--- /dev/null
+From b585ed5baf02b9f51dfcc7a810b1b6fd9f380730 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Tue, 5 Mar 2019 19:34:05 +0800
+Subject: arm64: cpu_ops: fix a leaked reference by adding missing of_node_put
+
+[ Upstream commit 92606ec9285fb84cd9b5943df23f07d741384bfc ]
+
+The call to of_get_next_child returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+ ./arch/arm64/kernel/cpu_ops.c:102:1-7: ERROR: missing of_node_put;
+ acquired a node pointer with refcount incremented on line 69, but
+ without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/cpu_ops.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/kernel/cpu_ops.c b/arch/arm64/kernel/cpu_ops.c
+index b6bd7d4477683..fbd6aead48e10 100644
+--- a/arch/arm64/kernel/cpu_ops.c
++++ b/arch/arm64/kernel/cpu_ops.c
+@@ -73,6 +73,7 @@ static const char *__init cpu_read_enable_method(int cpu)
+ pr_err("%s: missing enable-method property\n",
+ dn->full_name);
+ }
++ of_node_put(dn);
+ } else {
+ enable_method = acpi_get_enable_method(cpu);
+ if (!enable_method)
+--
+2.20.1
+
--- /dev/null
+From 67f2ab0d67073224b706a8edf0a3efb8fd4a38f7 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 7 Mar 2019 11:11:30 +0100
+Subject: ASoC: davinci-mcasp: Fix clang warning without CONFIG_PM
+
+[ Upstream commit 8ca5104715cfd14254ea5aecc390ae583b707607 ]
+
+Building with clang shows a variable that is only used by the
+suspend/resume functions but defined outside of their #ifdef block:
+
+sound/soc/ti/davinci-mcasp.c:48:12: error: variable 'context_regs' is not needed and will not be emitted
+
+We commonly fix these by marking the PM functions as __maybe_unused,
+but here that would grow the davinci_mcasp structure, so instead
+add another #ifdef here.
+
+Fixes: 1cc0c054f380 ("ASoC: davinci-mcasp: Convert the context save/restore to use array")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/davinci/davinci-mcasp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/davinci/davinci-mcasp.c b/sound/soc/davinci/davinci-mcasp.c
+index 2ccb8bccc9d4c..512ec25c9ead1 100644
+--- a/sound/soc/davinci/davinci-mcasp.c
++++ b/sound/soc/davinci/davinci-mcasp.c
+@@ -43,6 +43,7 @@
+
+ #define MCASP_MAX_AFIFO_DEPTH 64
+
++#ifdef CONFIG_PM
+ static u32 context_regs[] = {
+ DAVINCI_MCASP_TXFMCTL_REG,
+ DAVINCI_MCASP_RXFMCTL_REG,
+@@ -65,6 +66,7 @@ struct davinci_mcasp_context {
+ u32 *xrsr_regs; /* for serializer configuration */
+ bool pm_state;
+ };
++#endif
+
+ struct davinci_mcasp_ruledata {
+ struct davinci_mcasp *mcasp;
+--
+2.20.1
+
--- /dev/null
+From d3cc660362f8816e1b59a7b1063b915250f6a051 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Tue, 26 Feb 2019 16:17:51 +0800
+Subject: ASoC: eukrea-tlv320: fix a leaked reference by adding missing
+ of_node_put
+
+[ Upstream commit b820d52e7eed7b30b2dfef5f4213a2bc3cbea6f3 ]
+
+The call to of_parse_phandle returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./sound/soc/fsl/eukrea-tlv320.c:121:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 102, but without a correspo nding object release within this function.
+./sound/soc/fsl/eukrea-tlv320.c:127:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 102, but without a correspo nding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Cc: alsa-devel@alsa-project.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/eukrea-tlv320.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/fsl/eukrea-tlv320.c b/sound/soc/fsl/eukrea-tlv320.c
+index 883087f2b092b..38132143b7d5e 100644
+--- a/sound/soc/fsl/eukrea-tlv320.c
++++ b/sound/soc/fsl/eukrea-tlv320.c
+@@ -119,13 +119,13 @@ static int eukrea_tlv320_probe(struct platform_device *pdev)
+ if (ret) {
+ dev_err(&pdev->dev,
+ "fsl,mux-int-port node missing or invalid.\n");
+- return ret;
++ goto err;
+ }
+ ret = of_property_read_u32(np, "fsl,mux-ext-port", &ext_port);
+ if (ret) {
+ dev_err(&pdev->dev,
+ "fsl,mux-ext-port node missing or invalid.\n");
+- return ret;
++ goto err;
+ }
+
+ /*
+--
+2.20.1
+
--- /dev/null
+From 728937a554c82f5c7f5eef0b0dbb5c290c7fd7f6 Mon Sep 17 00:00:00 2001
+From: Daniel Baluta <daniel.baluta@nxp.com>
+Date: Sun, 21 Apr 2019 19:39:08 +0000
+Subject: ASoC: fsl_sai: Update is_slave_mode with correct value
+
+[ Upstream commit ddb351145a967ee791a0fb0156852ec2fcb746ba ]
+
+is_slave_mode defaults to false because sai structure
+that contains it is kzalloc'ed.
+
+Anyhow, if we decide to set the following configuration
+SAI slave -> SAI master, is_slave_mode will remain set on true
+although SAI being master it should be set to false.
+
+Fix this by updating is_slave_mode for each call of
+fsl_sai_set_dai_fmt.
+
+Signed-off-by: Daniel Baluta <daniel.baluta@nxp.com>
+Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_sai.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
+index 08b460ba06efc..61d2d955f26a6 100644
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -260,12 +260,14 @@ static int fsl_sai_set_dai_fmt_tr(struct snd_soc_dai *cpu_dai,
+ case SND_SOC_DAIFMT_CBS_CFS:
+ val_cr2 |= FSL_SAI_CR2_BCD_MSTR;
+ val_cr4 |= FSL_SAI_CR4_FSD_MSTR;
++ sai->is_slave_mode = false;
+ break;
+ case SND_SOC_DAIFMT_CBM_CFM:
+ sai->is_slave_mode = true;
+ break;
+ case SND_SOC_DAIFMT_CBS_CFM:
+ val_cr2 |= FSL_SAI_CR2_BCD_MSTR;
++ sai->is_slave_mode = false;
+ break;
+ case SND_SOC_DAIFMT_CBM_CFS:
+ val_cr4 |= FSL_SAI_CR4_FSD_MSTR;
+--
+2.20.1
+
--- /dev/null
+From ef65a84f40cbd4d57520c34cb9467dc58ea9b930 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Tue, 26 Feb 2019 16:17:50 +0800
+Subject: ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put
+
+[ Upstream commit c705247136a523488eac806bd357c3e5d79a7acd ]
+
+The call to of_parse_phandle returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./sound/soc/fsl/fsl_utils.c:74:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 38, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Timur Tabi <timur@kernel.org>
+Cc: Nicolin Chen <nicoleotsuka@gmail.com>
+Cc: Xiubo Li <Xiubo.Lee@gmail.com>
+Cc: Fabio Estevam <festevam@gmail.com>
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Cc: alsa-devel@alsa-project.org
+Cc: linuxppc-dev@lists.ozlabs.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/fsl/fsl_utils.c b/sound/soc/fsl/fsl_utils.c
+index b9e42b503a377..4f8bdb7650e84 100644
+--- a/sound/soc/fsl/fsl_utils.c
++++ b/sound/soc/fsl/fsl_utils.c
+@@ -75,6 +75,7 @@ int fsl_asoc_get_dma_channel(struct device_node *ssi_np,
+ iprop = of_get_property(dma_np, "cell-index", NULL);
+ if (!iprop) {
+ of_node_put(dma_np);
++ of_node_put(dma_channel_np);
+ return -EINVAL;
+ }
+ *dma_id = be32_to_cpup(iprop);
+--
+2.20.1
+
--- /dev/null
+From b2596a8e3abf59670906fe2e87458c2beb10e505 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 16 Apr 2019 15:12:23 +0200
+Subject: ASoC: imx: fix fiq dependencies
+
+[ Upstream commit ea751227c813ab833609afecfeedaf0aa26f327e ]
+
+During randconfig builds, I occasionally run into an invalid configuration
+of the freescale FIQ sound support:
+
+WARNING: unmet direct dependencies detected for SND_SOC_IMX_PCM_FIQ
+ Depends on [m]: SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && SND_IMX_SOC [=m]
+ Selected by [y]:
+ - SND_SOC_FSL_SPDIF [=y] && SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && SND_IMX_SOC [=m]!=n && (MXC_TZIC [=n] || MXC_AVIC [=y])
+
+sound/soc/fsl/imx-ssi.o: In function `imx_ssi_remove':
+imx-ssi.c:(.text+0x28): undefined reference to `imx_pcm_fiq_exit'
+sound/soc/fsl/imx-ssi.o: In function `imx_ssi_probe':
+imx-ssi.c:(.text+0xa64): undefined reference to `imx_pcm_fiq_init'
+
+The Kconfig warning is a result of the symbol being defined inside of
+the "if SND_IMX_SOC" block, and is otherwise harmless. The link error
+is more tricky and happens with SND_SOC_IMX_SSI=y, which may or may not
+imply FIQ support. However, if SND_SOC_FSL_SSI is set to =m at the same
+time, that selects SND_SOC_IMX_PCM_FIQ as a loadable module dependency,
+which then causes a link failure from imx-ssi.
+
+The solution here is to make SND_SOC_IMX_PCM_FIQ built-in whenever
+one of its potential users is built-in.
+
+Fixes: ff40260f79dc ("ASoC: fsl: refine DMA/FIQ dependencies")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/Kconfig | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/fsl/Kconfig b/sound/soc/fsl/Kconfig
+index 3066e068aae5c..d420995ed45bf 100644
+--- a/sound/soc/fsl/Kconfig
++++ b/sound/soc/fsl/Kconfig
+@@ -171,16 +171,17 @@ config SND_MPC52xx_SOC_EFIKA
+
+ endif # SND_POWERPC_SOC
+
++config SND_SOC_IMX_PCM_FIQ
++ tristate
++ default y if SND_SOC_IMX_SSI=y && (SND_SOC_FSL_SSI=m || SND_SOC_FSL_SPDIF=m) && (MXC_TZIC || MXC_AVIC)
++ select FIQ
++
+ if SND_IMX_SOC
+
+ config SND_SOC_IMX_SSI
+ tristate
+ select SND_SOC_FSL_UTILS
+
+-config SND_SOC_IMX_PCM_FIQ
+- tristate
+- select FIQ
+-
+ comment "SoC Audio support for Freescale i.MX boards:"
+
+ config SND_MXC_SOC_WM1133_EV1
+--
+2.20.1
+
--- /dev/null
+From 9ef43ada1a0f14c29b9940e3407bf53aae420394 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wang6495@umn.edu>
+Date: Fri, 19 Apr 2019 20:49:29 -0500
+Subject: audit: fix a memory leak bug
+
+[ Upstream commit 70c4cf17e445264453bc5323db3e50aa0ac9e81f ]
+
+In audit_rule_change(), audit_data_to_entry() is firstly invoked to
+translate the payload data to the kernel's rule representation. In
+audit_data_to_entry(), depending on the audit field type, an audit tree may
+be created in audit_make_tree(), which eventually invokes kmalloc() to
+allocate the tree. Since this tree is a temporary tree, it will be then
+freed in the following execution, e.g., audit_add_rule() if the message
+type is AUDIT_ADD_RULE or audit_del_rule() if the message type is
+AUDIT_DEL_RULE. However, if the message type is neither AUDIT_ADD_RULE nor
+AUDIT_DEL_RULE, i.e., the default case of the switch statement, this
+temporary tree is not freed.
+
+To fix this issue, only allocate the tree when the type is AUDIT_ADD_RULE
+or AUDIT_DEL_RULE.
+
+Signed-off-by: Wenwen Wang <wang6495@umn.edu>
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/auditfilter.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
+index b57f929f1b468..cf7aa656b308b 100644
+--- a/kernel/auditfilter.c
++++ b/kernel/auditfilter.c
+@@ -1095,22 +1095,24 @@ int audit_rule_change(int type, __u32 portid, int seq, void *data,
+ int err = 0;
+ struct audit_entry *entry;
+
+- entry = audit_data_to_entry(data, datasz);
+- if (IS_ERR(entry))
+- return PTR_ERR(entry);
+-
+ switch (type) {
+ case AUDIT_ADD_RULE:
++ entry = audit_data_to_entry(data, datasz);
++ if (IS_ERR(entry))
++ return PTR_ERR(entry);
+ err = audit_add_rule(entry);
+ audit_log_rule_change("add_rule", &entry->rule, !err);
+ break;
+ case AUDIT_DEL_RULE:
++ entry = audit_data_to_entry(data, datasz);
++ if (IS_ERR(entry))
++ return PTR_ERR(entry);
+ err = audit_del_rule(entry);
+ audit_log_rule_change("remove_rule", &entry->rule, !err);
+ break;
+ default:
+- err = -EINVAL;
+ WARN_ON(1);
++ return -EINVAL;
+ }
+
+ if (err || type == AUDIT_DEL_RULE) {
+--
+2.20.1
+
--- /dev/null
+From 7afc8cddb5b15ab7d1075f91c0cce143f6175ca2 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 22 Mar 2019 15:37:02 +0100
+Subject: b43: shut up clang -Wuninitialized variable warning
+
+[ Upstream commit d825db346270dbceef83b7b750dbc29f1d7dcc0e ]
+
+Clang warns about what is clearly a case of passing an uninitalized
+variable into a static function:
+
+drivers/net/wireless/broadcom/b43/phy_lp.c:1852:23: error: variable 'gains' is uninitialized when used here
+ [-Werror,-Wuninitialized]
+ lpphy_papd_cal(dev, gains, 0, 1, 30);
+ ^~~~~
+drivers/net/wireless/broadcom/b43/phy_lp.c:1838:2: note: variable 'gains' is declared here
+ struct lpphy_tx_gains gains, oldgains;
+ ^
+1 error generated.
+
+However, this function is empty, and its arguments are never evaluated,
+so gcc in contrast does not warn here. Both compilers behave in a
+reasonable way as far as I can tell, so we should change the code
+to avoid the warning everywhere.
+
+We could just eliminate the lpphy_papd_cal() function entirely,
+given that it has had the TODO comment in it for 10 years now
+and is rather unlikely to ever get done. I'm doing a simpler
+change here, and just pass the 'oldgains' variable in that has
+been initialized, based on the guess that this is what was
+originally meant.
+
+Fixes: 2c0d6100da3e ("b43: LP-PHY: Begin implementing calibration & software RFKILL support")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/b43/phy_lp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/b43/phy_lp.c b/drivers/net/wireless/b43/phy_lp.c
+index 058a9f2320503..55cb07693ae80 100644
+--- a/drivers/net/wireless/b43/phy_lp.c
++++ b/drivers/net/wireless/b43/phy_lp.c
+@@ -1834,7 +1834,7 @@ static void lpphy_papd_cal(struct b43_wldev *dev, struct lpphy_tx_gains gains,
+ static void lpphy_papd_cal_txpwr(struct b43_wldev *dev)
+ {
+ struct b43_phy_lp *lpphy = dev->phy.lp;
+- struct lpphy_tx_gains gains, oldgains;
++ struct lpphy_tx_gains oldgains;
+ int old_txpctl, old_afe_ovr, old_rf, old_bbmult;
+
+ lpphy_read_tx_pctl_mode_from_hardware(dev);
+@@ -1848,9 +1848,9 @@ static void lpphy_papd_cal_txpwr(struct b43_wldev *dev)
+ lpphy_set_tx_power_control(dev, B43_LPPHY_TXPCTL_OFF);
+
+ if (dev->dev->chip_id == 0x4325 && dev->dev->chip_rev == 0)
+- lpphy_papd_cal(dev, gains, 0, 1, 30);
++ lpphy_papd_cal(dev, oldgains, 0, 1, 30);
+ else
+- lpphy_papd_cal(dev, gains, 0, 1, 65);
++ lpphy_papd_cal(dev, oldgains, 0, 1, 65);
+
+ if (old_afe_ovr)
+ lpphy_set_tx_gains(dev, oldgains);
+--
+2.20.1
+
--- /dev/null
+From b6c49aaa593587501f23e3c2d6248ef8e79d6b59 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Thu, 25 Apr 2019 00:48:34 +0800
+Subject: bcache: add failure check to run_cache_set() for journal replay
+
+[ Upstream commit ce3e4cfb59cb382f8e5ce359238aa580d4ae7778 ]
+
+Currently run_cache_set() has no return value, if there is failure in
+bch_journal_replay(), the caller of run_cache_set() has no idea about
+such failure and just continue to execute following code after
+run_cache_set(). The internal failure is triggered inside
+bch_journal_replay() and being handled in async way. This behavior is
+inefficient, while failure handling inside bch_journal_replay(), cache
+register code is still running to start the cache set. Registering and
+unregistering code running as same time may introduce some rare race
+condition, and make the code to be more hard to be understood.
+
+This patch adds return value to run_cache_set(), and returns -EIO if
+bch_journal_rreplay() fails. Then caller of run_cache_set() may detect
+such failure and stop registering code flow immedidately inside
+register_cache_set().
+
+If journal replay fails, run_cache_set() can report error immediately
+to register_cache_set(). This patch makes the failure handling for
+bch_journal_replay() be in synchronized way, easier to understand and
+debug, and avoid poetential race condition for register-and-unregister
+in same time.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index 2140c5b48b511..02757b90e4029 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1558,7 +1558,7 @@ struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)
+ return NULL;
+ }
+
+-static void run_cache_set(struct cache_set *c)
++static int run_cache_set(struct cache_set *c)
+ {
+ const char *err = "cannot allocate memory";
+ struct cached_dev *dc, *t;
+@@ -1650,7 +1650,9 @@ static void run_cache_set(struct cache_set *c)
+ if (j->version < BCACHE_JSET_VERSION_UUID)
+ __uuid_write(c);
+
+- bch_journal_replay(c, &journal);
++ err = "bcache: replay journal failed";
++ if (bch_journal_replay(c, &journal))
++ goto err;
+ } else {
+ pr_notice("invalidating existing data");
+
+@@ -1718,11 +1720,13 @@ static void run_cache_set(struct cache_set *c)
+ flash_devs_run(c);
+
+ set_bit(CACHE_SET_RUNNING, &c->flags);
+- return;
++ return 0;
+ err:
+ closure_sync(&cl);
+ /* XXX: test this, it's broken */
+ bch_cache_set_error(c, "%s", err);
++
++ return -EIO;
+ }
+
+ static bool can_attach_cache(struct cache *ca, struct cache_set *c)
+@@ -1786,8 +1790,11 @@ static const char *register_cache_set(struct cache *ca)
+ ca->set->cache[ca->sb.nr_this_dev] = ca;
+ c->cache_by_alloc[c->caches_loaded++] = ca;
+
+- if (c->caches_loaded == c->sb.nr_in_set)
+- run_cache_set(c);
++ if (c->caches_loaded == c->sb.nr_in_set) {
++ err = "failed to run cache set";
++ if (run_cache_set(c) < 0)
++ goto err;
++ }
+
+ return NULL;
+ err:
+--
+2.20.1
+
--- /dev/null
+From 5c20f4898dd54fb9a51d7c4e2438f099ed1e2d5d Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 25 Apr 2019 00:48:28 +0800
+Subject: bcache: avoid clang -Wunintialized warning
+
+[ Upstream commit 78d4eb8ad9e1d413449d1b7a060f50b6efa81ebd ]
+
+clang has identified a code path in which it thinks a
+variable may be unused:
+
+drivers/md/bcache/alloc.c:333:4: error: variable 'bucket' is used uninitialized whenever 'if' condition is false
+ [-Werror,-Wsometimes-uninitialized]
+ fifo_pop(&ca->free_inc, bucket);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/md/bcache/util.h:219:27: note: expanded from macro 'fifo_pop'
+ #define fifo_pop(fifo, i) fifo_pop_front(fifo, (i))
+ ^~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/md/bcache/util.h:189:6: note: expanded from macro 'fifo_pop_front'
+ if (_r) { \
+ ^~
+drivers/md/bcache/alloc.c:343:46: note: uninitialized use occurs here
+ allocator_wait(ca, bch_allocator_push(ca, bucket));
+ ^~~~~~
+drivers/md/bcache/alloc.c:287:7: note: expanded from macro 'allocator_wait'
+ if (cond) \
+ ^~~~
+drivers/md/bcache/alloc.c:333:4: note: remove the 'if' if its condition is always true
+ fifo_pop(&ca->free_inc, bucket);
+ ^
+drivers/md/bcache/util.h:219:27: note: expanded from macro 'fifo_pop'
+ #define fifo_pop(fifo, i) fifo_pop_front(fifo, (i))
+ ^
+drivers/md/bcache/util.h:189:2: note: expanded from macro 'fifo_pop_front'
+ if (_r) { \
+ ^
+drivers/md/bcache/alloc.c:331:15: note: initialize the variable 'bucket' to silence this warning
+ long bucket;
+ ^
+
+This cannot happen in practice because we only enter the loop
+if there is at least one element in the list.
+
+Slightly rearranging the code makes this clearer to both the
+reader and the compiler, which avoids the warning.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/alloc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/bcache/alloc.c b/drivers/md/bcache/alloc.c
+index 16c3390e5d9f3..d82ae445c9ee3 100644
+--- a/drivers/md/bcache/alloc.c
++++ b/drivers/md/bcache/alloc.c
+@@ -324,10 +324,11 @@ static int bch_allocator_thread(void *arg)
+ * possibly issue discards to them, then we add the bucket to
+ * the free list:
+ */
+- while (!fifo_empty(&ca->free_inc)) {
++ while (1) {
+ long bucket;
+
+- fifo_pop(&ca->free_inc, bucket);
++ if (!fifo_pop(&ca->free_inc, bucket))
++ break;
+
+ if (ca->discard) {
+ mutex_unlock(&ca->set->bucket_lock);
+--
+2.20.1
+
--- /dev/null
+From b38b56db8e1df58924a756901f269627ac9521b0 Mon Sep 17 00:00:00 2001
+From: Tang Junhui <tang.junhui.linux@gmail.com>
+Date: Thu, 25 Apr 2019 00:48:41 +0800
+Subject: bcache: fix failure in journal relplay
+
+[ Upstream commit 631207314d88e9091be02fbdd1fdadb1ae2ed79a ]
+
+journal replay failed with messages:
+Sep 10 19:10:43 ceph kernel: bcache: error on
+bb379a64-e44e-4812-b91d-a5599871a3b1: bcache: journal entries
+2057493-2057567 missing! (replaying 2057493-2076601), disabling
+caching
+
+The reason is in journal_reclaim(), when discard is enabled, we send
+discard command and reclaim those journal buckets whose seq is old
+than the last_seq_now, but before we write a journal with last_seq_now,
+the machine is restarted, so the journal with the last_seq_now is not
+written to the journal bucket, and the last_seq_wrote in the newest
+journal is old than last_seq_now which we expect to be, so when we doing
+replay, journals from last_seq_wrote to last_seq_now are missing.
+
+It's hard to write a journal immediately after journal_reclaim(),
+and it harmless if those missed journal are caused by discarding
+since those journals are already wrote to btree node. So, if miss
+seqs are started from the beginning journal, we treat it as normal,
+and only print a message to show the miss journal, and point out
+it maybe caused by discarding.
+
+Patch v2 add a judgement condition to ignore the missed journal
+only when discard enabled as Coly suggested.
+
+(Coly Li: rebase the patch with other changes in bch_journal_replay())
+
+Signed-off-by: Tang Junhui <tang.junhui.linux@gmail.com>
+Tested-by: Dennis Schridde <devurandom@gmx.net>
+Signed-off-by: Coly Li <colyli@suse.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/journal.c | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c
+index 3a102f88eb326..6f9db98f2dfd7 100644
+--- a/drivers/md/bcache/journal.c
++++ b/drivers/md/bcache/journal.c
+@@ -309,6 +309,18 @@ void bch_journal_mark(struct cache_set *c, struct list_head *list)
+ }
+ }
+
++bool is_discard_enabled(struct cache_set *s)
++{
++ struct cache *ca;
++ unsigned int i;
++
++ for_each_cache(ca, s, i)
++ if (ca->discard)
++ return true;
++
++ return false;
++}
++
+ int bch_journal_replay(struct cache_set *s, struct list_head *list)
+ {
+ int ret = 0, keys = 0, entries = 0;
+@@ -323,10 +335,15 @@ int bch_journal_replay(struct cache_set *s, struct list_head *list)
+ BUG_ON(i->pin && atomic_read(i->pin) != 1);
+
+ if (n != i->j.seq) {
+- pr_err("bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)",
+- n, i->j.seq - 1, start, end);
+- ret = -EIO;
+- goto err;
++ if (n == start && is_discard_enabled(s))
++ pr_info("bcache: journal entries %llu-%llu may be discarded! (replaying %llu-%llu)",
++ n, i->j.seq - 1, start, end);
++ else {
++ pr_err("bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)",
++ n, i->j.seq - 1, start, end);
++ ret = -EIO;
++ goto err;
++ }
+ }
+
+ for (k = i->j.start;
+--
+2.20.1
+
--- /dev/null
+From 16320e7f328aacccf44d5a63dd1312e466a58b7b Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Thu, 25 Apr 2019 00:48:36 +0800
+Subject: bcache: return error immediately in bch_journal_replay()
+
+[ Upstream commit 68d10e6979a3b59e3cd2e90bfcafed79c4cf180a ]
+
+When failure happens inside bch_journal_replay(), calling
+cache_set_err_on() and handling the failure in async way is not a good
+idea. Because after bch_journal_replay() returns, registering code will
+continue to execute following steps, and unregistering code triggered
+by cache_set_err_on() is running in same time. First it is unnecessary
+to handle failure and unregister cache set in an async way, second there
+might be potential race condition to run register and unregister code
+for same cache set.
+
+So in this patch, if failure happens in bch_journal_replay(), we don't
+call cache_set_err_on(), and just print out the same error message to
+kernel message buffer, then return -EIO immediately caller. Then caller
+can detect such failure and handle it in synchrnozied way.
