.c
+@@ -129,11 +129,6 @@
+ #define TCOBASE 0x050
+ #define TCOCTL 0x054
+
+-#define ACPIBASE 0x040
+-#define ACPIBASE_SMI_OFF 0x030
+-#define ACPICTRL 0x044
+-#define ACPICTRL_EN 0x080
+-
+ #define SBREG_BAR 0x10
+ #define SBREG_SMBCTRL 0xc6000c
+ #define SBREG_SMBCTRL_DNV 0xcf000c
+@@ -1544,7 +1539,7 @@ i801_add_tco_spt(struct i801_priv *priv,
+ pci_bus_write_config_byte(pci_dev->bus, devfn, 0xe1, hidden);
+ spin_unlock(&p2sb_spinlock);
+
+- res = &tco_res[ICH_RES_MEM_OFF];
++ res = &tco_res[1];
+ if (pci_dev->device == PCI_DEVICE_ID_INTEL_DNV_SMBUS)
+ res->start = (resource_size_t)base64_addr + SBREG_SMBCTRL_DNV;
+ else
+@@ -1554,7 +1549,7 @@ i801_add_tco_spt(struct i801_priv *priv,
+ res->flags = IORESOURCE_MEM;
+
+ return platform_device_register_resndata(&pci_dev->dev, "iTCO_wdt", -1,
+- tco_res, 3, &spt_tco_platform_data,
++ tco_res, 2, &spt_tco_platform_data,
+ sizeof(spt_tco_platform_data));
+ }
+
+@@ -1567,17 +1562,16 @@ static struct platform_device *
+ i801_add_tco_cnl(struct i801_priv *priv, struct pci_dev *pci_dev,
+ struct resource *tco_res)
+ {
+- return platform_device_register_resndata(&pci_dev->dev, "iTCO_wdt", -1,
+- tco_res, 2, &cnl_tco_platform_data,
+- sizeof(cnl_tco_platform_data));
++ return platform_device_register_resndata(&pci_dev->dev,
++ "iTCO_wdt", -1, tco_res, 1, &cnl_tco_platform_data,
++ sizeof(cnl_tco_platform_data));
+ }
+
+ static void i801_add_tco(struct i801_priv *priv)
+ {
+- u32 base_addr, tco_base, tco_ctl, ctrl_val;
+ struct pci_dev *pci_dev = priv->pci_dev;
+- struct resource tco_res[3], *res;
+- unsigned int devfn;
++ struct resource tco_res[2], *res;
++ u32 tco_base, tco_ctl;
+
+ /* If we have ACPI based watchdog use that instead */
+ if (acpi_has_watchdog())
+@@ -1592,30 +1586,15 @@ static void i801_add_tco(struct i801_pri
+ return;
+
+ memset(tco_res, 0, sizeof(tco_res));
+-
+- res = &tco_res[ICH_RES_IO_TCO];
+- res->start = tco_base & ~1;
+- res->end = res->start + 32 - 1;
+- res->flags = IORESOURCE_IO;
+-
+ /*
+- * Power Management registers.
++ * Always populate the main iTCO IO resource here. The second entry
++ * for NO_REBOOT MMIO is filled by the SPT specific function.
+ */
+- devfn = PCI_DEVFN(PCI_SLOT(pci_dev->devfn), 2);
+- pci_bus_read_config_dword(pci_dev->bus, devfn, ACPIBASE, &base_addr);
+-
+- res = &tco_res[ICH_RES_IO_SMI];
+- res->start = (base_addr & ~1) + ACPIBASE_SMI_OFF;
+- res->end = res->start + 3;
++ res = &tco_res[0];
++ res->start = tco_base & ~1;
++ res->end = res->start + 32 - 1;
+ res->flags = IORESOURCE_IO;
+
+- /*
+- * Enable the ACPI I/O space.
+- */
+- pci_bus_read_config_dword(pci_dev->bus, devfn, ACPICTRL, &ctrl_val);
+- ctrl_val |= ACPICTRL_EN;
+- pci_bus_write_config_dword(pci_dev->bus, devfn, ACPICTRL, ctrl_val);
+-
+ if (priv->features & FEATURE_TCO_CNL)
+ priv->tco_pdev = i801_add_tco_cnl(priv, pci_dev, tco_res);
+ else
--- /dev/null
+From 2d48ea0efb8887ebba3e3720bb5b738aced4e574 Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Thu, 5 Mar 2020 15:00:46 -0500
+Subject: iommu/vt-d: Fix RCU-list bugs in intel_iommu_init()
+
+From: Qian Cai <cai@lca.pw>
+
+commit 2d48ea0efb8887ebba3e3720bb5b738aced4e574 upstream.