+
+Signed-off-by: Coly Li <colyli@suse.de>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/journal.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c
+index e9d9333940deb..3a102f88eb326 100644
+--- a/drivers/md/bcache/journal.c
++++ b/drivers/md/bcache/journal.c
+@@ -322,9 +322,12 @@ int bch_journal_replay(struct cache_set *s, struct list_head *list)
+ list_for_each_entry(i, list, list) {
+ BUG_ON(i->pin && atomic_read(i->pin) != 1);
+
+- cache_set_err_on(n != i->j.seq, s,
+-"bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)",
+- n, i->j.seq - 1, start, end);
++ if (n != i->j.seq) {
++ pr_err("bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)",
++ n, i->j.seq - 1, start, end);
++ ret = -EIO;
++ goto err;
++ }
+
+ for (k = i->j.start;
+ k < bset_bkey_last(&i->j);
+--
+2.20.1
+
--- /dev/null
+From c8589b243b703188666e6a7a4f1cdcde5bde1561 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 24 Apr 2019 12:52:18 +0300
+Subject: brcm80211: potential NULL dereference in
+ brcmf_cfg80211_vndr_cmds_dcmd_handler()
+
+[ Upstream commit e025da3d7aa4770bb1d1b3b0aa7cc4da1744852d ]
+
+If "ret_len" is negative then it could lead to a NULL dereference.
+
+The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative
+then we don't allocate the "dcmd_buf" buffer. Then we pass "ret_len" to
+brcmf_fil_cmd_data_set() where it is cast to a very high u32 value.
+Most of the functions in that call tree check whether the buffer we pass
+is NULL but there are at least a couple places which don't such as
+brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd(). We memcpy() to and
+from the buffer so it would result in a NULL dereference.
+
+The fix is to change the types so that "ret_len" can't be negative. (If
+we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an
+issue).
+
+Fixes: 1bacb0487d0e ("brcmfmac: replace cfg80211 testmode with vendor command")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/brcm80211/brcmfmac/vendor.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/brcm80211/brcmfmac/vendor.c b/drivers/net/wireless/brcm80211/brcmfmac/vendor.c
+index 8eff2753abade..d493021f60318 100644
+--- a/drivers/net/wireless/brcm80211/brcmfmac/vendor.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/vendor.c
+@@ -35,9 +35,10 @@ static int brcmf_cfg80211_vndr_cmds_dcmd_handler(struct wiphy *wiphy,
+ struct brcmf_if *ifp;
+ const struct brcmf_vndr_dcmd_hdr *cmdhdr = data;
+ struct sk_buff *reply;
+- int ret, payload, ret_len;
++ unsigned int payload, ret_len;
+ void *dcmd_buf = NULL, *wr_pointer;
+ u16 msglen, maxmsglen = PAGE_SIZE - 0x100;
++ int ret;
+
+ if (len < sizeof(*cmdhdr)) {
+ brcmf_err("vendor command too short: %d\n", len);
+@@ -65,7 +66,7 @@ static int brcmf_cfg80211_vndr_cmds_dcmd_handler(struct wiphy *wiphy,
+ brcmf_err("oversize return buffer %d\n", ret_len);
+ ret_len = BRCMF_DCMD_MAXLEN;
+ }
+- payload = max(ret_len, len) + 1;
++ payload = max_t(unsigned int, ret_len, len) + 1;
+ dcmd_buf = vzalloc(payload);
+ if (NULL == dcmd_buf)
+ return -ENOMEM;
+--
+2.20.1
+
--- /dev/null
+From 7f4a45b30014254e12ee7bd391c481bbcf8a0226 Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Wed, 13 Mar 2019 09:52:42 +0000
+Subject: brcmfmac: convert dev_init_lock mutex to completion
+
+[ Upstream commit a9fd0953fa4a62887306be28641b4b0809f3b2fd ]
+
+Leaving dev_init_lock mutex locked in probe causes BUG and a WARNING when
+kernel is compiled with CONFIG_PROVE_LOCKING. Convert mutex to completion
+which silences those warnings and improves code readability.
+
+Fix below errors when connecting the USB WiFi dongle:
+
+brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43143 for chip BCM43143/2
+BUG: workqueue leaked lock or atomic: kworker/0:2/0x00000000/434
+ last function: hub_event
+1 lock held by kworker/0:2/434:
+ #0: 18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
+CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+Workqueue: usb_hub_wq hub_event
+[<8011237c>] (unwind_backtrace) from [<8010d74c>] (show_stack+0x10/0x14)
+[<8010d74c>] (show_stack) from [<809c4324>] (dump_stack+0xa8/0xd4)
+[<809c4324>] (dump_stack) from [<8014195c>] (process_one_work+0x710/0x808)
+[<8014195c>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
+[<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
+[<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+Exception stack(0xed1d9fb0 to 0xed1d9ff8)
+9fa0: 00000000 00000000 00000000 00000000
+9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+
+======================================================
+WARNING: possible circular locking dependency detected
+4.19.23-00084-g454a789-dirty #123 Not tainted
+------------------------------------------------------
+kworker/0:2/434 is trying to acquire lock:
+e29cf799 ((wq_completion)"events"){+.+.}, at: process_one_work+0x174/0x808
+
+but task is already holding lock:
+18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #2 (&devinfo->dev_init_lock){+.+.}:
+ mutex_lock_nested+0x1c/0x24
+ brcmf_usb_probe+0x78/0x550 [brcmfmac]
+ usb_probe_interface+0xc0/0x1bc
+ really_probe+0x228/0x2c0
+ __driver_attach+0xe4/0xe8
+ bus_for_each_dev+0x68/0xb4
+ bus_add_driver+0x19c/0x214
+ driver_register+0x78/0x110
+ usb_register_driver+0x84/0x148
+ process_one_work+0x228/0x808
+ worker_thread+0x2c/0x564
+ kthread+0x13c/0x16c
+ ret_from_fork+0x14/0x20
+ (null)
+
+-> #1 (brcmf_driver_work){+.+.}:
+ worker_thread+0x2c/0x564
+ kthread+0x13c/0x16c
+ ret_from_fork+0x14/0x20
+ (null)
+
+-> #0 ((wq_completion)"events"){+.+.}:
+ process_one_work+0x1b8/0x808
+ worker_thread+0x2c/0x564
+ kthread+0x13c/0x16c
+ ret_from_fork+0x14/0x20
+ (null)
+
+other info that might help us debug this:
+
+Chain exists of:
+ (wq_completion)"events" --> brcmf_driver_work --> &devinfo->dev_init_lock
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&devinfo->dev_init_lock);
+ lock(brcmf_driver_work);
+ lock(&devinfo->dev_init_lock);
+ lock((wq_completion)"events");
+
+ *** DEADLOCK ***
+
+1 lock held by kworker/0:2/434:
+ #0: 18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
+
+stack backtrace:
+CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+Workqueue: events request_firmware_work_func
+[<8011237c>] (unwind_backtrace) from [<8010d74c>] (show_stack+0x10/0x14)
+[<8010d74c>] (show_stack) from [<809c4324>] (dump_stack+0xa8/0xd4)
+[<809c4324>] (dump_stack) from [<80172838>] (print_circular_bug+0x210/0x330)
+[<80172838>] (print_circular_bug) from [<80175940>] (__lock_acquire+0x160c/0x1a30)
+[<80175940>] (__lock_acquire) from [<8017671c>] (lock_acquire+0xe0/0x268)
+[<8017671c>] (lock_acquire) from [<80141404>] (process_one_work+0x1b8/0x808)
+[<80141404>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
+[<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
+[<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+Exception stack(0xed1d9fb0 to 0xed1d9ff8)
+9fa0: 00000000 00000000 00000000 00000000
+9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/brcm80211/brcmfmac/usb.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
+index 689e64d004bc5..32b7b8a8f80c6 100644
+--- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
+@@ -144,7 +144,7 @@ struct brcmf_usbdev_info {
+
+ struct usb_device *usbdev;
+ struct device *dev;
+- struct mutex dev_init_lock;
++ struct completion dev_init_done;
+
+ int ctl_in_pipe, ctl_out_pipe;
+ struct urb *ctl_urb; /* URB for control endpoint */
+@@ -1226,11 +1226,11 @@ static void brcmf_usb_probe_phase2(struct device *dev,
+ if (ret)
+ goto error;
+
+- mutex_unlock(&devinfo->dev_init_lock);
++ complete(&devinfo->dev_init_done);
+ return;
+ error:
+ brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), ret);
+- mutex_unlock(&devinfo->dev_init_lock);
++ complete(&devinfo->dev_init_done);
+ device_release_driver(dev);
+ }
+
+@@ -1268,7 +1268,7 @@ static int brcmf_usb_probe_cb(struct brcmf_usbdev_info *devinfo)
+ if (ret)
+ goto fail;
+ /* we are done */
+- mutex_unlock(&devinfo->dev_init_lock);
++ complete(&devinfo->dev_init_done);
+ return 0;
+ }
+ bus->chip = bus_pub->devid;
+@@ -1322,11 +1322,10 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
+
+ devinfo->usbdev = usb;
+ devinfo->dev = &usb->dev;
+- /* Take an init lock, to protect for disconnect while still loading.
++ /* Init completion, to protect for disconnect while still loading.
+ * Necessary because of the asynchronous firmware load construction
+ */
+- mutex_init(&devinfo->dev_init_lock);
+- mutex_lock(&devinfo->dev_init_lock);
++ init_completion(&devinfo->dev_init_done);
+
+ usb_set_intfdata(intf, devinfo);
+
+@@ -1402,7 +1401,7 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
+ return 0;
+
+ fail:
+- mutex_unlock(&devinfo->dev_init_lock);
++ complete(&devinfo->dev_init_done);
+ kfree(devinfo);
+ usb_set_intfdata(intf, NULL);
+ return ret;
+@@ -1417,7 +1416,7 @@ brcmf_usb_disconnect(struct usb_interface *intf)
+ devinfo = (struct brcmf_usbdev_info *)usb_get_intfdata(intf);
+
+ if (devinfo) {
+- mutex_lock(&devinfo->dev_init_lock);
++ wait_for_completion(&devinfo->dev_init_done);
+ /* Make sure that devinfo still exists. Firmware probe routines
+ * may have released the device and cleared the intfdata.
+ */
+--
+2.20.1
+
--- /dev/null
+From d0850600ccb447f42780491fb0d85ade5c633a07 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 15 Mar 2019 12:04:32 -0500
+Subject: brcmfmac: fix missing checks for kmemdup
+
+[ Upstream commit 46953f97224d56a12ccbe9c6acaa84ca0dab2780 ]
+
+In case kmemdup fails, the fix sets conn_info->req_ie_len and
+conn_info->resp_ie_len to zero to avoid buffer overflows.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
+index ad35e760ed3f0..e3f5dacd918d7 100644
+--- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
+@@ -4836,6 +4836,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
+ conn_info->req_ie =
+ kmemdup(cfg->extra_buf, conn_info->req_ie_len,
+ GFP_KERNEL);
++ if (!conn_info->req_ie)
++ conn_info->req_ie_len = 0;
+ } else {
+ conn_info->req_ie_len = 0;
+ conn_info->req_ie = NULL;
+@@ -4852,6 +4854,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
+ conn_info->resp_ie =
+ kmemdup(cfg->extra_buf, conn_info->resp_ie_len,
+ GFP_KERNEL);
++ if (!conn_info->resp_ie)
++ conn_info->resp_ie_len = 0;
+ } else {
+ conn_info->resp_ie_len = 0;
+ conn_info->resp_ie = NULL;
+--
+2.20.1
+
--- /dev/null
+From 5a3f0d5b05b218ff5ce7d69105c822bcfbd0cd4a Mon Sep 17 00:00:00 2001
+From: Piotr Figiel <p.figiel@camlintechnologies.com>
+Date: Fri, 8 Mar 2019 15:25:04 +0000
+Subject: brcmfmac: fix race during disconnect when USB completion is in
+ progress
+
+[ Upstream commit db3b9e2e1d58080d0754bdf9293dabf8c6491b67 ]
+
+It was observed that rarely during USB disconnect happening shortly after
+connect (before full initialization completes) usb_hub_wq would wait
+forever for the dev_init_lock to be unlocked. dev_init_lock would remain
+locked though because of infinite wait during usb_kill_urb:
+
+[ 2730.656472] kworker/0:2 D 0 260 2 0x00000000
+[ 2730.660700] Workqueue: events request_firmware_work_func
+[ 2730.664807] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac)
+[ 2730.670587] [<809dd164>] (schedule) from [<8069af44>] (usb_kill_urb+0xdc/0x114)
+[ 2730.676815] [<8069af44>] (usb_kill_urb) from [<7f258b50>] (brcmf_usb_free_q+0x34/0xa8 [brcmfmac])
+[ 2730.684833] [<7f258b50>] (brcmf_usb_free_q [brcmfmac]) from [<7f2517d4>] (brcmf_detach+0xa0/0xb8 [brcmfmac])
+[ 2730.693557] [<7f2517d4>] (brcmf_detach [brcmfmac]) from [<7f251a34>] (brcmf_attach+0xac/0x3d8 [brcmfmac])
+[ 2730.702094] [<7f251a34>] (brcmf_attach [brcmfmac]) from [<7f2587ac>] (brcmf_usb_probe_phase2+0x468/0x4a0 [brcmfmac])
+[ 2730.711601] [<7f2587ac>] (brcmf_usb_probe_phase2 [brcmfmac]) from [<7f252888>] (brcmf_fw_request_done+0x194/0x220 [brcmfmac])
+[ 2730.721795] [<7f252888>] (brcmf_fw_request_done [brcmfmac]) from [<805748e4>] (request_firmware_work_func+0x4c/0x88)
+[ 2730.731125] [<805748e4>] (request_firmware_work_func) from [<80141474>] (process_one_work+0x228/0x808)
+[ 2730.739223] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
+[ 2730.746105] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
+[ 2730.752227] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+
+[ 2733.099695] kworker/0:3 D 0 1065 2 0x00000000
+[ 2733.103926] Workqueue: usb_hub_wq hub_event
+[ 2733.106914] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac)
+[ 2733.112693] [<809dd164>] (schedule) from [<809e2a8c>] (schedule_timeout+0x214/0x3e4)
+[ 2733.119621] [<809e2a8c>] (schedule_timeout) from [<809dde2c>] (wait_for_common+0xc4/0x1c0)
+[ 2733.126810] [<809dde2c>] (wait_for_common) from [<7f258d00>] (brcmf_usb_disconnect+0x1c/0x4c [brcmfmac])
+[ 2733.135206] [<7f258d00>] (brcmf_usb_disconnect [brcmfmac]) from [<8069e0c8>] (usb_unbind_interface+0x5c/0x1e4)
+[ 2733.143943] [<8069e0c8>] (usb_unbind_interface) from [<8056d3e8>] (device_release_driver_internal+0x164/0x1fc)
+[ 2733.152769] [<8056d3e8>] (device_release_driver_internal) from [<8056c078>] (bus_remove_device+0xd0/0xfc)
+[ 2733.161138] [<8056c078>] (bus_remove_device) from [<8056977c>] (device_del+0x11c/0x310)
+[ 2733.167939] [<8056977c>] (device_del) from [<8069cba8>] (usb_disable_device+0xa0/0x1cc)
+[ 2733.174743] [<8069cba8>] (usb_disable_device) from [<8069507c>] (usb_disconnect+0x74/0x1dc)
+[ 2733.181823] [<8069507c>] (usb_disconnect) from [<80695e88>] (hub_event+0x478/0xf88)
+[ 2733.188278] [<80695e88>] (hub_event) from [<80141474>] (process_one_work+0x228/0x808)
+[ 2733.194905] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
+[ 2733.201724] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
+[ 2733.207913] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+
+It was traced down to a case where usb_kill_urb would be called on an URB
+structure containing more or less random data, including large number in
+its use_count. During the debugging it appeared that in brcmf_usb_free_q()
+the traversal over URBs' lists is not synchronized with operations on those
+lists in brcmf_usb_rx_complete() leading to handling
+brcmf_usbdev_info structure (holding lists' head) as lists' element and in
+result causing above problem.
+
+Fix it by walking through all URBs during brcmf_cancel_all_urbs using the
+arrays of requests instead of linked lists.
+
+Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/brcm80211/brcmfmac/usb.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
+index 32b7b8a8f80c6..8a7da04a9ed4b 100644
+--- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
+@@ -669,12 +669,18 @@ static int brcmf_usb_up(struct device *dev)
+
+ static void brcmf_cancel_all_urbs(struct brcmf_usbdev_info *devinfo)
+ {
++ int i;
++
+ if (devinfo->ctl_urb)
+ usb_kill_urb(devinfo->ctl_urb);
+ if (devinfo->bulk_urb)
+ usb_kill_urb(devinfo->bulk_urb);
+- brcmf_usb_free_q(&devinfo->tx_postq, true);
+- brcmf_usb_free_q(&devinfo->rx_postq, true);
++ if (devinfo->tx_reqs)
++ for (i = 0; i < devinfo->bus_pub.ntxq; i++)
++ usb_kill_urb(devinfo->tx_reqs[i].urb);
++ if (devinfo->rx_reqs)
++ for (i = 0; i < devinfo->bus_pub.nrxq; i++)
++ usb_kill_urb(devinfo->rx_reqs[i].urb);
+ }
+
+ static void brcmf_usb_down(struct device *dev)
+--
+2.20.1
+
--- /dev/null
+From 08c271e02d02ab497ace99b9f4fa7486836500a0 Mon Sep 17 00:00:00 2001
+From: Chengguang Xu <cgxu519@gmx.com>
+Date: Fri, 15 Feb 2019 20:27:11 +0800
+Subject: chardev: add additional check for minor range overlap
+
+[ Upstream commit de36e16d1557a0b6eb328bc3516359a12ba5c25c ]
+
+Current overlap checking cannot correctly handle
+a case which is baseminor < existing baseminor &&
+baseminor + minorct > existing baseminor + minorct.
+
+Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/char_dev.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/char_dev.c b/fs/char_dev.c
+index 24b142569ca9b..d0655ca894816 100644
+--- a/fs/char_dev.c
++++ b/fs/char_dev.c
+@@ -130,6 +130,12 @@ __register_chrdev_region(unsigned int major, unsigned int baseminor,
+ ret = -EBUSY;
+ goto out;
+ }
++
++ if (new_min < old_min && new_max > old_max) {
++ ret = -EBUSY;
++ goto out;
++ }
++
+ }
+
+ cd->next = *cp;
+--
+2.20.1
+
--- /dev/null
+From b576e7df3910b23b1093a4d0770e6b77a11e2f4f Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Mon, 1 Apr 2019 09:37:52 +0800
+Subject: cpufreq/pasemi: fix possible object reference leak
+
+[ Upstream commit a9acc26b75f652f697e02a9febe2ab0da648a571 ]
+
+The call to of_get_cpu_node returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/cpufreq/pasemi-cpufreq.c:212:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 147, but without a corresponding object release within this function.
+./drivers/cpufreq/pasemi-cpufreq.c:220:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 147, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: linuxppc-dev@lists.ozlabs.org
+Cc: linux-pm@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/pasemi-cpufreq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c
+index 35dd4d7ffee08..58c933f483004 100644
+--- a/drivers/cpufreq/pasemi-cpufreq.c
++++ b/drivers/cpufreq/pasemi-cpufreq.c
+@@ -146,6 +146,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
+
+ cpu = of_get_cpu_node(policy->cpu, NULL);
+
++ of_node_put(cpu);
+ if (!cpu)
+ goto out;
+
+--
+2.20.1
+
--- /dev/null
+From ad530bf74c75ae48b3acb699602c45cb65f31812 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Mon, 1 Apr 2019 09:37:53 +0800
+Subject: cpufreq: pmac32: fix possible object reference leak
+
+[ Upstream commit 8d10dc28a9ea6e8c02e825dab28699f3c72b02d9 ]
+
+The call to of_find_node_by_name returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/cpufreq/pmac32-cpufreq.c:557:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 552, but without a corresponding object release within this function.
+./drivers/cpufreq/pmac32-cpufreq.c:569:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 552, but without a corresponding object release within this function.
+./drivers/cpufreq/pmac32-cpufreq.c:598:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 587, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: linux-pm@vger.kernel.org
+Cc: linuxppc-dev@lists.ozlabs.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/pmac32-cpufreq.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/cpufreq/pmac32-cpufreq.c b/drivers/cpufreq/pmac32-cpufreq.c
+index 1f49d97a70ea1..14928e0dc3265 100644
+--- a/drivers/cpufreq/pmac32-cpufreq.c
++++ b/drivers/cpufreq/pmac32-cpufreq.c
+@@ -549,6 +549,7 @@ static int pmac_cpufreq_init_7447A(struct device_node *cpunode)
+ volt_gpio_np = of_find_node_by_name(NULL, "cpu-vcore-select");
+ if (volt_gpio_np)
+ voltage_gpio = read_gpio(volt_gpio_np);
++ of_node_put(volt_gpio_np);
+ if (!voltage_gpio){
+ printk(KERN_ERR "cpufreq: missing cpu-vcore-select gpio\n");
+ return 1;
+@@ -585,6 +586,7 @@ static int pmac_cpufreq_init_750FX(struct device_node *cpunode)
+ if (volt_gpio_np)
+ voltage_gpio = read_gpio(volt_gpio_np);
+
++ of_node_put(volt_gpio_np);
+ pvr = mfspr(SPRN_PVR);
+ has_cpu_l2lve = !((pvr & 0xf00) == 0x100);
+
+--
+2.20.1
+
--- /dev/null
+From 78b07f7e18ccc1149ef3e29318c6c22cb304998d Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Mon, 1 Apr 2019 09:37:54 +0800
+Subject: cpufreq: ppc_cbe: fix possible object reference leak
+
+[ Upstream commit 233298032803f2802fe99892d0de4ab653bfece4 ]
+
+The call to of_get_cpu_node returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/cpufreq/ppc_cbe_cpufreq.c:89:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 76, but without a corresponding object release within this function.
+./drivers/cpufreq/ppc_cbe_cpufreq.c:89:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 76, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: linux-pm@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/ppc_cbe_cpufreq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/cpufreq/ppc_cbe_cpufreq.c b/drivers/cpufreq/ppc_cbe_cpufreq.c
+index 5a4c5a639f618..2eaeebcc93afe 100644
+--- a/drivers/cpufreq/ppc_cbe_cpufreq.c
++++ b/drivers/cpufreq/ppc_cbe_cpufreq.c
+@@ -86,6 +86,7 @@ static int cbe_cpufreq_cpu_init(struct cpufreq_policy *policy)
+ if (!cbe_get_cpu_pmd_regs(policy->cpu) ||
+ !cbe_get_cpu_mic_tm_regs(policy->cpu)) {
+ pr_info("invalid CBE regs pointers for cpufreq\n");
++ of_node_put(cpu);
+ return -EINVAL;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 153b291de4f8fe6edf2d9c4745c2763771fefcb2 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Fri, 29 Mar 2019 10:27:26 -0500
+Subject: cxgb3/l2t: Fix undefined behaviour
+
+[ Upstream commit 76497732932f15e7323dc805e8ea8dc11bb587cf ]
+
+The use of zero-sized array causes undefined behaviour when it is not
+the last member in a structure. As it happens to be in this case.
+
+Also, the current code makes use of a language extension to the C90
+standard, but the preferred mechanism to declare variable-length
+types such as this one is a flexible array member, introduced in
+C99:
+
+struct foo {
+ int stuff;
+ struct boo array[];
+};
+
+By making use of the mechanism above, we will get a compiler warning
+in case the flexible array does not occur last. Which is beneficial
+to cultivate a high-quality code.
+
+Fixes: e48f129c2f20 ("[SCSI] cxgb3i: convert cdev->l2opt to use rcu to prevent NULL dereference")
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
+index 8cffcdfd56782..38b5858c335a9 100644
+--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h
++++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
+@@ -75,8 +75,8 @@ struct l2t_data {
+ struct l2t_entry *rover; /* starting point for next allocation */
+ atomic_t nfree; /* number of free entries */
+ rwlock_t lock;
+- struct l2t_entry l2tab[0];
+ struct rcu_head rcu_head; /* to handle rcu cleanup */
++ struct l2t_entry l2tab[];
+ };
+
+ typedef void (*arp_failure_handler_func)(struct t3cdev * dev,
+--
+2.20.1
+
--- /dev/null
+From 722dcdb2e77e6273c2398aaaccdd75461715b5f2 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Mon, 6 May 2019 23:57:54 +0800
+Subject: cxgb4: Fix error path in cxgb4_init_module
+
+[ Upstream commit a3147770bea76c8dbad73eca3a24c2118da5e719 ]
+
+BUG: unable to handle kernel paging request at ffffffffa016a270
+PGD 3270067 P4D 3270067 PUD 3271063 PMD 230bbd067 PTE 0
+Oops: 0000 [#1
+CPU: 0 PID: 6134 Comm: modprobe Not tainted 5.1.0+ #33
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
+RIP: 0010:atomic_notifier_chain_register+0x24/0x60
+Code: 1f 80 00 00 00 00 55 48 89 e5 41 54 49 89 f4 53 48 89 fb e8 ae b4 38 01 48 8b 53 38 48 8d 4b 38 48 85 d2 74 20 45 8b 44 24 10 <44> 3b 42 10 7e 08 eb 13 44 39 42 10 7c 0d 48 8d 4a 08 48 8b 52 08
+RSP: 0018:ffffc90000e2bc60 EFLAGS: 00010086
+RAX: 0000000000000292 RBX: ffffffff83467240 RCX: ffffffff83467278
+RDX: ffffffffa016a260 RSI: ffffffff83752140 RDI: ffffffff83467240
+RBP: ffffc90000e2bc70 R08: 0000000000000000 R09: 0000000000000001
+R10: 0000000000000000 R11: 00000000014fa61f R12: ffffffffa01c8260
+R13: ffff888231091e00 R14: 0000000000000000 R15: ffffc90000e2be78
+FS: 00007fbd8d7cd540(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffa016a270 CR3: 000000022c7e3000 CR4: 00000000000006f0
+Call Trace:
+ register_inet6addr_notifier+0x13/0x20
+ cxgb4_init_module+0x6c/0x1000 [cxgb4
+ ? 0xffffffffa01d7000
+ do_one_initcall+0x6c/0x3cc
+ ? do_init_module+0x22/0x1f1
+ ? rcu_read_lock_sched_held+0x97/0xb0
+ ? kmem_cache_alloc_trace+0x325/0x3b0
+ do_init_module+0x5b/0x1f1
+ load_module+0x1db1/0x2690
+ ? m_show+0x1d0/0x1d0
+ __do_sys_finit_module+0xc5/0xd0
+ __x64_sys_finit_module+0x15/0x20
+ do_syscall_64+0x6b/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+If pci_register_driver fails, register inet6addr_notifier is
+pointless. This patch fix the error path in cxgb4_init_module.