+
+There are several places traverse RCU-list without holding any lock in
+intel_iommu_init(). Fix them by acquiring dmar_global_lock.
+
+ WARNING: suspicious RCU usage
+ -----------------------------
+ drivers/iommu/intel-iommu.c:5216 RCU-list traversed in non-reader section!!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 2, debug_locks = 1
+ no locks held by swapper/0/1.
+
+ Call Trace:
+ dump_stack+0xa0/0xea
+ lockdep_rcu_suspicious+0x102/0x10b
+ intel_iommu_init+0x947/0xb13
+ pci_iommu_init+0x26/0x62
+ do_one_initcall+0xfe/0x500
+ kernel_init_freeable+0x45a/0x4f8
+ kernel_init+0x11/0x139
+ ret_from_fork+0x3a/0x50
+ DMAR: Intel(R) Virtualization Technology for Directed I/O
+
+Fixes: d8190dc63886 ("iommu/vt-d: Enable DMA remapping after rmrr mapped")
+Signed-off-by: Qian Cai <cai@lca.pw>
+Acked-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/intel-iommu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/intel-iommu.c
++++ b/drivers/iommu/intel-iommu.c
+@@ -5024,6 +5024,7 @@ int __init intel_iommu_init(void)
+
+ init_iommu_pm_ops();
+
++ down_read(&dmar_global_lock);
+ for_each_active_iommu(iommu, drhd) {
+ iommu_device_sysfs_add(&iommu->iommu, NULL,
+ intel_iommu_groups,
+@@ -5031,6 +5032,7 @@ int __init intel_iommu_init(void)
+ iommu_device_set_ops(&iommu->iommu, &intel_iommu_ops);
+ iommu_device_register(&iommu->iommu);
+ }
++ up_read(&dmar_global_lock);
+
+ bus_set_iommu(&pci_bus_type, &intel_iommu_ops);
+ if (si_domain && !hw_pass_through)
+@@ -5041,7 +5043,6 @@ int __init intel_iommu_init(void)
+ down_read(&dmar_global_lock);
+ if (probe_acpi_namespace_devices())
+ pr_warn("ACPI name space devices didn't probe correctly\n");
+- up_read(&dmar_global_lock);
+
+ /* Finally, we enable the DMA remapping hardware. */
+ for_each_iommu(iommu, drhd) {
+@@ -5050,6 +5051,8 @@ int __init intel_iommu_init(void)
+
+ iommu_disable_protect_mem_regions(iommu);
+ }
++ up_read(&dmar_global_lock);
++
+ pr_info("Intel(R) Virtualization Technology for Directed I/O\n");
+
+ intel_iommu_enabled = 1;
--- /dev/null
+From c049b3450072b8e3998053490e025839fecfef31 Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:08:31 -0800
+Subject: netfilter: cthelper: add missing attribute validation for cthelper
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+commit c049b3450072b8e3998053490e025839fecfef31 upstream.
+
+Add missing attribute validation for cthelper
+to the netlink policy.
+
+Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nfnetlink_cthelper.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -742,6 +742,8 @@ static const struct nla_policy nfnl_cthe
+ [NFCTH_NAME] = { .type = NLA_NUL_STRING,
+ .len = NF_CT_HELPER_NAME_LEN-1 },
+ [NFCTH_QUEUE_NUM] = { .type = NLA_U32, },
++ [NFCTH_PRIV_DATA_LEN] = { .type = NLA_U32, },
++ [NFCTH_STATUS] = { .type = NLA_U32, },
+ };
+
+ static const struct nfnl_callback nfnl_cthelper_cb[NFNL_MSG_CTHELPER_MAX] = {
--- /dev/null
+From 056e9375e1f3c4bf2fd49b70258c7daf788ecd9d Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:10:57 -0800
+Subject: nl80211: add missing attribute validation for beacon report scanning
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+commit 056e9375e1f3c4bf2fd49b70258c7daf788ecd9d upstream.
+
+Add missing attribute validation for beacon report scanning
+to the netlink policy.
+
+Fixes: 1d76250bd34a ("nl80211: support beacon report scanning")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/r/20200303051058.4089398-3-kuba@kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -469,6 +469,8 @@ const struct nla_policy nl80211_policy[N
+ [NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
+ [NL80211_ATTR_STA_PLINK_STATE] =
+ NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
++ [NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
++ [NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
+ [NL80211_ATTR_MESH_PEER_AID] =
+ NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
+ [NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
--- /dev/null
+From 5cde05c61cbe13cbb3fa66d52b9ae84f7975e5e6 Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:10:58 -0800
+Subject: nl80211: add missing attribute validation for channel switch
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+commit 5cde05c61cbe13cbb3fa66d52b9ae84f7975e5e6 upstream.
+
+Add missing attribute validation for NL80211_ATTR_OPER_CLASS
+to the netlink policy.
+
+Fixes: 1057d35ede5d ("cfg80211: introduce TDLS channel switch commands")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/r/20200303051058.4089398-4-kuba@kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -564,6 +564,7 @@ const struct nla_policy nl80211_policy[N
+ NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
+ [NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
+ [NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
++ [NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
+ [NL80211_ATTR_MAC_MASK] = {
+ .type = NLA_EXACT_LEN_WARN,
+ .len = ETH_ALEN
--- /dev/null
+From 0e1a1d853ecedc99da9d27f9f5c376935547a0e2 Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:10:56 -0800
+Subject: nl80211: add missing attribute validation for critical protocol indication
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+commit 0e1a1d853ecedc99da9d27f9f5c376935547a0e2 upstream.
+
+Add missing attribute validation for critical protocol fields
+to the netlink policy.
+
+Fixes: 5de17984898c ("cfg80211: introduce critical protocol indication from user-space")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/r/20200303051058.4089398-2-kuba@kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -530,6 +530,8 @@ const struct nla_policy nl80211_policy[N
+ [NL80211_ATTR_MDID] = { .type = NLA_U16 },
+ [NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
+ .len = IEEE80211_MAX_DATA_LEN },
++ [NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
++ [NL80211_ATTR_MAX_CRIT_PROT_DURATION] = { .type = NLA_U16 },
+ [NL80211_ATTR_PEER_AID] =
+ NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
+ [NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
--- /dev/null
+From f649bd9dd5d5004543bbc3c50b829577b49f5d75 Mon Sep 17 00:00:00 2001
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+Date: Thu, 5 Mar 2020 10:37:13 +0200
+Subject: perf bench futex-wake: Restore thread count default to online CPU count
+
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+
+commit f649bd9dd5d5004543bbc3c50b829577b49f5d75 upstream.
+
+Since commit 3b2323c2c1c4 ("perf bench futex: Use cpumaps") the default
+number of threads the benchmark uses got changed from number of online
+CPUs to zero:
+
+ $ perf bench futex wake
+ # Running 'futex/wake' benchmark:
+ Run summary [PID 15930]: blocking on 0 threads (at [private] futex 0x558b8ee4bfac), waking up 1 at a time.
+ [Run 1]: Wokeup 0 of 0 threads in 0.0000 ms
+ [...]
+ [Run 10]: Wokeup 0 of 0 threads in 0.0000 ms
+ Wokeup 0 of 0 threads in 0.0004 ms (+-40.82%)
+
+Restore the old behavior by grabbing the number of online CPUs via
+cpu->nr:
+
+ $ perf bench futex wake
+ # Running 'futex/wake' benchmark:
+ Run summary [PID 18356]: blocking on 8 threads (at [private] futex 0xb3e62c), waking up 1 at a time.
+ [Run 1]: Wokeup 8 of 8 threads in 0.0260 ms
+ [...]
+ [Run 10]: Wokeup 8 of 8 threads in 0.0270 ms
+ Wokeup 8 of 8 threads in 0.0419 ms (+-24.35%)
+
+Fixes: 3b2323c2c1c4 ("perf bench futex: Use cpumaps")
+Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Darren Hart <dvhart@infradead.org>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lore.kernel.org/lkml/20200305083714.9381-3-tommi.t.rantala@nokia.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/bench/futex-wake.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/perf/bench/futex-wake.c
++++ b/tools/perf/bench/futex-wake.c
+@@ -43,7 +43,7 @@ static bool done = false, silent = false
+ static pthread_mutex_t thread_lock;
+ static pthread_cond_t thread_parent, thread_worker;
+ static struct stats waketime_stats, wakeup_stats;
+-static unsigned int ncpus, threads_starting, nthreads = 0;
++static unsigned int threads_starting, nthreads = 0;
+ static int futex_flag = 0;
+
+ static const struct option options[] = {
+@@ -141,7 +141,7 @@ int bench_futex_wake(int argc, const cha
+ sigaction(SIGINT, &act, NULL);
+
+ if (!nthreads)
+- nthreads = ncpus;
++ nthreads = cpu->nr;
+
+ worker = calloc(nthreads, sizeof(*worker));
+ if (!worker)
--- /dev/null
+From aafd56fc79041bf36f97712d4b35208cbe07db90 Mon Sep 17 00:00:00 2001
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+Date: Fri, 28 Feb 2020 15:41:42 +0000
+Subject: pinctrl: core: Remove extra kref_get which blocks hogs being freed
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+commit aafd56fc79041bf36f97712d4b35208cbe07db90 upstream.