+
+Fixes: b5a02f503caa ("cxgb4 : Update ipv6 address handling api")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+index a3e1498ca67ce..3b96622de8ff2 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+@@ -5061,15 +5061,24 @@ static int __init cxgb4_init_module(void)
+
+ ret = pci_register_driver(&cxgb4_driver);
+ if (ret < 0)
+- debugfs_remove(cxgb4_debugfs_root);
++ goto err_pci;
+
+ #if IS_ENABLED(CONFIG_IPV6)
+ if (!inet6addr_registered) {
+- register_inet6addr_notifier(&cxgb4_inet6addr_notifier);
+- inet6addr_registered = true;
++ ret = register_inet6addr_notifier(&cxgb4_inet6addr_notifier);
++ if (ret)
++ pci_unregister_driver(&cxgb4_driver);
++ else
++ inet6addr_registered = true;
+ }
+ #endif
+
++ if (ret == 0)
++ return ret;
++
++err_pci:
++ debugfs_remove(cxgb4_debugfs_root);
++
+ return ret;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 5fab0292dd849574f4383d04616dd3486cf9a59d Mon Sep 17 00:00:00 2001
+From: Nicolas Ferre <nicolas.ferre@microchip.com>
+Date: Wed, 3 Apr 2019 12:23:57 +0200
+Subject: dmaengine: at_xdmac: remove BUG_ON macro in tasklet
+
+[ Upstream commit e2c114c06da2d9ffad5b16690abf008d6696f689 ]
+
+Even if this case shouldn't happen when controller is properly programmed,
+it's still better to avoid dumping a kernel Oops for this.
+As the sequence may happen only for debugging purposes, log the error and
+just finish the tasklet call.
+
+Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/at_xdmac.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c
+index af24c5bf32d69..8aa3ccf42e55a 100644
+--- a/drivers/dma/at_xdmac.c
++++ b/drivers/dma/at_xdmac.c
+@@ -1608,7 +1608,11 @@ static void at_xdmac_tasklet(unsigned long data)
+ struct at_xdmac_desc,
+ xfer_node);
+ dev_vdbg(chan2dev(&atchan->chan), "%s: desc 0x%p\n", __func__, desc);
+- BUG_ON(!desc->active_xfer);
++ if (!desc->active_xfer) {
++ dev_err(chan2dev(&atchan->chan), "Xfer not active: exiting");
++ spin_unlock_bh(&atchan->lock);
++ return;
++ }
+
+ txd = &desc->tx_dma_desc;
+
+--
+2.20.1
+
--- /dev/null
+From e6db1196a55d55fb9533cca214c81390d808ed3d Mon Sep 17 00:00:00 2001
+From: Sugar Zhang <sugar.zhang@rock-chips.com>
+Date: Wed, 3 Apr 2019 19:06:22 +0800
+Subject: dmaengine: pl330: _stop: clear interrupt status
+
+[ Upstream commit 2da254cc7908105a60a6bb219d18e8dced03dcb9 ]
+
+This patch kill instructs the DMAC to immediately terminate
+execution of a thread. and then clear the interrupt status,
+at last, stop generating interrupts for DMA_SEV. to guarantee
+the next dma start is clean. otherwise, one interrupt maybe leave
+to next start and make some mistake.
+
+we can reporduce the problem as follows:
+
+DMASEV: modify the event-interrupt resource, and if the INTEN sets
+function as interrupt, the DMAC will set irq<event_num> HIGH to
+generate interrupt. write INTCLR to clear interrupt.
+
+ DMA EXECUTING INSTRUCTS DMA TERMINATE
+ | |
+ | |
+ ... _stop
+ | |
+ | spin_lock_irqsave
+ DMASEV |
+ | |
+ | mask INTEN
+ | |
+ | DMAKILL
+ | |
+ | spin_unlock_irqrestore
+
+in above case, a interrupt was left, and if we unmask INTEN, the DMAC
+will set irq<event_num> HIGH to generate interrupt.
+
+to fix this, do as follows:
+
+ DMA EXECUTING INSTRUCTS DMA TERMINATE
+ | |
+ | |
+ ... _stop
+ | |
+ | spin_lock_irqsave
+ DMASEV |
+ | |
+ | DMAKILL
+ | |
+ | clear INTCLR
+ | mask INTEN
+ | |
+ | spin_unlock_irqrestore
+
+Signed-off-by: Sugar Zhang <sugar.zhang@rock-chips.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/pl330.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
+index 95619ee33112c..799c182c3eacc 100644
+--- a/drivers/dma/pl330.c
++++ b/drivers/dma/pl330.c
+@@ -1006,6 +1006,7 @@ static void _stop(struct pl330_thread *thrd)
+ {
+ void __iomem *regs = thrd->dmac->base;
+ u8 insn[6] = {0, 0, 0, 0, 0, 0};
++ u32 inten = readl(regs + INTEN);
+
+ if (_state(thrd) == PL330_STATE_FAULT_COMPLETING)
+ UNTIL(thrd, PL330_STATE_FAULTING | PL330_STATE_KILLING);
+@@ -1018,10 +1019,13 @@ static void _stop(struct pl330_thread *thrd)
+
+ _emit_KILL(0, insn);
+
+- /* Stop generating interrupts for SEV */
+- writel(readl(regs + INTEN) & ~(1 << thrd->ev), regs + INTEN);
+-
+ _execute_DBGINSN(thrd, insn, is_manager(thrd));
++
++ /* clear the event */
++ if (inten & (1 << thrd->ev))
++ writel(1 << thrd->ev, regs + INTCLR);
++ /* Stop generating interrupts for SEV */
++ writel(inten & ~(1 << thrd->ev), regs + INTEN);
+ }
+
+ /* Start doing req 'idx' of thread 'thrd' */
+--
+2.20.1
+
--- /dev/null
+From 55887771451f248b24648caf31269d3a926178db Mon Sep 17 00:00:00 2001
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+Date: Thu, 4 Apr 2019 17:33:56 +0100
+Subject: extcon: arizona: Disable mic detect if running when driver is removed
+
+[ Upstream commit 00053de52231117ddc154042549f2256183ffb86 ]
+
+Microphone detection provides the button detection features on the
+Arizona CODECs as such it will be running if the jack is currently
+inserted. If the driver is unbound whilst the jack is still inserted
+this will cause warnings from the regulator framework as the MICVDD
+regulator is put but was never disabled.
+
+Correct this by disabling microphone detection on driver removal and if
+the microphone detection was running disable the regulator and put the
+runtime reference that was currently held.
+
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/extcon/extcon-arizona.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/extcon/extcon-arizona.c b/drivers/extcon/extcon-arizona.c
+index e4890dd4fefd6..38fb212e58ee8 100644
+--- a/drivers/extcon/extcon-arizona.c
++++ b/drivers/extcon/extcon-arizona.c
+@@ -1616,6 +1616,16 @@ static int arizona_extcon_remove(struct platform_device *pdev)
+ struct arizona_extcon_info *info = platform_get_drvdata(pdev);
+ struct arizona *arizona = info->arizona;
+ int jack_irq_rise, jack_irq_fall;
++ bool change;
++
++ regmap_update_bits_check(arizona->regmap, ARIZONA_MIC_DETECT_1,
++ ARIZONA_MICD_ENA, 0,
++ &change);
++
++ if (change) {
++ regulator_disable(info->micvdd);
++ pm_runtime_put(info->dev);
++ }
+
+ gpiod_put(info->micd_pol_gpio);
+
+--
+2.20.1
+
--- /dev/null
+From acf6321a8d3b601d600f35331b185a1868a09ef2 Mon Sep 17 00:00:00 2001
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+Date: Wed, 27 Mar 2019 17:09:17 +0000
+Subject: gfs2: Fix lru_count going negative
+
+[ Upstream commit 7881ef3f33bb80f459ea6020d1e021fc524a6348 ]
+
+Under certain conditions, lru_count may drop below zero resulting in
+a large amount of log spam like this:
+
+vmscan: shrink_slab: gfs2_dump_glock+0x3b0/0x630 [gfs2] \
+ negative objects to delete nr=-1
+
+This happens as follows:
+1) A glock is moved from lru_list to the dispose list and lru_count is
+ decremented.
+2) The dispose function calls cond_resched() and drops the lru lock.
+3) Another thread takes the lru lock and tries to add the same glock to
+ lru_list, checking if the glock is on an lru list.
+4) It is on a list (actually the dispose list) and so it avoids
+ incrementing lru_count.
+5) The glock is moved to lru_list.
+5) The original thread doesn't dispose it because it has been re-added
+ to the lru list but the lru_count has still decreased by one.
+
+Fix by checking if the LRU flag is set on the glock rather than checking
+if the glock is on some list and rearrange the code so that the LRU flag
+is added/removed precisely when the glock is added/removed from lru_list.
+
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/glock.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
+index 09a0cf5f3dd86..1eb737c466ddc 100644
+--- a/fs/gfs2/glock.c
++++ b/fs/gfs2/glock.c
+@@ -136,22 +136,26 @@ static int demote_ok(const struct gfs2_glock *gl)
+
+ void gfs2_glock_add_to_lru(struct gfs2_glock *gl)
+ {
++ if (!(gl->gl_ops->go_flags & GLOF_LRU))
++ return;
++
+ spin_lock(&lru_lock);
+
+- if (!list_empty(&gl->gl_lru))
+- list_del_init(&gl->gl_lru);
+- else
++ list_del(&gl->gl_lru);
++ list_add_tail(&gl->gl_lru, &lru_list);
++
++ if (!test_bit(GLF_LRU, &gl->gl_flags)) {
++ set_bit(GLF_LRU, &gl->gl_flags);
+ atomic_inc(&lru_count);
++ }
+
+- list_add_tail(&gl->gl_lru, &lru_list);
+- set_bit(GLF_LRU, &gl->gl_flags);
+ spin_unlock(&lru_lock);
+ }
+
+ static void gfs2_glock_remove_from_lru(struct gfs2_glock *gl)
+ {
+ spin_lock(&lru_lock);
+- if (!list_empty(&gl->gl_lru)) {
++ if (test_bit(GLF_LRU, &gl->gl_flags)) {
+ list_del_init(&gl->gl_lru);
+ atomic_dec(&lru_count);
+ clear_bit(GLF_LRU, &gl->gl_flags);
+@@ -1040,8 +1044,7 @@ void gfs2_glock_dq(struct gfs2_holder *gh)
+ !test_bit(GLF_DEMOTE, &gl->gl_flags))
+ fast_path = 1;
+ }
+- if (!test_bit(GLF_LFLUSH, &gl->gl_flags) && demote_ok(gl) &&
+- (glops->go_flags & GLOF_LRU))
++ if (!test_bit(GLF_LFLUSH, &gl->gl_flags) && demote_ok(gl))
+ gfs2_glock_add_to_lru(gl);
+
+ trace_gfs2_glock_queue(gh, 0);
+@@ -1341,6 +1344,7 @@ __acquires(&lru_lock)
+ if (!spin_trylock(&gl->gl_lockref.lock)) {
+ add_back_to_lru:
+ list_add(&gl->gl_lru, &lru_list);
++ set_bit(GLF_LRU, &gl->gl_flags);
+ atomic_inc(&lru_count);
+ continue;
+ }
+@@ -1348,7 +1352,6 @@ __acquires(&lru_lock)
+ spin_unlock(&gl->gl_lockref.lock);
+ goto add_back_to_lru;
+ }
+- clear_bit(GLF_LRU, &gl->gl_flags);
+ gl->gl_lockref.count++;
+ if (demote_ok(gl))
+ handle_callback(gl, LM_ST_UNLOCKED, 0, false);
+@@ -1384,6 +1387,7 @@ static long gfs2_scan_glock_lru(int nr)
+ if (!test_bit(GLF_LOCK, &gl->gl_flags)) {
+ list_move(&gl->gl_lru, &dispose);
+ atomic_dec(&lru_count);
++ clear_bit(GLF_LRU, &gl->gl_flags);
+ freed++;
+ continue;
+ }
+--
+2.20.1
+
--- /dev/null
+From 51878761d65fa02c43a15d339bd1a756bbf6a03d Mon Sep 17 00:00:00 2001
+From: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Date: Wed, 27 Mar 2019 11:18:48 +0100
+Subject: HID: core: move Usage Page concatenation to Main item
+
+[ Upstream commit 58e75155009cc800005629955d3482f36a1e0eec ]
+
+As seen on some USB wireless keyboards manufactured by Primax, the HID
+parser was using some assumptions that are not always true. In this case
+it's s the fact that, inside the scope of a main item, an Usage Page
+will always precede an Usage.
+
+The spec is not pretty clear as 6.2.2.7 states "Any usage that follows
+is interpreted as a Usage ID and concatenated with the Usage Page".
+While 6.2.2.8 states "When the parser encounters a main item it
+concatenates the last declared Usage Page with a Usage to form a
+complete usage value." Being somewhat contradictory it was decided to
+match Window's implementation, which follows 6.2.2.8.
+
+In summary, the patch moves the Usage Page concatenation from the local
+item parsing function to the main item parsing function.
+
+Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Reviewed-by: Terry Junge <terry.junge@poly.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-core.c | 36 ++++++++++++++++++++++++------------
+ include/linux/hid.h | 1 +
+ 2 files changed, 25 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 4564ecf711815..9b2b41d683dea 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -200,13 +200,14 @@ static unsigned hid_lookup_collection(struct hid_parser *parser, unsigned type)
+ * Add a usage to the temporary parser table.
+ */
+
+-static int hid_add_usage(struct hid_parser *parser, unsigned usage)
++static int hid_add_usage(struct hid_parser *parser, unsigned usage, u8 size)
+ {
+ if (parser->local.usage_index >= HID_MAX_USAGES) {
+ hid_err(parser->device, "usage index exceeded\n");
+ return -1;
+ }
+ parser->local.usage[parser->local.usage_index] = usage;
++ parser->local.usage_size[parser->local.usage_index] = size;
+ parser->local.collection_index[parser->local.usage_index] =
+ parser->collection_stack_ptr ?
+ parser->collection_stack[parser->collection_stack_ptr - 1] : 0;
+@@ -463,10 +464,7 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
+ return 0;
+ }
+
+- if (item->size <= 2)
+- data = (parser->global.usage_page << 16) + data;
+-
+- return hid_add_usage(parser, data);
++ return hid_add_usage(parser, data, item->size);
+
+ case HID_LOCAL_ITEM_TAG_USAGE_MINIMUM:
+
+@@ -475,9 +473,6 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
+ return 0;
+ }
+
+- if (item->size <= 2)
+- data = (parser->global.usage_page << 16) + data;
+-
+ parser->local.usage_minimum = data;
+ return 0;
+
+@@ -488,9 +483,6 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
+ return 0;
+ }
+
+- if (item->size <= 2)
+- data = (parser->global.usage_page << 16) + data;
+-
+ count = data - parser->local.usage_minimum;
+ if (count + parser->local.usage_index >= HID_MAX_USAGES) {
+ /*
+@@ -510,7 +502,7 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
+ }
+
+ for (n = parser->local.usage_minimum; n <= data; n++)
+- if (hid_add_usage(parser, n)) {
++ if (hid_add_usage(parser, n, item->size)) {
+ dbg_hid("hid_add_usage failed\n");
+ return -1;
+ }
+@@ -524,6 +516,22 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
+ return 0;
+ }
+
++/*
++ * Concatenate Usage Pages into Usages where relevant:
++ * As per specification, 6.2.2.8: "When the parser encounters a main item it
++ * concatenates the last declared Usage Page with a Usage to form a complete
++ * usage value."
++ */
++
++static void hid_concatenate_usage_page(struct hid_parser *parser)
++{
++ int i;
++
++ for (i = 0; i < parser->local.usage_index; i++)
++ if (parser->local.usage_size[i] <= 2)
++ parser->local.usage[i] += parser->global.usage_page << 16;
++}
++
+ /*
+ * Process a main item.
+ */
+@@ -533,6 +541,8 @@ static int hid_parser_main(struct hid_parser *parser, struct hid_item *item)
+ __u32 data;
+ int ret;
+
++ hid_concatenate_usage_page(parser);
++
+ data = item_udata(item);
+
+ switch (item->tag) {
+@@ -746,6 +756,8 @@ static int hid_scan_main(struct hid_parser *parser, struct hid_item *item)
+ __u32 data;
+ int i;
+
++ hid_concatenate_usage_page(parser);
++
+ data = item_udata(item);
+
+ switch (item->tag) {
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index fd86687f81196..5f31318851366 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -372,6 +372,7 @@ struct hid_global {
+
+ struct hid_local {
+ unsigned usage[HID_MAX_USAGES]; /* usage array */
++ u8 usage_size[HID_MAX_USAGES]; /* usage size array */
+ unsigned collection_index[HID_MAX_USAGES]; /* collection index array */
+ unsigned usage_index;
+ unsigned usage_minimum;
+--
+2.20.1
+
--- /dev/null
+From cdc790dc8e568d3478cdf4bc3146b40ca66258ac Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 20 Apr 2019 13:22:10 +0200
+Subject: HID: logitech-hidpp: use RAP instead of FAP to get the protocol
+ version
+
+[ Upstream commit 096377525cdb8251e4656085efc988bdf733fb4c ]
+
+According to the logitech_hidpp_2.0_specification_draft_2012-06-04.pdf doc:
+https://lekensteyn.nl/files/logitech/logitech_hidpp_2.0_specification_draft_2012-06-04.pdf
+
+We should use a register-access-protocol request using the short input /
+output report ids. This is necessary because 27MHz HID++ receivers have
+a max-packetsize on their HIP++ endpoint of 8, so they cannot support
+long reports. Using a feature-access-protocol request (which is always
+long or very-long) with these will cause a timeout error, followed by
+the hidpp driver treating the device as not being HID++ capable.
+
+This commit fixes this by switching to using a rap request to get the
+protocol version.
+
+Besides being tested with a (046d:c517) 27MHz receiver with various
+27MHz keyboards and mice, this has also been tested to not cause
+regressions on a non-unifying dual-HID++ nano receiver (046d:c534) with
+k270 and m185 HID++-2.0 devices connected and on a unifying/dj receiver
+(046d:c52b) with a HID++-2.0 Logitech Rechargeable Touchpad T650.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-logitech-hidpp.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
+index 5fd97860aec4d..3666e5064d0d3 100644
+--- a/drivers/hid/hid-logitech-hidpp.c
++++ b/drivers/hid/hid-logitech-hidpp.c
+@@ -414,13 +414,16 @@ static int hidpp_root_get_feature(struct hidpp_device *hidpp, u16 feature,
+
+ static int hidpp_root_get_protocol_version(struct hidpp_device *hidpp)
+ {
++ const u8 ping_byte = 0x5a;
++ u8 ping_data[3] = { 0, 0, ping_byte };
+ struct hidpp_report response;
+ int ret;
+
+- ret = hidpp_send_fap_command_sync(hidpp,
++ ret = hidpp_send_rap_command_sync(hidpp,
++ REPORT_ID_HIDPP_SHORT,
+ HIDPP_PAGE_ROOT_IDX,
+ CMD_ROOT_GET_PROTOCOL_VERSION,
+- NULL, 0, &response);
++ ping_data, sizeof(ping_data), &response);
+
+ if (ret == HIDPP_ERROR_INVALID_SUBID) {
+ hidpp->protocol_major = 1;
+@@ -440,8 +443,14 @@ static int hidpp_root_get_protocol_version(struct hidpp_device *hidpp)
+ if (ret)
+ return ret;
+
+- hidpp->protocol_major = response.fap.params[0];
+- hidpp->protocol_minor = response.fap.params[1];
++ if (response.rap.params[2] != ping_byte) {
++ hid_err(hidpp->hid_dev, "%s: ping mismatch 0x%02x != 0x%02x\n",
++ __func__, response.rap.params[2], ping_byte);
++ return -EPROTO;
++ }
++
++ hidpp->protocol_major = response.rap.params[0];
++ hidpp->protocol_minor = response.rap.params[1];
+
+ return ret;
+ }
+--
+2.20.1
+
--- /dev/null
+From 8c20e729f900e90d3b7bfbbb6d585e6e792a11b5 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 4 Apr 2019 10:52:43 -0700
+Subject: hwmon: (f71805f) Use request_muxed_region for Super-IO accesses
+
+[ Upstream commit 73e6ff71a7ea924fb7121d576a2d41e3be3fc6b5 ]
+
+Super-IO accesses may fail on a system with no or unmapped LPC bus.
+
+Unable to handle kernel paging request at virtual address ffffffbffee0002e
+pgd = ffffffc1d68d4000
+[ffffffbffee0002e] *pgd=0000000000000000, *pud=0000000000000000
+Internal error: Oops: 94000046 [#1] PREEMPT SMP
+Modules linked in: f71805f(+) hwmon
+CPU: 3 PID: 1659 Comm: insmod Not tainted 4.5.0+ #88
+Hardware name: linux,dummy-virt (DT)
+task: ffffffc1f6665400 ti: ffffffc1d6418000 task.ti: ffffffc1d6418000
+PC is at f71805f_find+0x6c/0x358 [f71805f]
+
+Also, other drivers may attempt to access the LPC bus at the same time,
+resulting in undefined behavior.
+
+Use request_muxed_region() to ensure that IO access on the requested
+address space is supported, and to ensure that access by multiple
+drivers is synchronized.
+
+Fixes: e53004e20a58e ("hwmon: New f71805f driver")
+Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reported-by: John Garry <john.garry@huawei.com>
+Cc: John Garry <john.garry@huawei.com>
+Acked-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/f71805f.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hwmon/f71805f.c b/drivers/hwmon/f71805f.c
+index facd05cda26da..e8c0898864277 100644
+--- a/drivers/hwmon/f71805f.c
++++ b/drivers/hwmon/f71805f.c
+@@ -96,17 +96,23 @@ superio_select(int base, int ld)
+ outb(ld, base + 1);
+ }
+
+-static inline void
++static inline int
+ superio_enter(int base)
+ {
++ if (!request_muxed_region(base, 2, DRVNAME))
++ return -EBUSY;
++
+ outb(0x87, base);
+ outb(0x87, base);
++
++ return 0;
+ }
+
+ static inline void
+ superio_exit(int base)
+ {
+ outb(0xaa, base);
++ release_region(base, 2);
+ }
+
+ /*
+@@ -1561,7 +1567,7 @@ static int __init f71805f_device_add(unsigned short address,
+ static int __init f71805f_find(int sioaddr, unsigned short *address,
+ struct f71805f_sio_data *sio_data)
+ {
+- int err = -ENODEV;
++ int err;
+ u16 devid;
+
+ static const char * const names[] = {
+@@ -1569,8 +1575,11 @@ static int __init f71805f_find(int sioaddr, unsigned short *address,
+ "F71872F/FG or F71806F/FG",
+ };
+
+- superio_enter(sioaddr);
++ err = superio_enter(sioaddr);
++ if (err)
++ return err;
+
++ err = -ENODEV;
+ devid = superio_inw(sioaddr, SIO_REG_MANID);
+ if (devid != SIO_FINTEK_ID)
+ goto exit;
+--
+2.20.1
+
--- /dev/null
+From 85770069abc314bc8c98380d9851da23b3857a46 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 4 Apr 2019 11:16:20 -0700
+Subject: hwmon: (pc87427) Use request_muxed_region for Super-IO accesses
+
+[ Upstream commit 755a9b0f8aaa5639ba5671ca50080852babb89ce ]
+
+Super-IO accesses may fail on a system with no or unmapped LPC bus.
+
+Also, other drivers may attempt to access the LPC bus at the same time,
+resulting in undefined behavior.
+
+Use request_muxed_region() to ensure that IO access on the requested
+address space is supported, and to ensure that access by multiple drivers
+is synchronized.
+
+Fixes: ba224e2c4f0a7 ("hwmon: New PC87427 hardware monitoring driver")
+Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reported-by: John Garry <john.garry@huawei.com>
+Cc: John Garry <john.garry@huawei.com>
+Acked-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/pc87427.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/pc87427.c b/drivers/hwmon/pc87427.c
+index cb9fdd37bd0d9..2b5b8c3de8fce 100644
+--- a/drivers/hwmon/pc87427.c
++++ b/drivers/hwmon/pc87427.c
+@@ -106,6 +106,13 @@ static const char *logdev_str[2] = { DRVNAME " FMC", DRVNAME " HMC" };
+ #define LD_IN 1
+ #define LD_TEMP 1
+
++static inline int superio_enter(int sioaddr)
++{
++ if (!request_muxed_region(sioaddr, 2, DRVNAME))
++ return -EBUSY;
++ return 0;
++}
++
+ static inline void superio_outb(int sioaddr, int reg, int val)
+ {
+ outb(reg, sioaddr);
+@@ -122,6 +129,7 @@ static inline void superio_exit(int sioaddr)
+ {
+ outb(0x02, sioaddr);
+ outb(0x02, sioaddr + 1);
++ release_region(sioaddr, 2);
+ }
+
+ /*
+@@ -1220,7 +1228,11 @@ static int __init pc87427_find(int sioaddr, struct pc87427_sio_data *sio_data)
+ {
+ u16 val;
+ u8 cfg, cfg_b;
+- int i, err = 0;
++ int i, err;
++
++ err = superio_enter(sioaddr);
++ if (err)
++ return err;
+
+ /* Identify device */
+ val = force_id ? force_id : superio_inb(sioaddr, SIOREG_DEVID);
+--
+2.20.1
+
--- /dev/null
+From 056e4008ea95bfc4da7d8efab09fe2d779d9329f Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 4 Apr 2019 11:22:42 -0700
+Subject: hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses
+
+[ Upstream commit 8c0826756744c0ac1df600a5e4cca1a341b13101 ]
+
+Super-IO accesses may fail on a system with no or unmapped LPC bus.
+
+Also, other drivers may attempt to access the LPC bus at the same time,
+resulting in undefined behavior.
+
+Use request_muxed_region() to ensure that IO access on the requested
+address space is supported, and to ensure that access by multiple drivers
+is synchronized.
+
+Fixes: 8d5d45fb1468 ("I2C: Move hwmon drivers (2/3)")
+Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reported-by: John Garry <john.garry@huawei.com>
+Cc: John Garry <john.garry@huawei.com>
+Acked-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/smsc47b397.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/smsc47b397.c b/drivers/hwmon/smsc47b397.c
+index 6bd2007565603..cbdb5c4991ae3 100644
+--- a/drivers/hwmon/smsc47b397.c
++++ b/drivers/hwmon/smsc47b397.c
+@@ -72,14 +72,19 @@ static inline void superio_select(int ld)
+ superio_outb(0x07, ld);
+ }
+
+-static inline void superio_enter(void)
++static inline int superio_enter(void)
+ {
++ if (!request_muxed_region(REG, 2, DRVNAME))
++ return -EBUSY;
++
+ outb(0x55, REG);
++ return 0;
+ }
+
+ static inline void superio_exit(void)
+ {
+ outb(0xAA, REG);
++ release_region(REG, 2);
+ }
+
+ #define SUPERIO_REG_DEVID 0x20
+@@ -300,8 +305,12 @@ static int __init smsc47b397_find(void)
+ u8 id, rev;
+ char *name;
+ unsigned short addr;
++ int err;
++
++ err = superio_enter();
++ if (err)
++ return err;
+
+- superio_enter();
+ id = force_id ? force_id : superio_inb(SUPERIO_REG_DEVID);
+
+ switch (id) {
+--
+2.20.1
+
--- /dev/null
+From 396bccc5f60d886c07ad9d5e00347909367632f3 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 4 Apr 2019 11:28:37 -0700
+Subject: hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses
+
+[ Upstream commit d6410408ad2a798c4cc685252c1baa713be0ad69 ]
+
+Super-IO accesses may fail on a system with no or unmapped LPC bus.
+
+Also, other drivers may attempt to access the LPC bus at the same time,
+resulting in undefined behavior.
+
+Use request_muxed_region() to ensure that IO access on the requested
+address space is supported, and to ensure that access by multiple drivers
+is synchronized.
+
+Fixes: 8d5d45fb1468 ("I2C: Move hwmon drivers (2/3)")
+Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reported-by: John Garry <john.garry@huawei.com>
+Cc: John Garry <john.garry@huawei.com>
+Acked-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/smsc47m1.c | 28 +++++++++++++++++++---------
+ 1 file changed, 19 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/hwmon/smsc47m1.c b/drivers/hwmon/smsc47m1.c
+index 5d323186d2c10..d24df0c50bea4 100644
+--- a/drivers/hwmon/smsc47m1.c
++++ b/drivers/hwmon/smsc47m1.c
+@@ -73,16 +73,21 @@ superio_inb(int reg)
+ /* logical device for fans is 0x0A */
+ #define superio_select() superio_outb(0x07, 0x0A)
+
+-static inline void
++static inline int
+ superio_enter(void)
+ {
++ if (!request_muxed_region(REG, 2, DRVNAME))
++ return -EBUSY;
++
+ outb(0x55, REG);
++ return 0;
+ }
+
+ static inline void
+ superio_exit(void)
+ {
+ outb(0xAA, REG);
++ release_region(REG, 2);
+ }
+
+ #define SUPERIO_REG_ACT 0x30
+@@ -531,8 +536,12 @@ static int __init smsc47m1_find(struct smsc47m1_sio_data *sio_data)
+ {
+ u8 val;
+ unsigned short addr;
++ int err;
++
++ err = superio_enter();
++ if (err)
++ return err;
+
+- superio_enter();
+ val = force_id ? force_id : superio_inb(SUPERIO_REG_DEVID);
+
+ /*
+@@ -608,13 +617,14 @@ static int __init smsc47m1_find(struct smsc47m1_sio_data *sio_data)
+ static void smsc47m1_restore(const struct smsc47m1_sio_data *sio_data)
+ {
+ if ((sio_data->activate & 0x01) == 0) {
+- superio_enter();
+- superio_select();
+-
+- pr_info("Disabling device\n");
+- superio_outb(SUPERIO_REG_ACT, sio_data->activate);
+-
+- superio_exit();
++ if (!superio_enter()) {
++ superio_select();
++ pr_info("Disabling device\n");
++ superio_outb(SUPERIO_REG_ACT, sio_data->activate);
++ superio_exit();
++ } else {
++ pr_warn("Failed to disable device\n");
++ }
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 5e9bc436a6569aab736aa7c126a554679e21babe Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Fri, 5 Apr 2019 08:53:08 -0700
+Subject: hwmon: (vt1211) Use request_muxed_region for Super-IO accesses
+
+[ Upstream commit 14b97ba5c20056102b3dd22696bf17b057e60976 ]
+
+Super-IO accesses may fail on a system with no or unmapped LPC bus.
+
+Also, other drivers may attempt to access the LPC bus at the same time,
+resulting in undefined behavior.
+
+Use request_muxed_region() to ensure that IO access on the requested
+address space is supported, and to ensure that access by multiple drivers
+is synchronized.
+
+Fixes: 2219cd81a6cd ("hwmon/vt1211: Add probing of alternate config index port")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/vt1211.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hwmon/vt1211.c b/drivers/hwmon/vt1211.c
+index 3a6bfa51cb94f..95d5e8ec8b7fc 100644
+--- a/drivers/hwmon/vt1211.c
++++ b/drivers/hwmon/vt1211.c
+@@ -226,15 +226,21 @@ static inline void superio_select(int sio_cip, int ldn)
+ outb(ldn, sio_cip + 1);
+ }
+
+-static inline void superio_enter(int sio_cip)
++static inline int superio_enter(int sio_cip)
+ {
++ if (!request_muxed_region(sio_cip, 2, DRVNAME))
++ return -EBUSY;
++
+ outb(0x87, sio_cip);
+ outb(0x87, sio_cip);
++
++ return 0;
+ }
+
+ static inline void superio_exit(int sio_cip)
+ {
+ outb(0xaa, sio_cip);
++ release_region(sio_cip, 2);
+ }
+
+ /* ---------------------------------------------------------------------
+@@ -1282,11 +1288,14 @@ static int __init vt1211_device_add(unsigned short address)
+
+ static int __init vt1211_find(int sio_cip, unsigned short *address)
+ {
+- int err = -ENODEV;
++ int err;
+ int devid;
+
+- superio_enter(sio_cip);
++ err = superio_enter(sio_cip);
++ if (err)
++ return err;
+
++ err = -ENODEV;
+ devid = force_id ? force_id : superio_inb(sio_cip, SIO_VT1211_DEVID);
+ if (devid != SIO_VT1211_ID)
+ goto EXIT;
+--
+2.20.1
+
--- /dev/null
+From 9f6d2507384f998d0579495bdf59adecef23181a Mon Sep 17 00:00:00 2001
+From: Nicholas Nunley <nicholas.d.nunley@intel.com>
+Date: Wed, 6 Feb 2019 15:08:17 -0800
+Subject: i40e: don't allow changes to HW VLAN stripping on active port VLANs
+
+[ Upstream commit bfb0ebed53857cfc57f11c63fa3689940d71c1c8 ]
+
+Modifying the VLAN stripping options when a port VLAN is configured
+will break traffic for the VSI, and conceptually doesn't make sense,
+so don't allow this.
+
+Signed-off-by: Nicholas Nunley <nicholas.d.nunley@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 06b38f50980c5..22c43a776c6cd 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -2263,6 +2263,10 @@ void i40e_vlan_stripping_enable(struct i40e_vsi *vsi)
+ struct i40e_vsi_context ctxt;
+ i40e_status ret;
+
++ /* Don't modify stripping options if a port VLAN is active */
++ if (vsi->info.pvid)
++ return;
++
+ if ((vsi->info.valid_sections &
+ cpu_to_le16(I40E_AQ_VSI_PROP_VLAN_VALID)) &&
+ ((vsi->info.port_vlan_flags & I40E_AQ_VSI_PVLAN_MODE_MASK) == 0))
+@@ -2293,6 +2297,10 @@ void i40e_vlan_stripping_disable(struct i40e_vsi *vsi)
+ struct i40e_vsi_context ctxt;
+ i40e_status ret;
+
++ /* Don't modify stripping options if a port VLAN is active */
++ if (vsi->info.pvid)
++ return;
++
+ if ((vsi->info.valid_sections &
+ cpu_to_le16(I40E_AQ_VSI_PROP_VLAN_VALID)) &&
+ ((vsi->info.port_vlan_flags & I40E_AQ_VSI_PVLAN_EMOD_MASK) ==
+--
+2.20.1
+
--- /dev/null
+From 4cdc7b73c2b35d57eff9544d57c104799bb04efe Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Tue, 19 Mar 2019 13:37:55 +0200
+Subject: iio: ad_sigma_delta: Properly handle SPI bus locking vs CS assertion
+
+[ Upstream commit df1d80aee963480c5c2938c64ec0ac3e4a0df2e0 ]
+
+For devices from the SigmaDelta family we need to keep CS low when doing a
+conversion, since the device will use the MISO line as a interrupt to
+indicate that the conversion is complete.
+
+This is why the driver locks the SPI bus and when the SPI bus is locked
+keeps as long as a conversion is going on. The current implementation gets
+one small detail wrong though. CS is only de-asserted after the SPI bus is
+unlocked. This means it is possible for a different SPI device on the same
+bus to send a message which would be wrongfully be addressed to the
+SigmaDelta device as well. Make sure that the last SPI transfer that is
+done while holding the SPI bus lock de-asserts the CS signal.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Alexandru Ardelean <Alexandru.Ardelean@analog.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad_sigma_delta.c | 16 +++++++++++-----
+ include/linux/iio/adc/ad_sigma_delta.h | 1 +
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c
+index a1d072ecb7171..30f200ad6b978 100644
+--- a/drivers/iio/adc/ad_sigma_delta.c
++++ b/drivers/iio/adc/ad_sigma_delta.c
+@@ -62,7 +62,7 @@ int ad_sd_write_reg(struct ad_sigma_delta *sigma_delta, unsigned int reg,
+ struct spi_transfer t = {
+ .tx_buf = data,
+ .len = size + 1,
+- .cs_change = sigma_delta->bus_locked,
++ .cs_change = sigma_delta->keep_cs_asserted,
+ };
+ struct spi_message m;
+ int ret;
+@@ -217,6 +217,7 @@ static int ad_sd_calibrate(struct ad_sigma_delta *sigma_delta,
+
+ spi_bus_lock(sigma_delta->spi->master);
+ sigma_delta->bus_locked = true;
++ sigma_delta->keep_cs_asserted = true;
+ reinit_completion(&sigma_delta->completion);
+
+ ret = ad_sigma_delta_set_mode(sigma_delta, mode);
+@@ -234,9 +235,10 @@ static int ad_sd_calibrate(struct ad_sigma_delta *sigma_delta,
+ ret = 0;
+ }
+ out:
++ sigma_delta->keep_cs_asserted = false;
++ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
+ sigma_delta->bus_locked = false;
+ spi_bus_unlock(sigma_delta->spi->master);
+- ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
+
+ return ret;
+ }
+@@ -288,6 +290,7 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev,
+
+ spi_bus_lock(sigma_delta->spi->master);
+ sigma_delta->bus_locked = true;
++ sigma_delta->keep_cs_asserted = true;
+ reinit_completion(&sigma_delta->completion);
+
+ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_SINGLE);
+@@ -297,9 +300,6 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev,
+ ret = wait_for_completion_interruptible_timeout(
+ &sigma_delta->completion, HZ);
+
+- sigma_delta->bus_locked = false;
+- spi_bus_unlock(sigma_delta->spi->master);
+-
+ if (ret == 0)
+ ret = -EIO;
+ if (ret < 0)
+@@ -315,7 +315,10 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev,
+ sigma_delta->irq_dis = true;
+ }
+
++ sigma_delta->keep_cs_asserted = false;
+ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
++ sigma_delta->bus_locked = false;
++ spi_bus_unlock(sigma_delta->spi->master);
+ mutex_unlock(&indio_dev->mlock);
+
+ if (ret)
+@@ -352,6 +355,8 @@ static int ad_sd_buffer_postenable(struct iio_dev *indio_dev)
+
+ spi_bus_lock(sigma_delta->spi->master);
+ sigma_delta->bus_locked = true;
++ sigma_delta->keep_cs_asserted = true;
++
+ ret = ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_CONTINUOUS);
+ if (ret)
+ goto err_unlock;
+@@ -380,6 +385,7 @@ static int ad_sd_buffer_postdisable(struct iio_dev *indio_dev)
+ sigma_delta->irq_dis = true;
+ }
+
++ sigma_delta->keep_cs_asserted = false;
+ ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
+
+ sigma_delta->bus_locked = false;
+diff --git a/include/linux/iio/adc/ad_sigma_delta.h b/include/linux/iio/adc/ad_sigma_delta.h
+index 6cc48ac55fd2a..40b14736c73de 100644
+--- a/include/linux/iio/adc/ad_sigma_delta.h
++++ b/include/linux/iio/adc/ad_sigma_delta.h
+@@ -66,6 +66,7 @@ struct ad_sigma_delta {
+ bool irq_dis;
+
+ bool bus_locked;
++ bool keep_cs_asserted;
+
+ uint8_t comm;
+
+--
+2.20.1
+
--- /dev/null
+From b440f03b5f6426ae28df1d075af9e8b090e77adf Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <natechancellor@gmail.com>
+Date: Thu, 7 Mar 2019 14:45:46 -0700
+Subject: iio: common: ssp_sensors: Initialize calculated_time in
+ ssp_common_process_data
+
+[ Upstream commit 6f9ca1d3eb74b81f811a87002de2d51640d135b1 ]
+
+When building with -Wsometimes-uninitialized, Clang warns:
+
+drivers/iio/common/ssp_sensors/ssp_iio.c:95:6: warning: variable
+'calculated_time' is used uninitialized whenever 'if' condition is false
+[-Wsometimes-uninitialized]
+
+While it isn't wrong, this will never be a problem because
+iio_push_to_buffers_with_timestamp only uses calculated_time
+on the same condition that it is assigned (when scan_timestamp
+is not zero). While iio_push_to_buffers_with_timestamp is marked
+as inline, Clang does inlining in the optimization stage, which
+happens after the semantic analysis phase (plus inline is merely
+a hint to the compiler).
+
+Fix this by just zero initializing calculated_time.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/394
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/common/ssp_sensors/ssp_iio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/common/ssp_sensors/ssp_iio.c b/drivers/iio/common/ssp_sensors/ssp_iio.c
+index a3ae165f8d9f3..16180e6321bd4 100644
+--- a/drivers/iio/common/ssp_sensors/ssp_iio.c
++++ b/drivers/iio/common/ssp_sensors/ssp_iio.c
+@@ -80,7 +80,7 @@ int ssp_common_process_data(struct iio_dev *indio_dev, void *buf,
+ unsigned int len, int64_t timestamp)
+ {
+ __le32 time;
+- int64_t calculated_time;
++ int64_t calculated_time = 0;
+ struct ssp_sensor_data *spd = iio_priv(indio_dev);
+
+ if (indio_dev->scan_bytes == 0)
+--
+2.20.1
+
--- /dev/null
+From df84317ba5f17a088b6558bcea0c6238b83bd942 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Sat, 16 Mar 2019 17:08:33 -0500
+Subject: iio: hmc5843: fix potential NULL pointer dereferences
+
+[ Upstream commit 536cc27deade8f1ec3c1beefa60d5fbe0f6fcb28 ]
+
+devm_regmap_init_i2c may fail and return NULL. The fix returns
+the error when it fails.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/iio/magnetometer/hmc5843_i2c.c | 7 ++++++-
+ drivers/staging/iio/magnetometer/hmc5843_spi.c | 7 ++++++-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/iio/magnetometer/hmc5843_i2c.c b/drivers/staging/iio/magnetometer/hmc5843_i2c.c
+index 3e06ceb320596..676a8e329eeb6 100644
+--- a/drivers/staging/iio/magnetometer/hmc5843_i2c.c
++++ b/drivers/staging/iio/magnetometer/hmc5843_i2c.c
+@@ -59,8 +59,13 @@ static const struct regmap_config hmc5843_i2c_regmap_config = {
+ static int hmc5843_i2c_probe(struct i2c_client *cli,
+ const struct i2c_device_id *id)
+ {
++ struct regmap *regmap = devm_regmap_init_i2c(cli,
++ &hmc5843_i2c_regmap_config);
++ if (IS_ERR(regmap))
++ return PTR_ERR(regmap);
++
+ return hmc5843_common_probe(&cli->dev,
+- devm_regmap_init_i2c(cli, &hmc5843_i2c_regmap_config),
++ regmap,
+ id->driver_data, id->name);
+ }
+
+diff --git a/drivers/staging/iio/magnetometer/hmc5843_spi.c b/drivers/staging/iio/magnetometer/hmc5843_spi.c
+index 8be198058ea20..fded442a3c1d1 100644
+--- a/drivers/staging/iio/magnetometer/hmc5843_spi.c
++++ b/drivers/staging/iio/magnetometer/hmc5843_spi.c
+@@ -59,6 +59,7 @@ static const struct regmap_config hmc5843_spi_regmap_config = {
+ static int hmc5843_spi_probe(struct spi_device *spi)
+ {
+ int ret;
++ struct regmap *regmap;
+ const struct spi_device_id *id = spi_get_device_id(spi);
+
+ spi->mode = SPI_MODE_3;
+@@ -68,8 +69,12 @@ static int hmc5843_spi_probe(struct spi_device *spi)
+ if (ret)
+ return ret;
+
++ regmap = devm_regmap_init_spi(spi, &hmc5843_spi_regmap_config);
++ if (IS_ERR(regmap))
++ return PTR_ERR(regmap);
++
+ return hmc5843_common_probe(&spi->dev,
+- devm_regmap_init_spi(spi, &hmc5843_spi_regmap_config),
++ regmap,
+ id->driver_data, id->name);
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 6c17d17476b84f747c1ebb81fc922a5f8c10e966 Mon Sep 17 00:00:00 2001
+From: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
+Date: Tue, 26 Mar 2019 09:27:37 +0000
+Subject: mac80211/cfg80211: update bss channel on channel switch
+
+[ Upstream commit 5dc8cdce1d722c733f8c7af14c5fb595cfedbfa8 ]
+
+FullMAC STAs have no way to update bss channel after CSA channel switch
+completion. As a result, user-space tools may provide inconsistent
+channel info. For instance, consider the following two commands:
+$ sudo iw dev wlan0 link
+$ sudo iw dev wlan0 info
+The latter command gets channel info from the hardware, so most probably
+its output will be correct. However the former command gets channel info
+from scan cache, so its output will contain outdated channel info.
+In fact, current bss channel info will not be updated until the
+next [re-]connect.
+
+Note that mac80211 STAs have a workaround for this, but it requires
+access to internal cfg80211 data, see ieee80211_chswitch_work:
+
+ /* XXX: shouldn't really modify cfg80211-owned data! */
+ ifmgd->associated->channel = sdata->csa_chandef.chan;
+
+This patch suggests to convert mac80211 workaround into cfg80211 behavior
+and to update current bss channel in cfg80211_ch_switch_notify.
+
+Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 3 ---
+ net/wireless/nl80211.c | 5 +++++
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index ed4fef32b394f..08384dbf426c8 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1104,9 +1104,6 @@ static void ieee80211_chswitch_work(struct work_struct *work)
+ goto out;
+ }
+
+- /* XXX: shouldn't really modify cfg80211-owned data! */
+- ifmgd->associated->channel = sdata->csa_chandef.chan;
+-
+ ifmgd->csa_waiting_bcn = true;
+
+ ieee80211_sta_reset_beacon_monitor(sdata);
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 81013490a99f4..1968998e6c6c2 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -12788,6 +12788,11 @@ void cfg80211_ch_switch_notify(struct net_device *dev,
+
+ wdev->chandef = *chandef;
+ wdev->preset_chandef = *chandef;
++
++ if (wdev->iftype == NL80211_IFTYPE_STATION &&
++ !WARN_ON(!wdev->current_bss))
++ wdev->current_bss->pub.channel = chandef->chan;
++
+ nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
+ NL80211_CMD_CH_SWITCH_NOTIFY, 0);
+ }
+--
+2.20.1
+
--- /dev/null
+From a8b76b93fe22279cc00d1496880da92685e576e3 Mon Sep 17 00:00:00 2001
+From: Shuah Khan <shuah@kernel.org>
+Date: Mon, 1 Apr 2019 20:43:17 -0400
+Subject: media: au0828: Fix NULL pointer dereference in
+ au0828_analog_stream_enable()
+
+[ Upstream commit 898bc40bfcc26abb6e06e960d6d4754c36c58b50 ]
+
+Fix au0828_analog_stream_enable() to check if device is in the right
+state first. When unbind happens while bind is in progress, usbdev
+pointer could be invalid in au0828_analog_stream_enable() and a call
+to usb_ifnum_to_if() will result in the null pointer dereference.
+
+This problem is found with the new media_dev_allocator.sh test.
+
+kernel: [ 590.359623] BUG: unable to handle kernel NULL pointer dereference at 00000000000004e8
+kernel: [ 590.359627] #PF error: [normal kernel read fault]
+kernel: [ 590.359629] PGD 0 P4D 0
+kernel: [ 590.359632] Oops: 0000 [#1] SMP PTI
+kernel: [ 590.359634] CPU: 3 PID: 1458 Comm: v4l_id Not tainted 5.1.0-rc2+ #30
+kernel: [ 590.359636] Hardware name: Dell Inc. OptiPlex 7 90/0HY9JP, BIOS A18 09/24/2013
+kernel: [ 590.359641] RIP: 0010:usb_ifnum_to_if+0x6/0x60
+kernel: [ 590.359643] Code: 5d 41 5e 41 5f 5d c3 48 83 c4
+ 10 b8 fa ff ff ff 5b 41 5c 41 5d 41 5e 41 5f 5d c3 b8 fa ff ff ff c3 0f 1f 00 6
+6 66 66 66 90 55 <48> 8b 97 e8 04 00 00 48 89 e5 48 85 d2 74 41 0f b6 4a 04 84 c
+9 74
+kernel: [ 590.359645] RSP: 0018:ffffad3cc3c1fc00 EFLAGS: 00010246
+kernel: [ 590.359646] RAX: 0000000000000000 RBX: ffff8ded b1f3c000 RCX: 1f377e4500000000
+kernel: [ 590.359648] RDX: ffff8dedfa3a6b50 RSI: 00000000 00000000 RDI: 0000000000000000
+kernel: [ 590.359649] RBP: ffffad3cc3c1fc28 R08: 00000000 8574acc2 R09: ffff8dedfa3a6b50
+kernel: [ 590.359650] R10: 0000000000000001 R11: 00000000 00000000 R12: 0000000000000000
+kernel: [ 590.359652] R13: ffff8dedb1f3f0f0 R14: ffffffff adcf7ec0 R15: 0000000000000000
+kernel: [ 590.359654] FS: 00007f7917198540(0000) GS:ffff 8dee258c0000(0000) knlGS:0000000000000000
+kernel: [ 590.359655] CS: 0010 DS: 0000 ES: 0000 CR0: 00 00000080050033
+kernel: [ 590.359657] CR2: 00000000000004e8 CR3: 00000001 a388e002 CR4: 00000000000606e0
+kernel: [ 590.359658] Call Trace:
+kernel: [ 590.359664] ? au0828_analog_stream_enable+0x2c/0x180
+kernel: [ 590.359666] au0828_v4l2_open+0xa4/0x110
+kernel: [ 590.359670] v4l2_open+0x8b/0x120
+kernel: [ 590.359674] chrdev_open+0xa6/0x1c0
+kernel: [ 590.359676] ? cdev_put.part.3+0x20/0x20
+kernel: [ 590.359678] do_dentry_open+0x1f6/0x360
+kernel: [ 590.359681] vfs_open+0x2f/0x40
+kernel: [ 590.359684] path_openat+0x299/0xc20
+kernel: [ 590.359688] do_filp_open+0x9b/0x110
+kernel: [ 590.359695] ? _raw_spin_unlock+0x27/0x40
+kernel: [ 590.359697] ? __alloc_fd+0xb2/0x160
+kernel: [ 590.359700] do_sys_open+0x1ba/0x260
+kernel: [ 590.359702] ? do_sys_open+0x1ba/0x260
+kernel: [ 590.359712] __x64_sys_openat+0x20/0x30
+kernel: [ 590.359715] do_syscall_64+0x5a/0x120
+kernel: [ 590.359718] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Signed-off-by: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/au0828/au0828-video.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/usb/au0828/au0828-video.c b/drivers/media/usb/au0828/au0828-video.c
+index 1ff66e7e26a81..1df23c01ad374 100644
+--- a/drivers/media/usb/au0828/au0828-video.c
++++ b/drivers/media/usb/au0828/au0828-video.c
+@@ -711,6 +711,9 @@ static int au0828_analog_stream_enable(struct au0828_dev *d)
+
+ dprintk(1, "au0828_analog_stream_enable called\n");
+
++ if (test_bit(DEV_DISCONNECTED, &d->dev_state))
++ return -ENODEV;
++
+ iface = usb_ifnum_to_if(d->usbdev, 0);
+ if (iface && iface->cur_altsetting->desc.bAlternateSetting != 5) {
+ dprintk(1, "Changing intf#0 to alt 5\n");
+--
+2.20.1
+
--- /dev/null
+From 5d9cbf45e2293a27b7da86c22a96ab8bd33897d3 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Tue, 2 Apr 2019 03:24:15 -0400
+Subject: media: au0828: stop video streaming only when last user stops
+
+[ Upstream commit f604f0f5afb88045944567f604409951b5eb6af8 ]
+
+If the application was streaming from both videoX and vbiX, and streaming
+from videoX was stopped, then the vbi streaming also stopped.
+
+The cause being that stop_streaming for video stopped the subdevs as well,
+instead of only doing that if dev->streaming_users reached 0.