+
+kref_init starts with the reference count at 1, which will be balanced
+by the pinctrl_put in pinctrl_unregister. The additional kref_get in
+pinctrl_claim_hogs will increase this count to 2 and cause the hogs to
+not get freed when pinctrl_unregister is called.
+
+Fixes: 6118714275f0 ("pinctrl: core: Fix pinctrl_register_and_init() with pinctrl_enable()")
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20200228154142.13860-1-ckeepax@opensource.cirrus.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/pinctrl/core.c
++++ b/drivers/pinctrl/core.c
+@@ -2025,7 +2025,6 @@ static int pinctrl_claim_hogs(struct pin
+ return PTR_ERR(pctldev->p);
+ }
+
+- kref_get(&pctldev->p->users);
+ pctldev->hog_default =
+ pinctrl_lookup_state(pctldev->p, PINCTRL_STATE_DEFAULT);
+ if (IS_ERR(pctldev->hog_default)) {
--- /dev/null
+From 4c48e549f39f8ed10cf8a0b6cb96f5eddf0391ce Mon Sep 17 00:00:00 2001
+From: Leonard Crestez <leonard.crestez@nxp.com>
+Date: Thu, 20 Feb 2020 18:29:37 +0200
+Subject: pinctrl: imx: scu: Align imx sc msg structs to 4
+
+From: Leonard Crestez <leonard.crestez@nxp.com>
+
+commit 4c48e549f39f8ed10cf8a0b6cb96f5eddf0391ce upstream.
+
+The imx SC api strongly assumes that messages are composed out of
+4-bytes words but some of our message structs have odd sizeofs.
+
+This produces many oopses with CONFIG_KASAN=y.
+
+Fix by marking with __aligned(4).
+
+Fixes: b96eea718bf6 ("pinctrl: fsl: add scu based pinctrl support")
+Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
+Link: https://lore.kernel.org/r/bd7ad5fd755739a6d8d5f4f65e03b3ca4f457bd2.1582216144.git.leonard.crestez@nxp.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/freescale/pinctrl-scu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/freescale/pinctrl-scu.c
++++ b/drivers/pinctrl/freescale/pinctrl-scu.c
+@@ -23,12 +23,12 @@ struct imx_sc_msg_req_pad_set {
+ struct imx_sc_rpc_msg hdr;
+ u32 val;
+ u16 pad;
+-} __packed;
++} __packed __aligned(4);
+
+ struct imx_sc_msg_req_pad_get {
+ struct imx_sc_rpc_msg hdr;
+ u16 pad;
+-} __packed;
++} __packed __aligned(4);
+
+ struct imx_sc_msg_resp_pad_get {
+ struct imx_sc_rpc_msg hdr;
--- /dev/null
+From dc7a06b0dbbafac8623c2b7657e61362f2f479a7 Mon Sep 17 00:00:00 2001
+From: Nicolas Belin <nbelin@baylibre.com>
+Date: Thu, 20 Feb 2020 14:15:12 +0100
+Subject: pinctrl: meson-gxl: fix GPIOX sdio pins
+
+From: Nicolas Belin <nbelin@baylibre.com>
+
+commit dc7a06b0dbbafac8623c2b7657e61362f2f479a7 upstream.
+
+In the gxl driver, the sdio cmd and clk pins are inverted. It has not caused
+any issue so far because devices using these pins always take both pins
+so the resulting configuration is OK.