+
+au0828_stop_vbi_streaming was also wrong since it didn't stop the subdevs
+at all when dev->streaming_users reached 0.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Tested-by: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/au0828/au0828-video.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/usb/au0828/au0828-video.c b/drivers/media/usb/au0828/au0828-video.c
+index 7b2fe1b56039e..1ff66e7e26a81 100644
+--- a/drivers/media/usb/au0828/au0828-video.c
++++ b/drivers/media/usb/au0828/au0828-video.c
+@@ -799,9 +799,9 @@ int au0828_start_analog_streaming(struct vb2_queue *vq, unsigned int count)
+ return rc;
+ }
+
++ v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 1);
++
+ if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE) {
+- v4l2_device_call_all(&dev->v4l2_dev, 0, video,
+- s_stream, 1);
+ dev->vid_timeout_running = 1;
+ mod_timer(&dev->vid_timeout, jiffies + (HZ / 10));
+ } else if (vq->type == V4L2_BUF_TYPE_VBI_CAPTURE) {
+@@ -821,10 +821,11 @@ static void au0828_stop_streaming(struct vb2_queue *vq)
+
+ dprintk(1, "au0828_stop_streaming called %d\n", dev->streaming_users);
+
+- if (dev->streaming_users-- == 1)
++ if (dev->streaming_users-- == 1) {
+ au0828_uninit_isoc(dev);
++ v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0);
++ }
+
+- v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0);
+ dev->vid_timeout_running = 0;
+ del_timer_sync(&dev->vid_timeout);
+
+@@ -853,8 +854,10 @@ void au0828_stop_vbi_streaming(struct vb2_queue *vq)
+ dprintk(1, "au0828_stop_vbi_streaming called %d\n",
+ dev->streaming_users);
+
+- if (dev->streaming_users-- == 1)
++ if (dev->streaming_users-- == 1) {
+ au0828_uninit_isoc(dev);
++ v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0);
++ }
+
+ spin_lock_irqsave(&dev->slock, flags);
+ if (dev->isoc_ctl.vbi_buf != NULL) {
+--
+2.20.1
+
--- /dev/null
+From 512f1fdb9a7096405014d1466fc37e7e7cef2caf Mon Sep 17 00:00:00 2001
+From: Philipp Zabel <p.zabel@pengutronix.de>
+Date: Mon, 8 Apr 2019 08:32:49 -0400
+Subject: media: coda: clear error return value before picture run
+
+[ Upstream commit bbeefa7357a648afe70e7183914c87c3878d528d ]
+
+The error return value is not written by some firmware codecs, such as
+MPEG-2 decode on CodaHx4. Clear the error return value before starting
+the picture run to avoid misinterpreting unrelated values returned by
+sequence initialization as error return value.
+
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/coda/coda-bit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
+index d76511c1c1e3f..a4639813cf35d 100644
+--- a/drivers/media/platform/coda/coda-bit.c
++++ b/drivers/media/platform/coda/coda-bit.c
+@@ -1829,6 +1829,9 @@ static int coda_prepare_decode(struct coda_ctx *ctx)
+ /* Clear decode success flag */
+ coda_write(dev, 0, CODA_RET_DEC_PIC_SUCCESS);
+
++ /* Clear error return value */
++ coda_write(dev, 0, CODA_RET_DEC_PIC_ERR_MB);
++
+ trace_coda_dec_pic_run(ctx, meta);
+
+ coda_command_async(ctx, CODA_COMMAND_PIC_RUN);
+--
+2.20.1
+
--- /dev/null
+From b542c9f167481af14ea715399d9277ecd5f9c48d Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 19 Feb 2019 12:01:58 -0500
+Subject: media: go7007: avoid clang frame overflow warning with KASAN
+
+[ Upstream commit ed713a4a1367aca5c0f2f329579465db00c17995 ]
+
+clang-8 warns about one function here when KASAN is enabled, even
+without the 'asan-stack' option:
+
+drivers/media/usb/go7007/go7007-fw.c:1551:5: warning: stack frame size of 2656 bytes in function
+
+I have reported this issue in the llvm bugzilla, but to make
+it work with the clang-8 release, a small annotation is still
+needed.
+
+Link: https://bugs.llvm.org/show_bug.cgi?id=38809
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[hverkuil-cisco@xs4all.nl: fix checkpatch warning]
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/go7007/go7007-fw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/go7007/go7007-fw.c b/drivers/media/usb/go7007/go7007-fw.c
+index 60bf5f0644d11..a5efcd4f7b4f5 100644
+--- a/drivers/media/usb/go7007/go7007-fw.c
++++ b/drivers/media/usb/go7007/go7007-fw.c
+@@ -1499,8 +1499,8 @@ static int modet_to_package(struct go7007 *go, __le16 *code, int space)
+ return cnt;
+ }
+
+-static int do_special(struct go7007 *go, u16 type, __le16 *code, int space,
+- int *framelen)
++static noinline_for_stack int do_special(struct go7007 *go, u16 type,
++ __le16 *code, int space, int *framelen)
+ {
+ switch (type) {
+ case SPECIAL_FRM_HEAD:
+--
+2.20.1
+
--- /dev/null
+From bdcaf7f3bde8ebd7a8e70e2bc3d945190b1b68d7 Mon Sep 17 00:00:00 2001
+From: James Hutchinson <jahutchinson99@googlemail.com>
+Date: Sun, 13 Jan 2019 16:13:47 -0500
+Subject: media: m88ds3103: serialize reset messages in m88ds3103_set_frontend
+
+[ Upstream commit 981fbe3da20a6f35f17977453bce7dfc1664d74f ]
+
+Ref: https://bugzilla.kernel.org/show_bug.cgi?id=199323
+
+Users are experiencing problems with the DVBSky S960/S960C USB devices
+since the following commit:
+
+9d659ae: ("locking/mutex: Add lock handoff to avoid starvation")
+
+The device malfunctions after running for an indeterminable period of
+time, and the problem can only be cleared by rebooting the machine.
+
+It is possible to encourage the problem to surface by blocking the
+signal to the LNB.
+
+Further debugging revealed the cause of the problem.
+
+In the following capture:
+- thread #1325 is running m88ds3103_set_frontend
+- thread #42 is running ts2020_stat_work
+
+a> [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 07 80
+ [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 08
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 68 3f
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 08 ff
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 3d
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
+b> [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 07 00
+ [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 21
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 66
+ [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
+ [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
+ [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+ [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 60 02 10 0b
+ [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
+
+Two i2c messages are sent to perform a reset in m88ds3103_set_frontend:
+
+ a. 0x07, 0x80
+ b. 0x07, 0x00
+
+However, as shown in the capture, the regmap mutex is being handed over
+to another thread (ts2020_stat_work) in between these two messages.
+
+>From here, the device responds to every i2c message with an 07 message,
+and will only return to normal operation following a power cycle.
+
+Use regmap_multi_reg_write to group the two reset messages, ensuring
+both are processed before the regmap mutex is unlocked.
+
+Signed-off-by: James Hutchinson <jahutchinson99@googlemail.com>
+Reviewed-by: Antti Palosaari <crope@iki.fi>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/m88ds3103.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/m88ds3103.c b/drivers/media/dvb-frontends/m88ds3103.c
+index d14d075ab1d63..9f0956e739a45 100644
+--- a/drivers/media/dvb-frontends/m88ds3103.c
++++ b/drivers/media/dvb-frontends/m88ds3103.c
+@@ -309,6 +309,9 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe)
+ u16 u16tmp, divide_ratio = 0;
+ u32 tuner_frequency, target_mclk;
+ s32 s32tmp;
++ static const struct reg_sequence reset_buf[] = {
++ {0x07, 0x80}, {0x07, 0x00}
++ };
+
+ dev_dbg(&client->dev,
+ "delivery_system=%d modulation=%d frequency=%u symbol_rate=%d inversion=%d pilot=%d rolloff=%d\n",
+@@ -321,11 +324,7 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe)
+ }
+
+ /* reset */
+- ret = regmap_write(dev->regmap, 0x07, 0x80);
+- if (ret)
+- goto err;
+-
+- ret = regmap_write(dev->regmap, 0x07, 0x00);
++ ret = regmap_multi_reg_write(dev->regmap, reset_buf, 2);
+ if (ret)
+ goto err;
+
+--
+2.20.1
+
--- /dev/null
+From 0ffdaba5b7078f9259ed43e4a9d6b24eceb2fd4d Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita@gmail.com>
+Date: Sat, 30 Mar 2019 10:01:31 -0400
+Subject: media: ov2659: make S_FMT succeed even if requested format doesn't
+ match
+
+[ Upstream commit bccb89cf9cd07a0690d519696a00c00a973b3fe4 ]
+
+This driver returns an error if unsupported media bus pixel code is
+requested by VIDIOC_SUBDEV_S_FMT.
+
+But according to Documentation/media/uapi/v4l/vidioc-subdev-g-fmt.rst,
+
+Drivers must not return an error solely because the requested format
+doesn't match the device capabilities. They must instead modify the
+format to match what the hardware can provide.
+
+So select default format code and return success in that case.
+
+This is detected by v4l2-compliance.
+
+Cc: "Lad, Prabhakar" <prabhakar.csengg@gmail.com>
+Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
+Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ov2659.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/i2c/ov2659.c b/drivers/media/i2c/ov2659.c
+index 49109f4f5bb4a..fadec1d705829 100644
+--- a/drivers/media/i2c/ov2659.c
++++ b/drivers/media/i2c/ov2659.c
+@@ -1117,8 +1117,10 @@ static int ov2659_set_fmt(struct v4l2_subdev *sd,
+ if (ov2659_formats[index].code == mf->code)
+ break;
+
+- if (index < 0)
+- return -EINVAL;
++ if (index < 0) {
++ index = 0;
++ mf->code = ov2659_formats[index].code;
++ }
+
+ mf->colorspace = V4L2_COLORSPACE_SRGB;
+ mf->code = ov2659_formats[index].code;
+--
+2.20.1
+
--- /dev/null
+From 8a16eba42e733dcf4c7a0af32aaac5bcb679e613 Mon Sep 17 00:00:00 2001
+From: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Date: Fri, 29 Mar 2019 21:06:09 -0400
+Subject: media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper
+
+[ Upstream commit ccdd85d518d8b9320ace1d87271f0ba2175f21fa ]
+
+In preparation for adding asynchronous subdevice support to the driver,
+don't acquire v4l2_clk from the driver .probe() callback as that may
+fail if the clock is provided by a bridge driver which may be not yet
+initialized. Move the v4l2_clk_get() to ov6650_video_probe() helper
+which is going to be converted to v4l2_subdev_internal_ops.registered()
+callback, executed only when the bridge driver is ready.
+
+Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/soc_camera/ov6650.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/media/i2c/soc_camera/ov6650.c b/drivers/media/i2c/soc_camera/ov6650.c
+index 1e9ebfda25525..4e19f5e5d8cf7 100644
+--- a/drivers/media/i2c/soc_camera/ov6650.c
++++ b/drivers/media/i2c/soc_camera/ov6650.c
+@@ -839,9 +839,16 @@ static int ov6650_video_probe(struct i2c_client *client)
+ u8 pidh, pidl, midh, midl;
+ int ret;
+
++ priv->clk = v4l2_clk_get(&client->dev, NULL);
++ if (IS_ERR(priv->clk)) {
++ ret = PTR_ERR(priv->clk);
++ dev_err(&client->dev, "v4l2_clk request err: %d\n", ret);
++ return ret;
++ }
++
+ ret = ov6650_s_power(&priv->subdev, 1);
+ if (ret < 0)
+- return ret;
++ goto eclkput;
+
+ msleep(20);
+
+@@ -878,6 +885,11 @@ static int ov6650_video_probe(struct i2c_client *client)
+
+ done:
+ ov6650_s_power(&priv->subdev, 0);
++ if (!ret)
++ return 0;
++eclkput:
++ v4l2_clk_put(priv->clk);
++
+ return ret;
+ }
+
+@@ -1035,18 +1047,9 @@ static int ov6650_probe(struct i2c_client *client,
+ priv->code = MEDIA_BUS_FMT_YUYV8_2X8;
+ priv->colorspace = V4L2_COLORSPACE_JPEG;
+
+- priv->clk = v4l2_clk_get(&client->dev, NULL);
+- if (IS_ERR(priv->clk)) {
+- ret = PTR_ERR(priv->clk);
+- goto eclkget;
+- }
+-
+ ret = ov6650_video_probe(client);
+- if (ret) {
+- v4l2_clk_put(priv->clk);
+-eclkget:
++ if (ret)
+ v4l2_ctrl_handler_free(&priv->hdl);
+- }
+
+ return ret;
+ }
+--
+2.20.1
+
--- /dev/null
+From d06cc526cc78f6bbdbfc944aea133c2a7ccc5b3b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 8 Apr 2019 05:52:38 -0400
+Subject: media: pvrusb2: Prevent a buffer overflow
+
+[ Upstream commit c1ced46c7b49ad7bc064e68d966e0ad303f917fb ]
+
+The ctrl_check_input() function is called from pvr2_ctrl_range_check().
+It's supposed to validate user supplied input and return true or false
+depending on whether the input is valid or not. The problem is that
+negative shifts or shifts greater than 31 are undefined in C. In
+practice with GCC they result in shift wrapping so this function returns
+true for some inputs which are not valid and this could result in a
+buffer overflow:
+
+ drivers/media/usb/pvrusb2/pvrusb2-ctrl.c:205 pvr2_ctrl_get_valname()
+ warn: uncapped user index 'names[val]'
+
+The cptr->hdw->input_allowed_mask mask is configured in pvr2_hdw_create()
+and the highest valid bit is BIT(4).
+
+Fixes: 7fb20fa38caa ("V4L/DVB (7299): pvrusb2: Improve logic which handles input choice availability")
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 ++
+ drivers/media/usb/pvrusb2/pvrusb2-hdw.h | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+index 0533ef20decfe..232b0fd3e4784 100644
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+@@ -670,6 +670,8 @@ static int ctrl_get_input(struct pvr2_ctrl *cptr,int *vp)
+
+ static int ctrl_check_input(struct pvr2_ctrl *cptr,int v)
+ {
++ if (v < 0 || v > PVR2_CVAL_INPUT_MAX)
++ return 0;
+ return ((1 << v) & cptr->hdw->input_allowed_mask) != 0;
+ }
+
+diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
+index a82a00dd73293..80869990ffbbb 100644
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
+@@ -54,6 +54,7 @@
+ #define PVR2_CVAL_INPUT_COMPOSITE 2
+ #define PVR2_CVAL_INPUT_SVIDEO 3
+ #define PVR2_CVAL_INPUT_RADIO 4
++#define PVR2_CVAL_INPUT_MAX PVR2_CVAL_INPUT_RADIO
+
+ enum pvr2_config {
+ pvr2_config_empty, /* No configuration */
+--
+2.20.1
+
--- /dev/null
+From 071d906f242d00d0932a8cc2a1b2d6a1676b776e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 19 Feb 2019 12:01:56 -0500
+Subject: media: saa7146: avoid high stack usage with clang
+
+[ Upstream commit 03aa4f191a36f33fce015387f84efa0eee94408e ]
+
+Two saa7146/hexium files contain a construct that causes a warning
+when built with clang:
+
+drivers/media/pci/saa7146/hexium_orion.c:210:12: error: stack frame size of 2272 bytes in function 'hexium_probe'
+ [-Werror,-Wframe-larger-than=]
+static int hexium_probe(struct saa7146_dev *dev)
+ ^
+drivers/media/pci/saa7146/hexium_gemini.c:257:12: error: stack frame size of 2304 bytes in function 'hexium_attach'
+ [-Werror,-Wframe-larger-than=]
+static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
+ ^
+
+This one happens regardless of KASAN, and the problem is that a
+constructor to initialize a dynamically allocated structure leads
+to a copy of that structure on the stack, whereas gcc initializes
+it in place.
+
+Link: https://bugs.llvm.org/show_bug.cgi?id=40776
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[hverkuil-cisco@xs4all.nl: fix checkpatch warnings]
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/saa7146/hexium_gemini.c | 5 ++---
+ drivers/media/pci/saa7146/hexium_orion.c | 5 ++---
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c
+index 03cbcd2095c6e..d4b3ce8282856 100644
+--- a/drivers/media/pci/saa7146/hexium_gemini.c
++++ b/drivers/media/pci/saa7146/hexium_gemini.c
+@@ -270,9 +270,8 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d
+ /* enable i2c-port pins */
+ saa7146_write(dev, MC1, (MASK_08 | MASK_24 | MASK_10 | MASK_26));
+
+- hexium->i2c_adapter = (struct i2c_adapter) {
+- .name = "hexium gemini",
+- };
++ strscpy(hexium->i2c_adapter.name, "hexium gemini",
++ sizeof(hexium->i2c_adapter.name));
+ saa7146_i2c_adapter_prepare(dev, &hexium->i2c_adapter, SAA7146_I2C_BUS_BIT_RATE_480);
+ if (i2c_add_adapter(&hexium->i2c_adapter) < 0) {
+ DEB_S("cannot register i2c-device. skipping.\n");
+diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c
+index 15f0d66ff78a2..214396b1ca73c 100644
+--- a/drivers/media/pci/saa7146/hexium_orion.c
++++ b/drivers/media/pci/saa7146/hexium_orion.c
+@@ -232,9 +232,8 @@ static int hexium_probe(struct saa7146_dev *dev)
+ saa7146_write(dev, DD1_STREAM_B, 0x00000000);
+ saa7146_write(dev, MC2, (MASK_09 | MASK_25 | MASK_10 | MASK_26));
+
+- hexium->i2c_adapter = (struct i2c_adapter) {
+- .name = "hexium orion",
+- };
++ strscpy(hexium->i2c_adapter.name, "hexium orion",
++ sizeof(hexium->i2c_adapter.name));
+ saa7146_i2c_adapter_prepare(dev, &hexium->i2c_adapter, SAA7146_I2C_BUS_BIT_RATE_480);
+ if (i2c_add_adapter(&hexium->i2c_adapter) < 0) {
+ DEB_S("cannot register i2c-device. skipping.\n");
+--
+2.20.1
+
--- /dev/null
+From 27595e80a573667ee8954defa3be9ee701eee729 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 26 Mar 2019 01:12:07 -0400
+Subject: media: wl128x: prevent two potential buffer overflows
+
+[ Upstream commit 9c2ccc324b3a6cbc865ab8b3e1a09e93d3c8ade9 ]
+
+Smatch marks skb->data as untrusted so it warns that "evt_hdr->dlen"
+can copy up to 255 bytes and we only have room for two bytes. Even
+if this comes from the firmware and we trust it, the new policy
+generally is just to fix it as kernel hardenning.
+
+I can't test this code so I tried to be very conservative. I considered
+not allowing "evt_hdr->dlen == 1" because it doesn't initialize the
+whole variable but in the end I decided to allow it and manually
+initialized "asic_id" and "asic_ver" to zero.
+
+Fixes: e8454ff7b9a4 ("[media] drivers:media:radio: wl128x: FM Driver Common sources")
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/radio/wl128x/fmdrv_common.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/radio/wl128x/fmdrv_common.c b/drivers/media/radio/wl128x/fmdrv_common.c
+index ebc73b0342496..51639a3f7abe4 100644
+--- a/drivers/media/radio/wl128x/fmdrv_common.c
++++ b/drivers/media/radio/wl128x/fmdrv_common.c
+@@ -494,7 +494,8 @@ int fmc_send_cmd(struct fmdev *fmdev, u8 fm_op, u16 type, void *payload,
+ return -EIO;
+ }
+ /* Send response data to caller */
+- if (response != NULL && response_len != NULL && evt_hdr->dlen) {
++ if (response != NULL && response_len != NULL && evt_hdr->dlen &&
++ evt_hdr->dlen <= payload_len) {
+ /* Skip header info and copy only response data */
+ skb_pull(skb, sizeof(struct fm_event_msg_hdr));
+ memcpy(response, skb->data, evt_hdr->dlen);
+@@ -590,6 +591,8 @@ static void fm_irq_handle_flag_getcmd_resp(struct fmdev *fmdev)
+ return;
+
+ fm_evt_hdr = (void *)skb->data;
++ if (fm_evt_hdr->dlen > sizeof(fmdev->irq_info.flag))
++ return;
+
+ /* Skip header info and copy only response data */
+ skb_pull(skb, sizeof(struct fm_event_msg_hdr));
+@@ -1315,7 +1318,7 @@ static int load_default_rx_configuration(struct fmdev *fmdev)
+ static int fm_power_up(struct fmdev *fmdev, u8 mode)
+ {
+ u16 payload;
+- __be16 asic_id, asic_ver;
++ __be16 asic_id = 0, asic_ver = 0;
+ int resp_len, ret;
+ u8 fw_name[50];
+
+--
+2.20.1
+
--- /dev/null
+From 982905e15342cbc5ede3350cd37224d23b6ebc47 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 24 Apr 2019 09:19:25 +0200
+Subject: mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older
+ GCC versions
+
+[ Upstream commit 29da93fea3ea39ab9b12270cc6be1b70ef201c9e ]
+
+Randy reported objtool triggered on his (GCC-7.4) build:
+
+ lib/strncpy_from_user.o: warning: objtool: strncpy_from_user()+0x315: call to __ubsan_handle_add_overflow() with UACCESS enabled
+ lib/strnlen_user.o: warning: objtool: strnlen_user()+0x337: call to __ubsan_handle_sub_overflow() with UACCESS enabled
+
+This is due to UBSAN generating signed-overflow-UB warnings where it
+should not. Prior to GCC-8 UBSAN ignored -fwrapv (which the kernel
+uses through -fno-strict-overflow).
+
+Make the functions use 'unsigned long' throughout.
+
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: luto@kernel.org
+Link: http://lkml.kernel.org/r/20190424072208.754094071@infradead.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/strncpy_from_user.c | 5 +++--
+ lib/strnlen_user.c | 4 ++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c
+index e0af6ff73d146..f8b1e3cb716b9 100644
+--- a/lib/strncpy_from_user.c
++++ b/lib/strncpy_from_user.c
+@@ -20,10 +20,11 @@
+ * hit it), 'max' is the address space maximum (and we return
+ * -EFAULT if we hit it).
+ */
+-static inline long do_strncpy_from_user(char *dst, const char __user *src, long count, unsigned long max)
++static inline long do_strncpy_from_user(char *dst, const char __user *src,
++ unsigned long count, unsigned long max)
+ {
+ const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
+- long res = 0;
++ unsigned long res = 0;
+
+ /*
+ * Truncate 'max' to the user-specified limit, so that
+diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c
+index 3a5f2b366d84e..1c87bfa63db7f 100644
+--- a/lib/strnlen_user.c
++++ b/lib/strnlen_user.c
+@@ -27,7 +27,7 @@
+ static inline long do_strnlen_user(const char __user *src, unsigned long count, unsigned long max)
+ {
+ const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
+- long align, res = 0;
++ unsigned long align, res = 0;
+ unsigned long c;
+
+ /*
+@@ -41,7 +41,7 @@ static inline long do_strnlen_user(const char __user *src, unsigned long count,
+ * Do everything aligned. But that means that we
+ * need to also expand the maximum..
+ */
+- align = (sizeof(long) - 1) & (unsigned long)src;
++ align = (sizeof(unsigned long) - 1) & (unsigned long)src;
+ src -= align;
+ max += align;
+
+--
+2.20.1
+
--- /dev/null
+From 364c1e631d79b3d825bdb9f2db7fc68633de4a30 Mon Sep 17 00:00:00 2001
+From: Raul E Rangel <rrangel@chromium.org>
+Date: Mon, 29 Apr 2019 11:32:39 -0600
+Subject: mmc: core: Verify SD bus width
+
+[ Upstream commit 9e4be8d03f50d1b25c38e2b59e73b194c130df7d ]
+
+The SD Physical Layer Spec says the following: Since the SD Memory Card
+shall support at least the two bus modes 1-bit or 4-bit width, then any SD
+Card shall set at least bits 0 and 2 (SD_BUS_WIDTH="0101").
+
+This change verifies the card has specified a bus width.
+
+AMD SDHC Device 7806 can get into a bad state after a card disconnect
+where anything transferred via the DATA lines will always result in a
+zero filled buffer. Currently the driver will continue without error if
+the HC is in this condition. A block device will be created, but reading
+from it will result in a zero buffer. This makes it seem like the SD
+device has been erased, when in actuality the data is never getting
+copied from the DATA lines to the data buffer.
+
+SCR is the first command in the SD initialization sequence that uses the
+DATA lines. By checking that the response was invalid, we can abort
+mounting the card.
+
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Signed-off-by: Raul E Rangel <rrangel@chromium.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/core/sd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/mmc/core/sd.c b/drivers/mmc/core/sd.c
+index 967535d76e346..fb8741f18c1f5 100644
+--- a/drivers/mmc/core/sd.c
++++ b/drivers/mmc/core/sd.c
+@@ -216,6 +216,14 @@ static int mmc_decode_scr(struct mmc_card *card)
+
+ if (scr->sda_spec3)
+ scr->cmds = UNSTUFF_BITS(resp, 32, 2);
++
++ /* SD Spec says: any SD Card shall set at least bits 0 and 2 */
++ if (!(scr->bus_widths & SD_SCR_BUS_WIDTH_1) ||
++ !(scr->bus_widths & SD_SCR_BUS_WIDTH_4)) {
++ pr_err("%s: invalid bus width\n", mmc_hostname(card->host));
++ return -EINVAL;
++ }
++
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From d7735df1090923b5ebdffbb9505d247936446e09 Mon Sep 17 00:00:00 2001
+From: Yinbo Zhu <yinbo.zhu@nxp.com>
+Date: Mon, 11 Mar 2019 02:16:40 +0000
+Subject: mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 05cb6b2a66fa7837211a060878e91be5eb10cb07 ]
+
+eSDHC-A001: The data timeout counter (SYSCTL[DTOCV]) is not
+reliable for DTOCV values 0x4(2^17 SD clock), 0x8(2^21 SD clock),
+and 0xC(2^25 SD clock). The data timeout counter can count from
+2^13–2^27, but for values 2^17, 2^21, and 2^25, the timeout
+counter counts for only 2^13 SD clocks.
+A-008358: The data timeout counter value loaded into the timeout
+counter is less than expected and can result into early timeout
+error in case of eSDHC data transactions. The table below shows
+the expected vs actual timeout period for different values of
+SYSCTL[DTOCV]:
+these two erratum has the same quirk to control it, and set
+SDHCI_QUIRK_RESET_AFTER_REQUEST to fix above issue.
+
+Signed-off-by: Yinbo Zhu <yinbo.zhu@nxp.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-of-esdhc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c
+index a5a11e7ab53b4..356b294c93c9e 100644
+--- a/drivers/mmc/host/sdhci-of-esdhc.c
++++ b/drivers/mmc/host/sdhci-of-esdhc.c
+@@ -624,8 +624,10 @@ static int sdhci_esdhc_probe(struct platform_device *pdev)
+ if (esdhc->vendor_ver > VENDOR_V_22)
+ host->quirks &= ~SDHCI_QUIRK_NO_BUSY_IRQ;
+
+- if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc"))
++ if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc")) {
+ host->quirks2 |= SDHCI_QUIRK_RESET_AFTER_REQUEST;
++ host->quirks2 |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL;
++ }
+
+ if (of_device_is_compatible(np, "fsl,p5040-esdhc") ||
+ of_device_is_compatible(np, "fsl,p5020-esdhc") ||
+--
+2.20.1
+
--- /dev/null
+From c1b088615ffed125ecf4966ea0cd3303244592b1 Mon Sep 17 00:00:00 2001
+From: Yinbo Zhu <yinbo.zhu@nxp.com>
+Date: Mon, 11 Mar 2019 02:16:36 +0000
+Subject: mmc: sdhci-of-esdhc: add erratum eSDHC5 support
+
+[ Upstream commit a46e42712596b51874f04c73f1cdf1017f88df52 ]
+
+Software writing to the Transfer Type configuration register
+(system clock domain) can cause a setup/hold violation in the
+CRC flops (card clock domain), which can cause write accesses
+to be sent with corrupt CRC values. This issue occurs only for
+write preceded by read. this erratum is to fix this issue.
+
+Signed-off-by: Yinbo Zhu <yinbo.zhu@nxp.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-of-esdhc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c
+index ac66c61d9433c..a5a11e7ab53b4 100644
+--- a/drivers/mmc/host/sdhci-of-esdhc.c
++++ b/drivers/mmc/host/sdhci-of-esdhc.c
+@@ -624,6 +624,9 @@ static int sdhci_esdhc_probe(struct platform_device *pdev)
+ if (esdhc->vendor_ver > VENDOR_V_22)
+ host->quirks &= ~SDHCI_QUIRK_NO_BUSY_IRQ;
+
++ if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc"))
++ host->quirks2 |= SDHCI_QUIRK_RESET_AFTER_REQUEST;
++
+ if (of_device_is_compatible(np, "fsl,p5040-esdhc") ||
+ of_device_is_compatible(np, "fsl,p5020-esdhc") ||
+ of_device_is_compatible(np, "fsl,p4080-esdhc") ||
+--
+2.20.1
+
--- /dev/null
+From 87f53b63c6b4583dee395a93836663746697e19b Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Mon, 11 Mar 2019 00:53:33 -0500
+Subject: mmc_spi: add a status check for spi_sync_locked
+
+[ Upstream commit 611025983b7976df0183390a63a2166411d177f1 ]
+
+In case spi_sync_locked fails, the fix reports the error and
+returns the error code upstream.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mmc_spi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/mmc/host/mmc_spi.c b/drivers/mmc/host/mmc_spi.c
+index e03ec74f3fb08..40a369c7005a8 100644
+--- a/drivers/mmc/host/mmc_spi.c
++++ b/drivers/mmc/host/mmc_spi.c
+@@ -819,6 +819,10 @@ mmc_spi_readblock(struct mmc_spi_host *host, struct spi_transfer *t,
+ }
+
+ status = spi_sync_locked(spi, &host->m);
++ if (status < 0) {
++ dev_dbg(&spi->dev, "read error %d\n", status);
++ return status;
++ }
+
+ if (host->dma_dev) {
+ dma_sync_single_for_cpu(host->dma_dev,
+--
+2.20.1
+
--- /dev/null
+From 54a037b6c83754287b645dc6414d8f139c6a5973 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 4 Apr 2019 11:44:23 +0300
+Subject: mwifiex: prevent an array overflow
+
+[ Upstream commit b4c35c17227fe437ded17ce683a6927845f8c4a4 ]
+
+The "rate_index" is only used as an index into the phist_data->rx_rate[]
+array in the mwifiex_hist_data_set() function. That array has
+MWIFIEX_MAX_AC_RX_RATES (74) elements and it's used to generate some
+debugfs information. The "rate_index" variable comes from the network
+skb->data[] and it is a u8 so it's in the 0-255 range. We need to cap
+it to prevent an array overflow.
+
+Fixes: cbf6e05527a7 ("mwifiex: add rx histogram statistics support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mwifiex/cfp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/mwifiex/cfp.c b/drivers/net/wireless/mwifiex/cfp.c
+index 3ddb8ec676ed3..6dd331dfb5179 100644
+--- a/drivers/net/wireless/mwifiex/cfp.c
++++ b/drivers/net/wireless/mwifiex/cfp.c
+@@ -533,5 +533,8 @@ u8 mwifiex_adjust_data_rate(struct mwifiex_private *priv,
+ rate_index = (rx_rate > MWIFIEX_RATE_INDEX_OFDM0) ?
+ rx_rate - 1 : rx_rate;
+
++ if (rate_index >= MWIFIEX_MAX_AC_RX_RATES)
++ rate_index = MWIFIEX_MAX_AC_RX_RATES - 1;
++
+ return rate_index;
+ }
+--
+2.20.1
+
--- /dev/null
+From 568f9d646f493553bd2b9afdef083b9c6c15c882 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Tue, 12 Mar 2019 03:05:02 -0500
+Subject: net: cw1200: fix a NULL pointer dereference
+
+[ Upstream commit 0ed2a005347400500a39ea7c7318f1fea57fb3ca ]
+
+In case create_singlethread_workqueue fails, the fix free the
+hardware and returns NULL to avoid NULL pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/cw1200/main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/cw1200/main.c b/drivers/net/wireless/cw1200/main.c
+index 0e51e27d2e3f1..317daa968e037 100644
+--- a/drivers/net/wireless/cw1200/main.c
++++ b/drivers/net/wireless/cw1200/main.c
+@@ -345,6 +345,11 @@ static struct ieee80211_hw *cw1200_init_common(const u8 *macaddr,
+ mutex_init(&priv->wsm_cmd_mux);
+ mutex_init(&priv->conf_mutex);
+ priv->workqueue = create_singlethread_workqueue("cw1200_wq");
++ if (!priv->workqueue) {
++ ieee80211_free_hw(hw);
++ return NULL;
++ }
++
+ sema_init(&priv->scan.lock, 1);
+ INIT_WORK(&priv->scan.work, cw1200_scan_work);
+ INIT_DELAYED_WORK(&priv->scan.probe_work, cw1200_probe_work);
+--
+2.20.1
+
--- /dev/null
+From 0a42179d1902b0a9b2aa10c68abe774e8f8d52e3 Mon Sep 17 00:00:00 2001
+From: Wen Yang <wen.yang99@zte.com.cn>
+Date: Fri, 12 Apr 2019 14:02:19 +0800
+Subject: pinctrl: pistachio: fix leaked of_node references
+
+[ Upstream commit 44a4455ac2c6b0981eace683a2b6eccf47689022 ]
+
+The call to of_get_child_by_name returns a node pointer with refcount
+incremented thus it must be explicitly decremented after the last
+usage.
+
+Detected by coccinelle with the following warnings:
+./drivers/pinctrl/pinctrl-pistachio.c:1422:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1360, but without a corresponding object release within this function.
+
+Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Cc: linux-gpio@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-pistachio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/pinctrl-pistachio.c b/drivers/pinctrl/pinctrl-pistachio.c
+index 98a459b1c095a..86e8d989092c8 100644
+--- a/drivers/pinctrl/pinctrl-pistachio.c
++++ b/drivers/pinctrl/pinctrl-pistachio.c
+@@ -1373,6 +1373,7 @@ static int pistachio_gpio_register(struct pistachio_pinctrl *pctl)
+ if (!of_find_property(child, "gpio-controller", NULL)) {
+ dev_err(pctl->dev,
+ "No gpio-controller property for bank %u\n", i);
++ of_node_put(child);
+ ret = -ENODEV;
+ goto err;
+ }
+@@ -1380,6 +1381,7 @@ static int pistachio_gpio_register(struct pistachio_pinctrl *pctl)
+ irq = irq_of_parse_and_map(child, 0);
+ if (irq < 0) {
+ dev_err(pctl->dev, "No IRQ for bank %u: %d\n", i, irq);
++ of_node_put(child);
+ ret = irq;
+ goto err;
+ }
+--
+2.20.1
+
--- /dev/null
+From 08f456deb611d773872574d5931c710205fad64c Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Wed, 10 Apr 2019 11:55:16 +0200
+Subject: PM / core: Propagate dev->power.wakeup_path when no callbacks
+
+[ Upstream commit dc351d4c5f4fe4d0f274d6d660227be0c3a03317 ]
+
+The dev->power.direct_complete flag may become set in device_prepare() in
+case the device don't have any PM callbacks (dev->power.no_pm_callbacks is
+set). This leads to a broken behaviour, when there is child having wakeup
+enabled and relies on its parent to be used in the wakeup path.
+
+More precisely, when the direct complete path becomes selected for the
+child in __device_suspend(), the propagation of the dev->power.wakeup_path
+becomes skipped as well.
+
+Let's address this problem, by checking if the device is a part the wakeup
+path or has wakeup enabled, then prevent the direct complete path from
+being used.
+
+Reported-by: Loic Pallardy <loic.pallardy@st.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+[ rjw: Comment cleanup ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
+index 05409141ec077..8efdb823826c8 100644
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -1378,6 +1378,10 @@ static int __device_suspend(struct device *dev, pm_message_t state, bool async)
+ if (dev->power.syscore)
+ goto Complete;
+
++ /* Avoid direct_complete to let wakeup_path propagate. */
++ if (device_may_wakeup(dev) || dev->power.wakeup_path)
++ dev->power.direct_complete = false;
++
+ if (dev->power.direct_complete) {
+ if (pm_runtime_status_suspended(dev)) {
+ pm_runtime_disable(dev);
+--
+2.20.1
+
--- /dev/null
+From 4dd85d768a56ed9a0a1a531d805329304a556600 Mon Sep 17 00:00:00 2001
+From: Bo YU <tsu.yubo@gmail.com>
+Date: Tue, 30 Oct 2018 09:21:55 -0400
+Subject: powerpc/boot: Fix missing check of lseek() return value
+
+[ Upstream commit 5d085ec04a000fefb5182d3b03ee46ca96d8389b ]
+
+This is detected by Coverity scan: CID: 1440481
+
+Signed-off-by: Bo YU <tsu.yubo@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/addnote.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/boot/addnote.c b/arch/powerpc/boot/addnote.c
+index 9d9f6f334d3cc..3da3e2b1b51bc 100644
+--- a/arch/powerpc/boot/addnote.c
++++ b/arch/powerpc/boot/addnote.c
+@@ -223,7 +223,11 @@ main(int ac, char **av)
+ PUT_16(E_PHNUM, np + 2);
+
+ /* write back */
+- lseek(fd, (long) 0, SEEK_SET);
++ i = lseek(fd, (long) 0, SEEK_SET);
++ if (i < 0) {
++ perror("lseek");
++ exit(1);
++ }
+ i = write(fd, buf, n);
+ if (i < 0) {
+ perror("write");
+--
+2.20.1
+
--- /dev/null
+From 42b02c1f8b7584c6fcdd7cd458269c72464e64c3 Mon Sep 17 00:00:00 2001
+From: Nathan Lynch <nathanl@linux.ibm.com>
+Date: Thu, 18 Apr 2019 13:56:57 -0500
+Subject: powerpc/numa: improve control of topology updates
+
+[ Upstream commit 2d4d9b308f8f8dec68f6dbbff18c68ec7c6bd26f ]
+
+When booted with "topology_updates=no", or when "off" is written to
+/proc/powerpc/topology_updates, NUMA reassignments are inhibited for
+PRRN and VPHN events. However, migration and suspend unconditionally
+re-enable reassignments via start_topology_update(). This is
+incoherent.
+
+Check the topology_updates_enabled flag in
+start/stop_topology_update() so that callers of those APIs need not be
+aware of whether reassignments are enabled. This allows the
+administrative decision on reassignments to remain in force across
+migrations and suspensions.
+
+Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/mm/numa.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c
+index bb3df222ae71f..215bff2b84703 100644
+--- a/arch/powerpc/mm/numa.c
++++ b/arch/powerpc/mm/numa.c
+@@ -1611,6 +1611,9 @@ int start_topology_update(void)
+ {
+ int rc = 0;
+
++ if (!topology_updates_enabled)
++ return 0;
++
+ if (firmware_has_feature(FW_FEATURE_PRRN)) {
+ if (!prrn_enabled) {
+ prrn_enabled = 1;
+@@ -1640,6 +1643,9 @@ int stop_topology_update(void)
+ {
+ int rc = 0;
+
++ if (!topology_updates_enabled)
++ return 0;
++
+ if (prrn_enabled) {
+ prrn_enabled = 0;
+ #ifdef CONFIG_SMP
+@@ -1685,11 +1691,13 @@ static ssize_t topology_write(struct file *file, const char __user *buf,
+
+ kbuf[read_len] = '\0';
+
+- if (!strncmp(kbuf, "on", 2))
++ if (!strncmp(kbuf, "on", 2)) {
++ topology_updates_enabled = true;
+ start_topology_update();
+- else if (!strncmp(kbuf, "off", 3))
++ } else if (!strncmp(kbuf, "off", 3)) {
+ stop_topology_update();
+- else
++ topology_updates_enabled = false;
++ } else
+ return -EINVAL;
+
+ return count;
+@@ -1704,9 +1712,7 @@ static const struct file_operations topology_ops = {
+
+ static int topology_update_init(void)
+ {
+- /* Do not poll for changes if disabled at boot */
+- if (topology_updates_enabled)
+- start_topology_update();
++ start_topology_update();
+
+ if (!proc_create("powerpc/topology_updates", 0644, NULL, &topology_ops))
+ return -ENOMEM;
+--
+2.20.1
+
--- /dev/null
+From 934b974e4b3d1245ba60db9061e98da902eb8291 Mon Sep 17 00:00:00 2001
+From: "Paul E. McKenney" <paulmck@linux.ibm.com>
+Date: Thu, 21 Mar 2019 09:27:28 -0700
+Subject: rcutorture: Fix cleanup path for invalid torture_type strings
+
+[ Upstream commit b813afae7ab6a5e91b4e16cc567331d9c2ae1f04 ]
+
+If the specified rcutorture.torture_type is not in the rcu_torture_init()
+function's torture_ops[] array, rcutorture prints some console messages
+and then invokes rcu_torture_cleanup() to set state so that a future
+torture test can run. However, rcu_torture_cleanup() also attempts to
+end the test that didn't actually start, and in doing so relies on the
+value of cur_ops, a value that is not particularly relevant in this case.
+This can result in confusing output or even follow-on failures due to
+attempts to use facilities that have not been properly initialized.
+
+This commit therefore sets the value of cur_ops to NULL in this case
+and inserts a check near the beginning of rcu_torture_cleanup(),
+thus avoiding relying on an irrelevant cur_ops value.
+
+Reported-by: kernel test robot <rong.a.chen@intel.com>
+Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/rcutorture.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
+index d89328e260df6..041a02b334d73 100644
+--- a/kernel/rcu/rcutorture.c
++++ b/kernel/rcu/rcutorture.c
+@@ -1603,6 +1603,10 @@ rcu_torture_cleanup(void)
+ cur_ops->cb_barrier();
+ return;
+ }
++ if (!cur_ops) {
++ torture_cleanup_end();
++ return;
++ }
+
+ rcu_torture_barrier_cleanup();
+ torture_stop_kthread(rcu_torture_stall, stall_task);
+@@ -1741,6 +1745,7 @@ rcu_torture_init(void)
+ pr_alert(" %s", torture_ops[i]->name);
+ pr_alert("\n");
+ firsterr = -EINVAL;
++ cur_ops = NULL;
+ goto unwind;
+ }
+ if (cur_ops->fqs == NULL && fqs_duration != 0) {
+--
+2.20.1
+
--- /dev/null
+From 33963c60bb63145227c96a9593526841d7f74809 Mon Sep 17 00:00:00 2001
+From: Parav Pandit <parav@mellanox.com>
+Date: Wed, 10 Apr 2019 11:23:04 +0300
+Subject: RDMA/cma: Consider scope_id while binding to ipv6 ll address
+
+[ Upstream commit 5d7ed2f27bbd482fd29e6b2e204b1a1ee8a0b268 ]
+
+When two netdev have same link local addresses (such as vlan and non
+vlan), two rdma cm listen id should be able to bind to following different
+addresses.
+
+listener-1: addr=lla, scope_id=A, port=X
+listener-2: addr=lla, scope_id=B, port=X
+
+However while comparing the addresses only addr and port are considered,
+due to which 2nd listener fails to listen.
+
+In below example of two listeners, 2nd listener is failing with address in
+use error.
+
+$ rping -sv -a fe80::268a:7ff:feb3:d113%ens2f1 -p 4545&
+
+$ rping -sv -a fe80::268a:7ff:feb3:d113%ens2f1.200 -p 4545
+rdma_bind_addr: Address already in use
+
+To overcome this, consider the scope_ids as well which forms the accurate
+IPv6 link local address.
+
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 1454290078def..76e7eca35a110 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -902,18 +902,31 @@ static inline int cma_any_addr(struct sockaddr *addr)
+ return cma_zero_addr(addr) || cma_loopback_addr(addr);
+ }
+
+-static int cma_addr_cmp(struct sockaddr *src, struct sockaddr *dst)
++static int cma_addr_cmp(const struct sockaddr *src, const struct sockaddr *dst)
+ {
+ if (src->sa_family != dst->sa_family)
+ return -1;
+
+ switch (src->sa_family) {
+ case AF_INET:
+- return ((struct sockaddr_in *) src)->sin_addr.s_addr !=
+- ((struct sockaddr_in *) dst)->sin_addr.s_addr;
+- case AF_INET6:
+- return ipv6_addr_cmp(&((struct sockaddr_in6 *) src)->sin6_addr,
+- &((struct sockaddr_in6 *) dst)->sin6_addr);
++ return ((struct sockaddr_in *)src)->sin_addr.s_addr !=
++ ((struct sockaddr_in *)dst)->sin_addr.s_addr;
++ case AF_INET6: {
++ struct sockaddr_in6 *src_addr6 = (struct sockaddr_in6 *)src;
++ struct sockaddr_in6 *dst_addr6 = (struct sockaddr_in6 *)dst;
++ bool link_local;
++
++ if (ipv6_addr_cmp(&src_addr6->sin6_addr,
++ &dst_addr6->sin6_addr))
++ return 1;
++ link_local = ipv6_addr_type(&dst_addr6->sin6_addr) &
++ IPV6_ADDR_LINKLOCAL;
++ /* Link local must match their scope_ids */
++ return link_local ? (src_addr6->sin6_scope_id !=
++ dst_addr6->sin6_scope_id) :
++ 0;
++ }
++
+ default:
+ return ib_addr_cmp(&((struct sockaddr_ib *) src)->sib_addr,
+ &((struct sockaddr_ib *) dst)->sib_addr);
+--
+2.20.1
+
--- /dev/null
+From ea539ce1e1373c013ccedfb6cddc97661b5b59fe Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Sat, 13 Apr 2019 17:00:26 +0100
+Subject: RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure
+
+[ Upstream commit a6d2a5a92e67d151c98886babdc86d530d27111c ]
+
+Currently if alloc_skb fails to allocate the skb a null skb is passed to
+t4_set_arp_err_handler and this ends up dereferencing the null skb. Avoid
+the NULL pointer dereference by checking for a NULL skb and returning
+early.
+
+Addresses-Coverity: ("Dereference null return")
+Fixes: b38a0ad8ec11 ("RDMA/cxgb4: Set arp error handler for PASS_ACCEPT_RPL messages")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index c9cffced00ca1..54fd4d81a3f1f 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -360,6 +360,8 @@ static struct sk_buff *get_skb(struct sk_buff *skb, int len, gfp_t gfp)
+ skb_reset_transport_header(skb);
+ } else {
+ skb = alloc_skb(len, gfp);
++ if (!skb)
++ return NULL;
+ }
+ t4_set_arp_err_handler(skb, NULL, NULL);
+ return skb;
+--
+2.20.1
+
--- /dev/null
+From 90079eaf32c2a7da3b24b1fa3fdfc227d39aff07 Mon Sep 17 00:00:00 2001
+From: Sven Van Asbroeck <thesven73@gmail.com>
+Date: Fri, 26 Apr 2019 14:36:35 -0400
+Subject: rtc: 88pm860x: prevent use-after-free on device remove
+
+[ Upstream commit f22b1ba15ee5785aa028384ebf77dd39e8e47b70 ]
+
+The device's remove() attempts to shut down the delayed_work scheduled
+on the kernel-global workqueue by calling flush_scheduled_work().
+
+Unfortunately, flush_scheduled_work() does not prevent the delayed_work
+from re-scheduling itself. The delayed_work might run after the device
+has been removed, and touch the already de-allocated info structure.
+This is a potential use-after-free.
+
+Fix by calling cancel_delayed_work_sync() during remove(): this ensures
+that the delayed work is properly cancelled, is no longer running, and
+is not able to re-schedule itself.
+
+This issue was detected with the help of Coccinelle.
+
+Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-88pm860x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-88pm860x.c b/drivers/rtc/rtc-88pm860x.c
+index 19e53b3b8e005..166faae3a59cd 100644
+--- a/drivers/rtc/rtc-88pm860x.c
++++ b/drivers/rtc/rtc-88pm860x.c
+@@ -414,7 +414,7 @@ static int pm860x_rtc_remove(struct platform_device *pdev)
+ struct pm860x_rtc_info *info = platform_get_drvdata(pdev);
+
+ #ifdef VRTC_CALIBRATION
+- flush_scheduled_work();
++ cancel_delayed_work_sync(&info->calib_work);
+ /* disable measurement */
+ pm860x_set_bits(info->i2c, PM8607_MEAS_EN2, MEAS2_VRTC, 0);
+ #endif /* VRTC_CALIBRATION */
+--
+2.20.1
+
--- /dev/null
+From efe49bfc86f78ad7c1514843b5c699783dc8724a Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Tue, 12 Mar 2019 02:56:33 -0500
+Subject: rtlwifi: fix a potential NULL pointer dereference
+
+[ Upstream commit 765976285a8c8db3f0eb7f033829a899d0c2786e ]
+
+In case alloc_workqueue fails, the fix reports the error and
+returns to avoid NULL pointer dereference.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/base.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
+index aab752328c269..5013d8c1d4a60 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/base.c
++++ b/drivers/net/wireless/realtek/rtlwifi/base.c
+@@ -466,6 +466,11 @@ static void _rtl_init_deferred_work(struct ieee80211_hw *hw)
+ /* <2> work queue */
+ rtlpriv->works.hw = hw;
+ rtlpriv->works.rtl_wq = alloc_workqueue("%s", 0, 0, rtlpriv->cfg->name);
++ if (unlikely(!rtlpriv->works.rtl_wq)) {
++ pr_err("Failed to allocate work queue\n");
++ return;
++ }
++
+ INIT_DELAYED_WORK(&rtlpriv->works.watchdog_wq,
+ (void *)rtl_watchdog_wq_callback);
+ INIT_DELAYED_WORK(&rtlpriv->works.ips_nic_off_wq,
+--
+2.20.1
+
--- /dev/null
+From 39ac0e0d8f05ca344c24f76e36508970eecdfd9b Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 8 Apr 2019 23:26:20 +0200
+Subject: s390: cio: fix cio_irb declaration
+
+[ Upstream commit e91012ee855ad9f5ef2ab106a3de51db93fe4d0c ]
+
+clang points out that the declaration of cio_irb does not match the
+definition exactly, it is missing the alignment attribute:
+
+../drivers/s390/cio/cio.c:50:1: warning: section does not match previous declaration [-Wsection]
+DEFINE_PER_CPU_ALIGNED(struct irb, cio_irb);
+^
+../include/linux/percpu-defs.h:150:2: note: expanded from macro 'DEFINE_PER_CPU_ALIGNED'
+ DEFINE_PER_CPU_SECTION(type, name, PER_CPU_ALIGNED_SECTION) \
+ ^
+../include/linux/percpu-defs.h:93:9: note: expanded from macro 'DEFINE_PER_CPU_SECTION'
+ extern __PCPU_ATTRS(sec) __typeof__(type) name; \
+ ^
+../include/linux/percpu-defs.h:49:26: note: expanded from macro '__PCPU_ATTRS'
+ __percpu __attribute__((section(PER_CPU_BASE_SECTION sec))) \
+ ^
+../drivers/s390/cio/cio.h:118:1: note: previous attribute is here
+DECLARE_PER_CPU(struct irb, cio_irb);
+^
+../include/linux/percpu-defs.h:111:2: note: expanded from macro 'DECLARE_PER_CPU'
+ DECLARE_PER_CPU_SECTION(type, name, "")
+ ^
+../include/linux/percpu-defs.h:87:9: note: expanded from macro 'DECLARE_PER_CPU_SECTION'
+ extern __PCPU_ATTRS(sec) __typeof__(type) name
+ ^
+../include/linux/percpu-defs.h:49:26: note: expanded from macro '__PCPU_ATTRS'
+ __percpu __attribute__((section(PER_CPU_BASE_SECTION sec))) \
+ ^
+Use DECLARE_PER_CPU_ALIGNED() here, to make the two match.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Sebastian Ott <sebott@linux.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/cio.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/s390/cio/cio.h b/drivers/s390/cio/cio.h
+index a01376ae17493..fdb87520543fe 100644
+--- a/drivers/s390/cio/cio.h
++++ b/drivers/s390/cio/cio.h
+@@ -102,7 +102,7 @@ struct subchannel {
+ struct schib_config config;
+ } __attribute__ ((aligned(8)));
+
+-DECLARE_PER_CPU(struct irb, cio_irb);
++DECLARE_PER_CPU_ALIGNED(struct irb, cio_irb);
+
+ #define to_subchannel(n) container_of(n, struct subchannel, dev)
+
+--
+2.20.1
+
--- /dev/null
+From 7b117a3e1c3bfe529ae3ca8845809f6a18b0ff17 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Wed, 27 Feb 2019 11:10:20 +0300
+Subject: sched/core: Check quota and period overflow at usec to nsec
+ conversion
+
+[ Upstream commit 1a8b4540db732ca16c9e43ac7c08b1b8f0b252d8 ]
+
+Large values could overflow u64 and pass following sanity checks.
+
+ # echo 18446744073750000 > cpu.cfs_period_us
+ # cat cpu.cfs_period_us
+ 40448
+
+ # echo 18446744073750000 > cpu.cfs_quota_us
+ # cat cpu.cfs_quota_us
+ 40448
+
+After this patch they will fail with -EINVAL.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/155125502079.293431.3947497929372138600.stgit@buzz
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index d35a7d528ea66..1ef2fb4bbd6bd 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -8460,8 +8460,10 @@ int tg_set_cfs_quota(struct task_group *tg, long cfs_quota_us)
+ period = ktime_to_ns(tg->cfs_bandwidth.period);
+ if (cfs_quota_us < 0)
+ quota = RUNTIME_INF;
+- else
++ else if ((u64)cfs_quota_us <= U64_MAX / NSEC_PER_USEC)
+ quota = (u64)cfs_quota_us * NSEC_PER_USEC;
++ else
++ return -EINVAL;
+
+ return tg_set_cfs_bandwidth(tg, period, quota);
+ }
+@@ -8483,6 +8485,9 @@ int tg_set_cfs_period(struct task_group *tg, long cfs_period_us)
+ {
+ u64 quota, period;
+
++ if ((u64)cfs_period_us > U64_MAX / NSEC_PER_USEC)
++ return -EINVAL;
++
+ period = (u64)cfs_period_us * NSEC_PER_USEC;
+ quota = tg->cfs_bandwidth.quota;
+
+--
+2.20.1
+
--- /dev/null
+From b71440acfd194bfd362c4d16dcf2856fdf01b8fd Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Wed, 27 Feb 2019 11:10:18 +0300
+Subject: sched/core: Handle overflow in cpu_shares_write_u64
+
+[ Upstream commit 5b61d50ab4ef590f5e1d4df15cd2cea5f5715308 ]
+
+Bit shift in scale_load() could overflow shares. This patch saturates
+it to MAX_SHARES like following sched_group_set_shares().