+
+Fixes: 0f15f500ff2c ("pinctrl: meson: Add GXL pinctrl definitions")
+Reviewed-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Nicolas Belin <nbelin@baylibre.com>
+Link: https://lore.kernel.org/r/1582204512-7582-1-git-send-email-nbelin@baylibre.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/meson/pinctrl-meson-gxl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/meson/pinctrl-meson-gxl.c
++++ b/drivers/pinctrl/meson/pinctrl-meson-gxl.c
+@@ -147,8 +147,8 @@ static const unsigned int sdio_d0_pins[]
+ static const unsigned int sdio_d1_pins[] = { GPIOX_1 };
+ static const unsigned int sdio_d2_pins[] = { GPIOX_2 };
+ static const unsigned int sdio_d3_pins[] = { GPIOX_3 };
+-static const unsigned int sdio_cmd_pins[] = { GPIOX_4 };
+-static const unsigned int sdio_clk_pins[] = { GPIOX_5 };
++static const unsigned int sdio_clk_pins[] = { GPIOX_4 };
++static const unsigned int sdio_cmd_pins[] = { GPIOX_5 };
+ static const unsigned int sdio_irq_pins[] = { GPIOX_7 };
+
+ static const unsigned int nand_ce0_pins[] = { BOOT_8 };
iommu-vt-d-dmar-replace-warn_taint-with-pr_warn-add_taint.patch
iommu-vt-d-fix-rcu-list-debugging-warnings.patch
iommu-vt-d-fix-a-bug-in-intel_iommu_iova_to_phys-for-huge-page.patch
+batman-adv-don-t-schedule-ogm-for-disabled-interface.patch
+clk-imx8mn-fix-incorrect-clock-defines.patch
+pinctrl-meson-gxl-fix-gpiox-sdio-pins.patch
+pinctrl-imx-scu-align-imx-sc-msg-structs-to-4.patch
+virtio_ring-fix-mem-leak-with-vring_new_virtqueue.patch
+i2c-i801-do-not-add-ich_res_io_smi-for-the-itco_wdt-device.patch
+drm-i915-gvt-fix-dma-buf-display-blur-issue-on-cfl.patch
+pinctrl-core-remove-extra-kref_get-which-blocks-hogs-being-freed.patch
+drm-i915-gvt-fix-unnecessary-schedule-timer-when-no-vgpu-exits.patch
+driver-code-clarify-and-fix-platform-device-dma-mask-allocation.patch
+iommu-vt-d-fix-rcu-list-bugs-in-intel_iommu_init.patch
+i2c-gpio-suppress-error-on-probe-defer.patch
+nl80211-add-missing-attribute-validation-for-critical-protocol-indication.patch
+nl80211-add-missing-attribute-validation-for-beacon-report-scanning.patch
+nl80211-add-missing-attribute-validation-for-channel-switch.patch
+perf-bench-futex-wake-restore-thread-count-default-to-online-cpu-count.patch
+netfilter-cthelper-add-missing-attribute-validation-for-cthelper.patch
--- /dev/null
+From f13f09a12cbd0c7b776e083c5d008b6c6a9c4e0b Mon Sep 17 00:00:00 2001
+From: Suman Anna <s-anna@ti.com>
+Date: Mon, 24 Feb 2020 15:26:43 -0600
+Subject: virtio_ring: Fix mem leak with vring_new_virtqueue()
+
+From: Suman Anna <s-anna@ti.com>
+
+commit f13f09a12cbd0c7b776e083c5d008b6c6a9c4e0b upstream.
+
+The functions vring_new_virtqueue() and __vring_new_virtqueue() are used
+with split rings, and any allocations within these functions are managed
+outside of the .we_own_ring flag. The commit cbeedb72b97a ("virtio_ring:
+allocate desc state for split ring separately") allocates the desc state
+within the __vring_new_virtqueue() but frees it only when the .we_own_ring
+flag is set. This leads to a memory leak when freeing such allocated
+virtqueues with the vring_del_virtqueue() function.
+
+Fix this by moving the desc_state free code outside the flag and only
+for split rings. Issue was discovered during testing with remoteproc
+and virtio_rpmsg.
+
+Fixes: cbeedb72b97a ("virtio_ring: allocate desc state for split ring separately")
+Signed-off-by: Suman Anna <s-anna@ti.com>
+Link: https://lore.kernel.org/r/20200224212643.30672-1-s-anna@ti.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virtio/virtio_ring.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/virtio/virtio_ring.c
++++ b/drivers/virtio/virtio_ring.c
+@@ -2203,10 +2203,10 @@ void vring_del_virtqueue(struct virtqueu
+ vq->split.queue_size_in_bytes,
+ vq->split.vring.desc,
+ vq->split.queue_dma_addr);
+-
+- kfree(vq->split.desc_state);
+ }
+ }
++ if (!vq->packed_ring)
++ kfree(vq->split.desc_state);
+ list_del(&_vq->list);
+ kfree(vq);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