+
+Example:
+
+ # echo 9223372036854776832 > cpu.shares
+ # cat cpu.shares
+
+Before patch: 1024
+After pattch: 262144
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/155125501891.293431.3345233332801109696.stgit@buzz
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 1ef2fb4bbd6bd..0e70bfeded7fd 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -8361,6 +8361,8 @@ static void cpu_cgroup_attach(struct cgroup_taskset *tset)
+ static int cpu_shares_write_u64(struct cgroup_subsys_state *css,
+ struct cftype *cftype, u64 shareval)
+ {
++ if (shareval > scale_load_down(ULONG_MAX))
++ shareval = MAX_SHARES;
+ return sched_group_set_shares(css_tg(css), scale_load(shareval));
+ }
+
+--
+2.20.1
+
--- /dev/null
+From b7b72a33e073279bcf55cc1d3a0f8550cd9d093b Mon Sep 17 00:00:00 2001
+From: John Garry <john.garry@huawei.com>
+Date: Fri, 12 Apr 2019 16:57:56 +0800
+Subject: scsi: libsas: Do discovery on empty PHY to update PHY info
+
+[ Upstream commit d8649fc1c5e40e691d589ed825998c36a947491c ]
+
+When we discover the PHY is empty in sas_rediscover_dev(), the PHY
+information (like negotiated linkrate) is not updated.
+
+As such, for a user examining sysfs for that PHY, they would see
+incorrect values:
+
+root@(none)$ cd /sys/class/sas_phy/phy-0:0:20
+root@(none)$ more negotiated_linkrate
+3.0 Gbit
+root@(none)$ echo 0 > enable
+root@(none)$ more negotiated_linkrate
+3.0 Gbit
+
+So fix this, simply discover the PHY again, even though we know it's empty;
+in the above example, this gives us:
+
+root@(none)$ more negotiated_linkrate
+Phy disabled
+
+We must do this after unregistering the device associated with the PHY
+(in sas_unregister_devs_sas_addr()).
+
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libsas/sas_expander.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
+index 1a6f65db615e8..ee1f9ee995e53 100644
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -2027,6 +2027,11 @@ static int sas_rediscover_dev(struct domain_device *dev, int phy_id, bool last)
+ if ((SAS_ADDR(sas_addr) == 0) || (res == -ECOMM)) {
+ phy->phy_state = PHY_EMPTY;
+ sas_unregister_devs_sas_addr(dev, phy_id, last);
++ /*
++ * Even though the PHY is empty, for convenience we discover
++ * the PHY to update the PHY info, like negotiated linkrate.
++ */
++ sas_ex_phy_discover(dev, phy_id);
+ return res;
+ } else if (SAS_ADDR(sas_addr) == SAS_ADDR(phy->attached_sas_addr) &&
+ dev_type_flutter(type, phy->attached_dev_type)) {
+--
+2.20.1
+
--- /dev/null
+From 8b6cc19e49e45f2afe61b2586eb250206eebc1b2 Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Tue, 12 Mar 2019 16:30:07 -0700
+Subject: scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices
+
+[ Upstream commit c95a3b4b0fb8d351e2329a96f87c4fc96a149505 ]
+
+During debug, it was seen that the driver is issuing commands specific to
+SLI3 on SLI4 devices. Although the adapter correctly rejected the command,
+this should not be done.
+
+Revise the code to stop sending these commands on a SLI4 adapter.
+
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_hbadisc.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
+index 4131addfb8729..a67950908db17 100644
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -902,7 +902,11 @@ lpfc_linkdown(struct lpfc_hba *phba)
+ lpfc_linkdown_port(vports[i]);
+ }
+ lpfc_destroy_vport_work_array(phba, vports);
+- /* Clean up any firmware default rpi's */
++
++ /* Clean up any SLI3 firmware default rpi's */
++ if (phba->sli_rev > LPFC_SLI_REV3)
++ goto skip_unreg_did;
++
+ mb = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
+ if (mb) {
+ lpfc_unreg_did(phba, 0xffff, LPFC_UNREG_ALL_DFLT_RPIS, mb);
+@@ -914,6 +918,7 @@ lpfc_linkdown(struct lpfc_hba *phba)
+ }
+ }
+
++ skip_unreg_did:
+ /* Setup myDID for link up if we are in pt2pt mode */
+ if (phba->pport->fc_flag & FC_PT2PT) {
+ phba->pport->fc_myDID = 0;
+@@ -4647,6 +4652,10 @@ lpfc_unreg_default_rpis(struct lpfc_vport *vport)
+ LPFC_MBOXQ_t *mbox;
+ int rc;
+
++ /* Unreg DID is an SLI3 operation. */
++ if (phba->sli_rev > LPFC_SLI_REV3)
++ return;
++
+ mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
+ if (mbox) {
+ lpfc_unreg_did(phba, vport->vpi, LPFC_UNREG_ALL_DFLT_RPIS,
+--
+2.20.1
+
--- /dev/null
+From 8256f43fcb13e186302a89124f75ed439fa263ba Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 22 Mar 2019 15:25:03 +0100
+Subject: scsi: qla4xxx: avoid freeing unallocated dma memory
+
+[ Upstream commit 608f729c31d4caf52216ea00d20092a80959256d ]
+
+Clang -Wuninitialized notices that on is_qla40XX we never allocate any DMA
+memory in get_fw_boot_info() but attempt to free it anyway:
+
+drivers/scsi/qla4xxx/ql4_os.c:5915:7: error: variable 'buf_dma' is used uninitialized whenever 'if' condition is false
+ [-Werror,-Wsometimes-uninitialized]
+ if (!(val & 0x07)) {
+ ^~~~~~~~~~~~~
+drivers/scsi/qla4xxx/ql4_os.c:5985:47: note: uninitialized use occurs here
+ dma_free_coherent(&ha->pdev->dev, size, buf, buf_dma);
+ ^~~~~~~
+drivers/scsi/qla4xxx/ql4_os.c:5915:3: note: remove the 'if' if its condition is always true
+ if (!(val & 0x07)) {
+ ^~~~~~~~~~~~~~~~~~~
+drivers/scsi/qla4xxx/ql4_os.c:5885:20: note: initialize the variable 'buf_dma' to silence this warning
+ dma_addr_t buf_dma;
+ ^
+ = 0
+
+Skip the call to dma_free_coherent() here.
+
+Fixes: 2a991c215978 ("[SCSI] qla4xxx: Boot from SAN support for open-iscsi")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla4xxx/ql4_os.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
+index c158967b59d7b..d220b4f691c77 100644
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -5939,7 +5939,7 @@ static int get_fw_boot_info(struct scsi_qla_host *ha, uint16_t ddb_index[])
+ val = rd_nvram_byte(ha, sec_addr);
+ if (val & BIT_7)
+ ddb_index[1] = (val & 0x7f);
+-
++ goto exit_boot_info;
+ } else if (is_qla80XX(ha)) {
+ buf = dma_alloc_coherent(&ha->pdev->dev, size,
+ &buf_dma, GFP_KERNEL);
+--
+2.20.1
+
--- /dev/null
+From 256ccd0ba857bc1395094cb3bd8c03a6aca9b537 Mon Sep 17 00:00:00 2001
+From: Stanley Chu <stanley.chu@mediatek.com>
+Date: Thu, 28 Mar 2019 17:16:24 +0800
+Subject: scsi: ufs: Avoid configuring regulator with undefined voltage range
+
+[ Upstream commit 3b141e8cfd54ba3e5c610717295b2a02aab26a05 ]
+
+For regulators used by UFS, vcc, vccq and vccq2 will have voltage range
+initialized by ufshcd_populate_vreg(), however other regulators may have
+undefined voltage range if dt-bindings have no such definition.
+
+In above undefined case, both "min_uV" and "max_uV" fields in ufs_vreg
+struct will be zero values and these values will be configured on
+regulators in different power modes.
+
+Currently this may have no harm if both "min_uV" and "max_uV" always keep
+"zero values" because regulator_set_voltage() will always bypass such
+invalid values and return "good" results.
+
+However improper values shall be fixed to avoid potential bugs. Simply
+bypass voltage configuration if voltage range is not defined.
+
+Signed-off-by: Stanley Chu <stanley.chu@mediatek.com>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Acked-by: Alim Akhtar <alim.akhtar@samsung.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index ed76381fce4cc..7322a17660d10 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -4434,12 +4434,15 @@ static int ufshcd_config_vreg(struct device *dev,
+ name = vreg->name;
+
+ if (regulator_count_voltages(reg) > 0) {
+- min_uV = on ? vreg->min_uV : 0;
+- ret = regulator_set_voltage(reg, min_uV, vreg->max_uV);
+- if (ret) {
+- dev_err(dev, "%s: %s set voltage failed, err=%d\n",
++ if (vreg->min_uV && vreg->max_uV) {
++ min_uV = on ? vreg->min_uV : 0;
++ ret = regulator_set_voltage(reg, min_uV, vreg->max_uV);
++ if (ret) {
++ dev_err(dev,
++ "%s: %s set voltage failed, err=%d\n",
+ __func__, name, ret);
+- goto out;
++ goto out;
++ }
+ }
+
+ uA_load = on ? vreg->max_uA : 0;
+--
+2.20.1
+
--- /dev/null
+From 3710d2d4878dd86e1f8a53de6347442bc0958cf3 Mon Sep 17 00:00:00 2001
+From: Stanley Chu <stanley.chu@mediatek.com>
+Date: Thu, 28 Mar 2019 17:16:25 +0800
+Subject: scsi: ufs: Fix regulator load and icc-level configuration
+
+[ Upstream commit 0487fff76632ec023d394a05b82e87a971db8c03 ]
+
+Currently if a regulator has "<name>-fixed-regulator" property in device
+tree, it will skip current limit initialization. This lead to a zero
+"max_uA" value in struct ufs_vreg.
+
+However, "regulator_set_load" operation shall be required on regulators
+which have valid current limits, otherwise a zero "max_uA" set by
+"regulator_set_load" may cause unexpected behavior when this regulator is
+enabled or set as high power mode.
+
+Similarly, in device's icc_level configuration flow, the target icc_level
+shall be updated if regulator also has valid current limit, otherwise a
+wrong icc_level will be calculated by zero "max_uA" and thus causes
+unexpected results after it is written to device.
+
+Signed-off-by: Stanley Chu <stanley.chu@mediatek.com>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Acked-by: Alim Akhtar <alim.akhtar@samsung.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index c94d465de941e..ed76381fce4cc 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -4144,19 +4144,19 @@ static u32 ufshcd_find_max_sup_active_icc_level(struct ufs_hba *hba,
+ goto out;
+ }
+
+- if (hba->vreg_info.vcc)
++ if (hba->vreg_info.vcc && hba->vreg_info.vcc->max_uA)
+ icc_level = ufshcd_get_max_icc_level(
+ hba->vreg_info.vcc->max_uA,
+ POWER_DESC_MAX_ACTV_ICC_LVLS - 1,
+ &desc_buf[PWR_DESC_ACTIVE_LVLS_VCC_0]);
+
+- if (hba->vreg_info.vccq)
++ if (hba->vreg_info.vccq && hba->vreg_info.vccq->max_uA)
+ icc_level = ufshcd_get_max_icc_level(
+ hba->vreg_info.vccq->max_uA,
+ icc_level,
+ &desc_buf[PWR_DESC_ACTIVE_LVLS_VCCQ_0]);
+
+- if (hba->vreg_info.vccq2)
++ if (hba->vreg_info.vccq2 && hba->vreg_info.vccq2->max_uA)
+ icc_level = ufshcd_get_max_icc_level(
+ hba->vreg_info.vccq2->max_uA,
+ icc_level,
+@@ -4390,6 +4390,15 @@ static int ufshcd_config_vreg_load(struct device *dev, struct ufs_vreg *vreg,
+ if (!vreg)
+ return 0;
+
++ /*
++ * "set_load" operation shall be required on those regulators
++ * which specifically configured current limitation. Otherwise
++ * zero max_uA may cause unexpected behavior when regulator is
++ * enabled or set as high power mode.
++ */
++ if (!vreg->max_uA)
++ return 0;
++
+ ret = regulator_set_load(vreg->reg, ua);
+ if (ret < 0) {
+ dev_err(dev, "%s: %s set load (ua=%d) failed, err=%d\n",
+--
+2.20.1
+
at76c50x-usb-don-t-register-led_trigger-if-usb_register_driver-failed.patch
perf-tools-no-need-to-include-bitops.h-in-util.h.patch
tools-include-adopt-linux-bits.h.patch
+gfs2-fix-lru_count-going-negative.patch
+cxgb4-fix-error-path-in-cxgb4_init_module.patch
+mmc-core-verify-sd-bus-width.patch
+powerpc-boot-fix-missing-check-of-lseek-return-value.patch
+asoc-imx-fix-fiq-dependencies.patch
+spi-pxa2xx-fix-scr-divisor-calculation.patch
+brcm80211-potential-null-dereference-in-brcmf_cfg802.patch
+rtc-88pm860x-prevent-use-after-free-on-device-remove.patch
+w1-fix-the-resume-command-api.patch
+dmaengine-pl330-_stop-clear-interrupt-status.patch
+mac80211-cfg80211-update-bss-channel-on-channel-swit.patch
+asoc-fsl_sai-update-is_slave_mode-with-correct-value.patch
+mwifiex-prevent-an-array-overflow.patch
+net-cw1200-fix-a-null-pointer-dereference.patch
+bcache-return-error-immediately-in-bch_journal_repla.patch
+bcache-fix-failure-in-journal-relplay.patch
+bcache-add-failure-check-to-run_cache_set-for-journa.patch
+bcache-avoid-clang-wunintialized-warning.patch
+rdma-cma-consider-scope_id-while-binding-to-ipv6-ll-.patch
+x86-build-move-_etext-to-actual-end-of-.text.patch
+smpboot-place-the-__percpu-annotation-correctly.patch
+x86-mm-remove-in_nmi-warning-from-64-bit-implementat.patch
+mm-uaccess-use-unsigned-long-to-placate-ubsan-warnin.patch
+hid-logitech-hidpp-use-rap-instead-of-fap-to-get-the.patch
+pinctrl-pistachio-fix-leaked-of_node-references.patch
+dmaengine-at_xdmac-remove-bug_on-macro-in-tasklet.patch
+media-coda-clear-error-return-value-before-picture-r.patch
+media-ov6650-move-v4l2_clk_get-to-ov6650_video_probe.patch
+media-au0828-stop-video-streaming-only-when-last-use.patch
+media-ov2659-make-s_fmt-succeed-even-if-requested-fo.patch
+audit-fix-a-memory-leak-bug.patch
+media-au0828-fix-null-pointer-dereference-in-au0828_.patch
+media-pvrusb2-prevent-a-buffer-overflow.patch
+powerpc-numa-improve-control-of-topology-updates.patch
+sched-core-check-quota-and-period-overflow-at-usec-t.patch
+sched-core-handle-overflow-in-cpu_shares_write_u64.patch
+usb-core-don-t-unbind-interfaces-following-device-re.patch
+x86-irq-64-limit-ist-stack-overflow-check-to-db-stac.patch
+i40e-don-t-allow-changes-to-hw-vlan-stripping-on-act.patch
+rdma-cxgb4-fix-null-pointer-dereference-on-alloc_skb.patch
+hwmon-vt1211-use-request_muxed_region-for-super-io-a.patch
+hwmon-smsc47m1-use-request_muxed_region-for-super-io.patch
+hwmon-smsc47b397-use-request_muxed_region-for-super-.patch
+hwmon-pc87427-use-request_muxed_region-for-super-io-.patch
+hwmon-f71805f-use-request_muxed_region-for-super-io-.patch
+scsi-libsas-do-discovery-on-empty-phy-to-update-phy-.patch
+mmc_spi-add-a-status-check-for-spi_sync_locked.patch
+mmc-sdhci-of-esdhc-add-erratum-esdhc5-support.patch
+mmc-sdhci-of-esdhc-add-erratum-esdhc-a001-and-a-0083.patch
+pm-core-propagate-dev-power.wakeup_path-when-no-call.patch
+extcon-arizona-disable-mic-detect-if-running-when-dr.patch
+s390-cio-fix-cio_irb-declaration.patch
+cpufreq-ppc_cbe-fix-possible-object-reference-leak.patch
+cpufreq-pasemi-fix-possible-object-reference-leak.patch
+cpufreq-pmac32-fix-possible-object-reference-leak.patch
+x86-build-keep-local-relocations-with-ld.lld.patch
+iio-ad_sigma_delta-properly-handle-spi-bus-locking-v.patch
+iio-hmc5843-fix-potential-null-pointer-dereferences.patch
+iio-common-ssp_sensors-initialize-calculated_time-in.patch
+rtlwifi-fix-a-potential-null-pointer-dereference.patch
+brcmfmac-fix-missing-checks-for-kmemdup.patch
+b43-shut-up-clang-wuninitialized-variable-warning.patch
+brcmfmac-convert-dev_init_lock-mutex-to-completion.patch
+brcmfmac-fix-race-during-disconnect-when-usb-complet.patch
+scsi-ufs-fix-regulator-load-and-icc-level-configurat.patch
+scsi-ufs-avoid-configuring-regulator-with-undefined-.patch
+arm64-cpu_ops-fix-a-leaked-reference-by-adding-missi.patch
+x86-ia32-fix-ia32_restore_sigcontext-ac-leak.patch
+chardev-add-additional-check-for-minor-range-overlap.patch
+hid-core-move-usage-page-concatenation-to-main-item.patch
+asoc-eukrea-tlv320-fix-a-leaked-reference-by-adding-.patch
+asoc-fsl_utils-fix-a-leaked-reference-by-adding-miss.patch
+cxgb3-l2t-fix-undefined-behaviour.patch
+spi-tegra114-reset-controller-on-probe.patch
+media-wl128x-prevent-two-potential-buffer-overflows.patch
+virtio_console-initialize-vtermno-value-for-ports.patch
+tty-ipwireless-fix-missing-checks-for-ioremap.patch
+rcutorture-fix-cleanup-path-for-invalid-torture_type.patch
+usb-core-add-pm-runtime-calls-to-usb_hcd_platform_sh.patch
+scsi-qla4xxx-avoid-freeing-unallocated-dma-memory.patch
+media-m88ds3103-serialize-reset-messages-in-m88ds310.patch
+media-go7007-avoid-clang-frame-overflow-warning-with.patch
+media-saa7146-avoid-high-stack-usage-with-clang.patch
+scsi-lpfc-fix-sli3-commands-being-issued-on-sli4-dev.patch
+spi-spi-topcliff-pch-fix-to-handle-empty-dma-buffers.patch
+spi-rspi-fix-sequencer-reset-during-initialization.patch
+spi-fix-zero-length-xfer-bug.patch
+asoc-davinci-mcasp-fix-clang-warning-without-config_.patch
--- /dev/null
+From cce4239f9094dc7faf913793ba1959dde3b9effc Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Wed, 24 Apr 2019 10:52:53 +0200
+Subject: smpboot: Place the __percpu annotation correctly
+
+[ Upstream commit d4645d30b50d1691c26ff0f8fa4e718b08f8d3bb ]
+
+The test robot reported a wrong assignment of a per-CPU variable which
+it detected by using sparse and sent a report. The assignment itself is
+correct. The annotation for sparse was wrong and hence the report.
+The first pointer is a "normal" pointer and points to the per-CPU memory
+area. That means that the __percpu annotation has to be moved.
+
+Move the __percpu annotation to pointer which points to the per-CPU
+area. This change affects only the sparse tool (and is ignored by the
+compiler).
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Paul E. McKenney <paulmck@linux.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: f97f8f06a49fe ("smpboot: Provide infrastructure for percpu hotplug threads")
+Link: http://lkml.kernel.org/r/20190424085253.12178-1-bigeasy@linutronix.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/smpboot.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/smpboot.h b/include/linux/smpboot.h
+index 12910cf19869c..12a4b09f4d08b 100644
+--- a/include/linux/smpboot.h
++++ b/include/linux/smpboot.h
+@@ -30,7 +30,7 @@ struct smpboot_thread_data;
+ * @thread_comm: The base name of the thread
+ */
+ struct smp_hotplug_thread {
+- struct task_struct __percpu **store;
++ struct task_struct * __percpu *store;
+ struct list_head list;
+ int (*thread_should_run)(unsigned int cpu);
+ void (*thread_fn)(unsigned int cpu);
+--
+2.20.1
+
--- /dev/null
+From 10de7ce50a7f99f93255fb576dc49fd914ae33ec Mon Sep 17 00:00:00 2001
+From: Chris Lesiak <chris.lesiak@licor.com>
+Date: Thu, 7 Mar 2019 20:39:00 +0000
+Subject: spi: Fix zero length xfer bug
+
+[ Upstream commit 5442dcaa0d90fc376bdfc179a018931a8f43dea4 ]
+
+This fixes a bug for messages containing both zero length and
+unidirectional xfers.
+
+The function spi_map_msg will allocate dummy tx and/or rx buffers
+for use with unidirectional transfers when the hardware can only do
+a bidirectional transfer. That dummy buffer will be used in place
+of a NULL buffer even when the xfer length is 0.
+
+Then in the function __spi_map_msg, if he hardware can dma,
+the zero length xfer will have spi_map_buf called on the dummy
+buffer.
+
+Eventually, __sg_alloc_table is called and returns -EINVAL
+because nents == 0.
+
+This fix prevents the error by not using the dummy buffer when
+the xfer length is zero.
+
+Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
+index 04fd651f9e3e3..c132c676df3a6 100644
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -903,6 +903,8 @@ static int spi_map_msg(struct spi_master *master, struct spi_message *msg)
+ if (max_tx || max_rx) {
+ list_for_each_entry(xfer, &msg->transfers,
+ transfer_list) {
++ if (!xfer->len)
++ continue;
+ if (!xfer->tx_buf)
+ xfer->tx_buf = master->dummy_tx;
+ if (!xfer->rx_buf)
+--
+2.20.1
+
--- /dev/null
+From 8eeeaa4f14a3109d0e0c5ce6dc2ae52c57edc891 Mon Sep 17 00:00:00 2001
+From: Flavio Suligoi <f.suligoi@asem.it>
+Date: Fri, 12 Apr 2019 09:32:19 +0200
+Subject: spi: pxa2xx: fix SCR (divisor) calculation
+
+[ Upstream commit 29f2133717c527f492933b0622a4aafe0b3cbe9e ]
+
+Calculate the divisor for the SCR (Serial Clock Rate), avoiding
+that the SSP transmission rate can be greater than the device rate.
+
+When the division between the SSP clock and the device rate generates
+a reminder, we have to increment by one the divisor.
+In this way the resulting SSP clock will never be greater than the
+device SPI max frequency.
+
+For example, with:
+
+ - ssp_clk = 50 MHz
+ - dev freq = 15 MHz
+
+without this patch the SSP clock will be greater than 15 MHz:
+
+ - 25 MHz for PXA25x_SSP and CE4100_SSP
+ - 16,56 MHz for the others
+
+Instead, with this patch, we have in both case an SSP clock of 12.5MHz,
+so the max rate of the SPI device clock is respected.
+
+Signed-off-by: Flavio Suligoi <f.suligoi@asem.it>
+Reviewed-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Reviewed-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-pxa2xx.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-pxa2xx.c b/drivers/spi/spi-pxa2xx.c
+index 3cac73e4c3e4a..e87b6fc9f4c63 100644
+--- a/drivers/spi/spi-pxa2xx.c
++++ b/drivers/spi/spi-pxa2xx.c
+@@ -859,10 +859,14 @@ static unsigned int ssp_get_clk_div(struct driver_data *drv_data, int rate)
+
+ rate = min_t(int, ssp_clk, rate);
+
++ /*
++ * Calculate the divisor for the SCR (Serial Clock Rate), avoiding
++ * that the SSP transmission rate can be greater than the device rate
++ */
+ if (ssp->type == PXA25x_SSP || ssp->type == CE4100_SSP)
+- return (ssp_clk / (2 * rate) - 1) & 0xff;
++ return (DIV_ROUND_UP(ssp_clk, 2 * rate) - 1) & 0xff;
+ else
+- return (ssp_clk / rate - 1) & 0xfff;
++ return (DIV_ROUND_UP(ssp_clk, rate) - 1) & 0xfff;
+ }
+
+ static unsigned int pxa2xx_ssp_get_clk_div(struct driver_data *drv_data,
+--
+2.20.1
+
--- /dev/null
+From a0e953123be456c103de492f5503f08011b3abb8 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 12 Mar 2019 19:45:13 +0100
+Subject: spi: rspi: Fix sequencer reset during initialization
+
+[ Upstream commit 26843bb128590edd7eba1ad7ce22e4b9f1066ce3 ]
+
+While the sequencer is reset after each SPI message since commit
+880c6d114fd79a69 ("spi: rspi: Add support for Quad and Dual SPI
+Transfers on QSPI"), it was never reset for the first message, thus
+relying on reset state or bootloader settings.
+
+Fix this by initializing it explicitly during configuration.
+
+Fixes: 0b2182ddac4b8837 ("spi: add support for Renesas RSPI")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-rspi.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-rspi.c b/drivers/spi/spi-rspi.c
+index 9882d93e7566d..0556259377f77 100644
+--- a/drivers/spi/spi-rspi.c
++++ b/drivers/spi/spi-rspi.c
+@@ -279,7 +279,8 @@ static int rspi_set_config_register(struct rspi_data *rspi, int access_size)
+ /* Sets parity, interrupt mask */
+ rspi_write8(rspi, 0x00, RSPI_SPCR2);
+
+- /* Sets SPCMD */
++ /* Resets sequencer */
++ rspi_write8(rspi, 0, RSPI_SPSCR);
+ rspi->spcmd |= SPCMD_SPB_8_TO_16(access_size);
+ rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0);
+
+@@ -313,7 +314,8 @@ static int rspi_rz_set_config_register(struct rspi_data *rspi, int access_size)
+ rspi_write8(rspi, 0x00, RSPI_SSLND);
+ rspi_write8(rspi, 0x00, RSPI_SPND);
+
+- /* Sets SPCMD */
++ /* Resets sequencer */
++ rspi_write8(rspi, 0, RSPI_SPSCR);
+ rspi->spcmd |= SPCMD_SPB_8_TO_16(access_size);
+ rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0);
+
+@@ -364,7 +366,8 @@ static int qspi_set_config_register(struct rspi_data *rspi, int access_size)
+ /* Sets buffer to allow normal operation */
+ rspi_write8(rspi, 0x00, QSPI_SPBFCR);
+
+- /* Sets SPCMD */
++ /* Resets sequencer */
++ rspi_write8(rspi, 0, RSPI_SPSCR);
+ rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0);
+
+ /* Enables SPI function in master mode */
+--
+2.20.1
+
--- /dev/null
+From 05ad9b5a6b0c285e486b9b9a6fc8e8a0b5836ac4 Mon Sep 17 00:00:00 2001
+From: Aditya Pakki <pakki001@umn.edu>
+Date: Wed, 13 Mar 2019 11:55:41 -0500
+Subject: spi : spi-topcliff-pch: Fix to handle empty DMA buffers
+
+[ Upstream commit f37d8e67f39e6d3eaf4cc5471e8a3d21209843c6 ]
+
+pch_alloc_dma_buf allocated tx, rx DMA buffers which can fail. Further,
+these buffers are used without a check. The patch checks for these
+failures and sends the error upstream.
+
+Signed-off-by: Aditya Pakki <pakki001@umn.edu>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-topcliff-pch.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-topcliff-pch.c b/drivers/spi/spi-topcliff-pch.c
+index 93dfcee0f987b..9f30a4ab2004a 100644
+--- a/drivers/spi/spi-topcliff-pch.c
++++ b/drivers/spi/spi-topcliff-pch.c
+@@ -1326,18 +1326,27 @@ static void pch_free_dma_buf(struct pch_spi_board_data *board_dat,
+ return;
+ }
+
+-static void pch_alloc_dma_buf(struct pch_spi_board_data *board_dat,
++static int pch_alloc_dma_buf(struct pch_spi_board_data *board_dat,
+ struct pch_spi_data *data)
+ {
+ struct pch_spi_dma_ctrl *dma;
++ int ret;
+
+ dma = &data->dma;
++ ret = 0;
+ /* Get Consistent memory for Tx DMA */
+ dma->tx_buf_virt = dma_alloc_coherent(&board_dat->pdev->dev,
+ PCH_BUF_SIZE, &dma->tx_buf_dma, GFP_KERNEL);
++ if (!dma->tx_buf_virt)
++ ret = -ENOMEM;
++
+ /* Get Consistent memory for Rx DMA */
+ dma->rx_buf_virt = dma_alloc_coherent(&board_dat->pdev->dev,
+ PCH_BUF_SIZE, &dma->rx_buf_dma, GFP_KERNEL);
++ if (!dma->rx_buf_virt)
++ ret = -ENOMEM;
++
++ return ret;
+ }
+
+ static int pch_spi_pd_probe(struct platform_device *plat_dev)
+@@ -1414,7 +1423,9 @@ static int pch_spi_pd_probe(struct platform_device *plat_dev)
+
+ if (use_dma) {
+ dev_info(&plat_dev->dev, "Use DMA for data transfers\n");
+- pch_alloc_dma_buf(board_dat, data);
++ ret = pch_alloc_dma_buf(board_dat, data);
++ if (ret)
++ goto err_spi_register_master;
+ }
+
+ ret = spi_register_master(master);
+--
+2.20.1
+
--- /dev/null
+From fce4bd58064922a22d90c2872caad547af4451c7 Mon Sep 17 00:00:00 2001
+From: Sowjanya Komatineni <skomatineni@nvidia.com>
+Date: Tue, 26 Mar 2019 22:56:32 -0700
+Subject: spi: tegra114: reset controller on probe
+
+[ Upstream commit 019194933339b3e9b486639c8cb3692020844d65 ]
+
+Fixes: SPI driver can be built as module so perform SPI controller reset
+on probe to make sure it is in valid state before initiating transfer.
+
+Signed-off-by: Sowjanya Komatineni <skomatineni@nvidia.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-tegra114.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/spi/spi-tegra114.c b/drivers/spi/spi-tegra114.c
+index 73779cecc3bbc..705f515863d4f 100644
+--- a/drivers/spi/spi-tegra114.c
++++ b/drivers/spi/spi-tegra114.c
+@@ -1067,27 +1067,19 @@ static int tegra_spi_probe(struct platform_device *pdev)
+
+ spi_irq = platform_get_irq(pdev, 0);
+ tspi->irq = spi_irq;
+- ret = request_threaded_irq(tspi->irq, tegra_spi_isr,
+- tegra_spi_isr_thread, IRQF_ONESHOT,
+- dev_name(&pdev->dev), tspi);
+- if (ret < 0) {
+- dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n",
+- tspi->irq);
+- goto exit_free_master;
+- }
+
+ tspi->clk = devm_clk_get(&pdev->dev, "spi");
+ if (IS_ERR(tspi->clk)) {
+ dev_err(&pdev->dev, "can not get clock\n");
+ ret = PTR_ERR(tspi->clk);
+- goto exit_free_irq;
++ goto exit_free_master;
+ }
+
+ tspi->rst = devm_reset_control_get(&pdev->dev, "spi");
+ if (IS_ERR(tspi->rst)) {
+ dev_err(&pdev->dev, "can not get reset\n");
+ ret = PTR_ERR(tspi->rst);
+- goto exit_free_irq;
++ goto exit_free_master;
+ }
+
+ tspi->max_buf_size = SPI_FIFO_DEPTH << 2;
+@@ -1095,7 +1087,7 @@ static int tegra_spi_probe(struct platform_device *pdev)
+
+ ret = tegra_spi_init_dma_param(tspi, true);
+ if (ret < 0)
+- goto exit_free_irq;
++ goto exit_free_master;
+ ret = tegra_spi_init_dma_param(tspi, false);
+ if (ret < 0)
+ goto exit_rx_dma_free;
+@@ -1117,18 +1109,32 @@ static int tegra_spi_probe(struct platform_device *pdev)
+ dev_err(&pdev->dev, "pm runtime get failed, e = %d\n", ret);
+ goto exit_pm_disable;
+ }
++
++ reset_control_assert(tspi->rst);
++ udelay(2);
++ reset_control_deassert(tspi->rst);
+ tspi->def_command1_reg = SPI_M_S;
+ tegra_spi_writel(tspi, tspi->def_command1_reg, SPI_COMMAND1);
+ pm_runtime_put(&pdev->dev);
++ ret = request_threaded_irq(tspi->irq, tegra_spi_isr,
++ tegra_spi_isr_thread, IRQF_ONESHOT,
++ dev_name(&pdev->dev), tspi);
++ if (ret < 0) {
++ dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n",
++ tspi->irq);
++ goto exit_pm_disable;
++ }
+
+ master->dev.of_node = pdev->dev.of_node;
+ ret = devm_spi_register_master(&pdev->dev, master);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "can not register to master err %d\n", ret);
+- goto exit_pm_disable;
++ goto exit_free_irq;
+ }
+ return ret;
+
++exit_free_irq:
++ free_irq(spi_irq, tspi);
+ exit_pm_disable:
+ pm_runtime_disable(&pdev->dev);
+ if (!pm_runtime_status_suspended(&pdev->dev))
+@@ -1136,8 +1142,6 @@ static int tegra_spi_probe(struct platform_device *pdev)
+ tegra_spi_deinit_dma_param(tspi, false);
+ exit_rx_dma_free:
+ tegra_spi_deinit_dma_param(tspi, true);
+-exit_free_irq:
+- free_irq(spi_irq, tspi);
+ exit_free_master:
+ spi_master_put(master);
+ return ret;
+--
+2.20.1
+
--- /dev/null
+From 8e604d1126cff8c47321fad93f3242b1b0072ae2 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kjlu@umn.edu>
+Date: Fri, 15 Mar 2019 02:07:12 -0500
+Subject: tty: ipwireless: fix missing checks for ioremap
+
+[ Upstream commit 1bbb1c318cd8a3a39e8c3e2e83d5e90542d6c3e3 ]
+
+ipw->attr_memory and ipw->common_memory are assigned with the
+return value of ioremap. ioremap may fail, but no checks
+are enforced. The fix inserts the checks to avoid potential
+NULL pointer dereferences.
+
+Signed-off-by: Kangjie Lu <kjlu@umn.edu>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/ipwireless/main.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/tty/ipwireless/main.c b/drivers/tty/ipwireless/main.c
+index 655c7948261c7..2fa4f91234693 100644
+--- a/drivers/tty/ipwireless/main.c
++++ b/drivers/tty/ipwireless/main.c
+@@ -113,6 +113,10 @@ static int ipwireless_probe(struct pcmcia_device *p_dev, void *priv_data)
+
+ ipw->common_memory = ioremap(p_dev->resource[2]->start,
+ resource_size(p_dev->resource[2]));
++ if (!ipw->common_memory) {
++ ret = -ENOMEM;
++ goto exit1;
++ }
+ if (!request_mem_region(p_dev->resource[2]->start,
+ resource_size(p_dev->resource[2]),
+ IPWIRELESS_PCCARD_NAME)) {
+@@ -133,6 +137,10 @@ static int ipwireless_probe(struct pcmcia_device *p_dev, void *priv_data)
+
+ ipw->attr_memory = ioremap(p_dev->resource[3]->start,
+ resource_size(p_dev->resource[3]));
++ if (!ipw->attr_memory) {
++ ret = -ENOMEM;
++ goto exit3;
++ }
+ if (!request_mem_region(p_dev->resource[3]->start,
+ resource_size(p_dev->resource[3]),
+ IPWIRELESS_PCCARD_NAME)) {
+--
+2.20.1
+
--- /dev/null
+From d880d712872ce346685c8199a47ddcbdcb29eb6d Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Fri, 22 Mar 2019 14:54:05 -0700
+Subject: usb: core: Add PM runtime calls to usb_hcd_platform_shutdown
+
+[ Upstream commit 8ead7e817224d7832fe51a19783cb8fcadc79467 ]
+
+If ohci-platform is runtime suspended, we can currently get an "imprecise
+external abort" on reboot with ohci-platform loaded when PM runtime
+is implemented for the SoC.
+
+Let's fix this by adding PM runtime support to usb_hcd_platform_shutdown.
+
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/hcd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
+index 9c4f9b6e57e29..99c146f4b6b51 100644
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -3007,6 +3007,9 @@ usb_hcd_platform_shutdown(struct platform_device *dev)
+ {
+ struct usb_hcd *hcd = platform_get_drvdata(dev);
+
++ /* No need for pm_runtime_put(), we're shutting down */
++ pm_runtime_get_sync(&dev->dev);
++
+ if (hcd->driver->shutdown)
+ hcd->driver->shutdown(hcd);
+ }
+--
+2.20.1
+
--- /dev/null
+From af210cf50a3d616b5b54836801bb972adc41a986 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 16 Apr 2019 10:50:01 -0400
+Subject: USB: core: Don't unbind interfaces following device reset failure
+
+[ Upstream commit 381419fa720060ba48b7bbc483be787d5b1dca6f ]
+
+The SCSI core does not like to have devices or hosts unregistered
+while error recovery is in progress. Trying to do so can lead to
+self-deadlock: Part of the removal code tries to obtain a lock already
+held by the error handler.
+
+This can cause problems for the usb-storage and uas drivers, because
+their error handler routines perform a USB reset, and if the reset
+fails then the USB core automatically goes on to unbind all drivers
+from the device's interfaces -- all while still in the context of the
+SCSI error handler.
+
+As it turns out, practically all the scenarios leading to a USB reset
+failure end up causing a device disconnect (the main error pathway in
+usb_reset_and_verify_device(), at the end of the routine, calls
+hub_port_logical_disconnect() before returning). As a result, the
+hub_wq thread will soon become aware of the problem and will unbind
+all the device's drivers in its own context, not in the
+error-handler's context.
+
+This means that usb_reset_device() does not need to call
+usb_unbind_and_rebind_marked_interfaces() in cases where
+usb_reset_and_verify_device() has returned an error, because hub_wq
+will take care of everything anyway.
+
+This particular problem was observed in somewhat artificial
+circumstances, by using usbfs to tell a hub to power-down a port
+connected to a USB-3 mass storage device using the UAS protocol. With
+the port turned off, the currently executing command timed out and the
+error handler started running. The USB reset naturally failed,
+because the hub port was off, and the error handler deadlocked as
+described above. Not carrying out the call to
+usb_unbind_and_rebind_marked_interfaces() fixes this issue.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Kento Kobayashi <Kento.A.Kobayashi@sony.com>
+Tested-by: Kento Kobayashi <Kento.A.Kobayashi@sony.com>
+CC: Bart Van Assche <bvanassche@acm.org>
+CC: Martin K. Petersen <martin.petersen@oracle.com>
+CC: Jacky Cao <Jacky.Cao@sony.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/hub.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 7c87c0b38bcfa..6e307de251630 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5637,7 +5637,10 @@ int usb_reset_device(struct usb_device *udev)
+ cintf->needs_binding = 1;
+ }
+ }
+- usb_unbind_and_rebind_marked_interfaces(udev);
++
++ /* If the reset failed, hub_wq will unbind drivers later */
++ if (ret == 0)
++ usb_unbind_and_rebind_marked_interfaces(udev);
+ }
+
+ usb_autosuspend_device(udev);
+--
+2.20.1
+
--- /dev/null
+From 7aaa89e6e9a11ccebe11c5be97913644c1bbd124 Mon Sep 17 00:00:00 2001
+From: Pankaj Gupta <pagupta@redhat.com>
+Date: Tue, 19 Mar 2019 11:34:06 +0530
+Subject: virtio_console: initialize vtermno value for ports
+
+[ Upstream commit 4b0a2c5ff7215206ea6135a405f17c5f6fca7d00 ]
+
+For regular serial ports we do not initialize value of vtermno
+variable. A garbage value is assigned for non console ports.
+The value can be observed as a random integer with [1].
+
+[1] vim /sys/kernel/debug/virtio-ports/vport*p*
+
+This patch initialize the value of vtermno for console serial
+ports to '1' and regular serial ports are initiaized to '0'.
+
+Reported-by: siliu@redhat.com
+Signed-off-by: Pankaj Gupta <pagupta@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/virtio_console.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
+index 2aca689061e1f..df9eab91c2d25 100644
+--- a/drivers/char/virtio_console.c
++++ b/drivers/char/virtio_console.c
+@@ -76,7 +76,7 @@ struct ports_driver_data {
+ /* All the console devices handled by this driver */
+ struct list_head consoles;
+ };
+-static struct ports_driver_data pdrvdata;
++static struct ports_driver_data pdrvdata = { .next_vtermno = 1};
+
+ static DEFINE_SPINLOCK(pdrvdata_lock);
+ static DECLARE_COMPLETION(early_console_added);
+@@ -1419,6 +1419,7 @@ static int add_port(struct ports_device *portdev, u32 id)
+ port->async_queue = NULL;
+
+ port->cons.ws.ws_row = port->cons.ws.ws_col = 0;
++ port->cons.vtermno = 0;
+
+ port->host_connected = port->guest_connected = false;
+ port->stats = (struct port_stats) { 0 };
+--
+2.20.1
+
--- /dev/null
+From afd945d03251787e8d3b97d8ae4f90f484ad6ffc Mon Sep 17 00:00:00 2001
+From: Mariusz Bialonczyk <manio@skyboo.net>
+Date: Thu, 21 Mar 2019 11:52:55 +0100
+Subject: w1: fix the resume command API
+
+[ Upstream commit 62909da8aca048ecf9fbd7e484e5100608f40a63 ]
+
+>From the DS2408 datasheet [1]:
+"Resume Command function checks the status of the RC flag and, if it is set,
+ directly transfers control to the control functions, similar to a Skip ROM
+ command. The only way to set the RC flag is through successfully executing
+ the Match ROM, Search ROM, Conditional Search ROM, or Overdrive-Match ROM
+ command"
+
+The function currently works perfectly fine in a multidrop bus, but when we
+have only a single slave connected, then only a Skip ROM is used and Match
+ROM is not called at all. This is leading to problems e.g. with single one
+DS2408 connected, as the Resume Command is not working properly and the
+device is responding with failing results after the Resume Command.
+
+This commit is fixing this by using a Skip ROM instead in those cases.
+The bandwidth / performance advantage is exactly the same.
+
+Refs:
+[1] https://datasheets.maximintegrated.com/en/ds/DS2408.pdf
+
+Signed-off-by: Mariusz Bialonczyk <manio@skyboo.net>
+Reviewed-by: Jean-Francois Dagenais <jeff.dagenais@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/w1/w1_io.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/w1/w1_io.c b/drivers/w1/w1_io.c
+index 282092421cc9e..1a9d9ec8db4df 100644
+--- a/drivers/w1/w1_io.c
++++ b/drivers/w1/w1_io.c
+@@ -437,8 +437,7 @@ int w1_reset_resume_command(struct w1_master *dev)
+ if (w1_reset_bus(dev))
+ return -1;
+
+- /* This will make only the last matched slave perform a skip ROM. */
+- w1_write_8(dev, W1_RESUME_CMD);
++ w1_write_8(dev, dev->slave_count > 1 ? W1_RESUME_CMD : W1_SKIP_ROM);
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(w1_reset_resume_command);
+--
+2.20.1
+
--- /dev/null
+From 5a61d7abff55f89fb5520f2550ecc297e1defa29 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 4 Apr 2019 14:40:27 -0700
+Subject: x86/build: Keep local relocations with ld.lld
+
+[ Upstream commit 7c21383f3429dd70da39c0c7f1efa12377a47ab6 ]
+
+The LLVM linker (ld.lld) defaults to removing local relocations, which
+causes KASLR boot failures. ld.bfd and ld.gold already handle this
+correctly. This adds the explicit instruction "--discard-none" during
+the link phase. There is no change in output for ld.bfd and ld.gold,
+but ld.lld now produces an image with all the needed relocations.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: clang-built-linux@googlegroups.com
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20190404214027.GA7324@beast
+Link: https://github.com/ClangBuiltLinux/linux/issues/404
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Makefile b/arch/x86/Makefile
+index e26560cd18444..00e0226634fa9 100644
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -47,7 +47,7 @@ export REALMODE_CFLAGS
+ export BITS
+
+ ifdef CONFIG_X86_NEED_RELOCS
+- LDFLAGS_vmlinux := --emit-relocs
++ LDFLAGS_vmlinux := --emit-relocs --discard-none
+ endif
+
+ #
+--
+2.20.1
+
--- /dev/null
+From 64b00a5c4d878b6ae2abaddea0111a82ce85ed04 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 23 Apr 2019 11:38:27 -0700
+Subject: x86/build: Move _etext to actual end of .text
+
+[ Upstream commit 392bef709659abea614abfe53cf228e7a59876a4 ]
+
+When building x86 with Clang LTO and CFI, CFI jump regions are
+automatically added to the end of the .text section late in linking. As a
+result, the _etext position was being labelled before the appended jump
+regions, causing confusion about where the boundaries of the executable
+region actually are in the running kernel, and broke at least the fault
+injection code. This moves the _etext mark to outside (and immediately
+after) the .text area, as it already the case on other architectures
+(e.g. arm64, arm).
+
+Reported-and-tested-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Borislav Petkov <bp@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20190423183827.GA4012@beast
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/vmlinux.lds.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
+index 17e1e60b6b400..68dd72248919b 100644
+--- a/arch/x86/kernel/vmlinux.lds.S
++++ b/arch/x86/kernel/vmlinux.lds.S
+@@ -110,11 +110,11 @@ SECTIONS
+ *(.text.__x86.indirect_thunk)
+ __indirect_thunk_end = .;
+ #endif
+-
+- /* End of text section */
+- _etext = .;
+ } :text = 0x9090
+
++ /* End of text section */
++ _etext = .;
++
+ NOTES :text :note
+
+ EXCEPTION_TABLE(16) :text = 0x9090
+--
+2.20.1
+
--- /dev/null
+From aef81d1d8b1a9ebdece247159e0ab54cde60ac43 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Mon, 25 Feb 2019 12:56:35 +0100
+Subject: x86/ia32: Fix ia32_restore_sigcontext() AC leak
+
+[ Upstream commit 67a0514afdbb8b2fc70b771b8c77661a9cb9d3a9 ]
+
+Objtool spotted that we call native_load_gs_index() with AC set.
+Re-arrange the code to avoid that.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/ia32/ia32_signal.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
+index 0552884da18db..a7b9acd709dbc 100644
+--- a/arch/x86/ia32/ia32_signal.c
++++ b/arch/x86/ia32/ia32_signal.c
+@@ -60,9 +60,8 @@
+ } while (0)
+
+ #define RELOAD_SEG(seg) { \
+- unsigned int pre = GET_SEG(seg); \
++ unsigned int pre = (seg) | 3; \
+ unsigned int cur = get_user_seg(seg); \
+- pre |= 3; \
+ if (pre != cur) \
+ set_user_seg(seg, pre); \
+ }
+@@ -71,6 +70,7 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
+ struct sigcontext_32 __user *sc)
+ {
+ unsigned int tmpflags, err = 0;
++ u16 gs, fs, es, ds;
+ void __user *buf;
+ u32 tmp;
+
+@@ -78,16 +78,10 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
+ current->restart_block.fn = do_no_restart_syscall;
+
+ get_user_try {
+- /*
+- * Reload fs and gs if they have changed in the signal
+- * handler. This does not handle long fs/gs base changes in
+- * the handler, but does not clobber them at least in the
+- * normal case.
+- */
+- RELOAD_SEG(gs);
+- RELOAD_SEG(fs);
+- RELOAD_SEG(ds);
+- RELOAD_SEG(es);
++ gs = GET_SEG(gs);
++ fs = GET_SEG(fs);
++ ds = GET_SEG(ds);
++ es = GET_SEG(es);
+
+ COPY(di); COPY(si); COPY(bp); COPY(sp); COPY(bx);
+ COPY(dx); COPY(cx); COPY(ip); COPY(ax);
+@@ -105,6 +99,17 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
+ buf = compat_ptr(tmp);
+ } get_user_catch(err);
+
++ /*
++ * Reload fs and gs if they have changed in the signal
++ * handler. This does not handle long fs/gs base changes in
++ * the handler, but does not clobber them at least in the
++ * normal case.
++ */
++ RELOAD_SEG(gs);
++ RELOAD_SEG(fs);
++ RELOAD_SEG(ds);
++ RELOAD_SEG(es);
++
+ err |= fpu__restore_sig(buf, 1);
+
+ force_iret();
+--
+2.20.1
+
--- /dev/null
+From b143a4738930b48ad211c408f0ba0c37aa96cc48 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Sun, 14 Apr 2019 17:59:38 +0200
+Subject: x86/irq/64: Limit IST stack overflow check to #DB stack
+
+[ Upstream commit 7dbcf2b0b770eeb803a416ee8dcbef78e6389d40 ]
+
+Commit
+
+ 37fe6a42b343 ("x86: Check stack overflow in detail")
+
+added a broad check for the full exception stack area, i.e. it considers
+the full exception stack area as valid.
+
+That's wrong in two aspects:
+
+ 1) It does not check the individual areas one by one
+
+ 2) #DF, NMI and #MCE are not enabling interrupts which means that a
+ regular device interrupt cannot happen in their context. In fact if a
+ device interrupt hits one of those IST stacks that's a bug because some
+ code path enabled interrupts while handling the exception.
+
+Limit the check to the #DB stack and consider all other IST stacks as
+'overflow' or invalid.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Mitsuo Hayasaka <mitsuo.hayasaka.hu@hitachi.com>
+Cc: Nicolai Stange <nstange@suse.de>
+Cc: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: x86-ml <x86@kernel.org>
+Link: https://lkml.kernel.org/r/20190414160143.682135110@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/irq_64.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
+index 206d0b90a3ab1..e39d7197f9fb2 100644
+--- a/arch/x86/kernel/irq_64.c
++++ b/arch/x86/kernel/irq_64.c
+@@ -25,9 +25,18 @@ int sysctl_panic_on_stackoverflow;
+ /*
+ * Probabilistic stack overflow check:
+ *
+- * Only check the stack in process context, because everything else
+- * runs on the big interrupt stacks. Checking reliably is too expensive,
+- * so we just check from interrupts.
++ * Regular device interrupts can enter on the following stacks:
++ *
++ * - User stack
++ *
++ * - Kernel task stack
++ *
++ * - Interrupt stack if a device driver reenables interrupts
++ * which should only happen in really old drivers.
++ *
++ * - Debug IST stack
++ *
++ * All other contexts are invalid.
+ */
+ static inline void stack_overflow_check(struct pt_regs *regs)
+ {
+@@ -53,8 +62,8 @@ static inline void stack_overflow_check(struct pt_regs *regs)
+ return;
+
+ oist = this_cpu_ptr(&orig_ist);
+- estack_top = (u64)oist->ist[0] - EXCEPTION_STKSZ + STACK_TOP_MARGIN;
+- estack_bottom = (u64)oist->ist[N_EXCEPTION_STACKS - 1];
++ estack_bottom = (u64)oist->ist[DEBUG_STACK];
++ estack_top = estack_bottom - DEBUG_STKSZ + STACK_TOP_MARGIN;
+ if (regs->sp >= estack_top && regs->sp <= estack_bottom)
+ return;
+
+--
+2.20.1
+
--- /dev/null
+From 10b8b3cf5e68fb44c3e8eff76738c5cdb3a02c41 Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Wed, 24 Apr 2019 09:04:57 +0200
+Subject: x86/mm: Remove in_nmi() warning from 64-bit implementation of
+ vmalloc_fault()
+
+[ Upstream commit a65c88e16f32aa9ef2e8caa68ea5c29bd5eb0ff0 ]
+
+In-NMI warnings have been added to vmalloc_fault() via:
+
+ ebc8827f75 ("x86: Barf when vmalloc and kmemcheck faults happen in NMI")
+
+back in the time when our NMI entry code could not cope with nested NMIs.
+
+These days, it's perfectly fine to take a fault in NMI context and we
+don't have to care about the fact that IRET from the fault handler might
+cause NMI nesting.
+
+This warning has already been removed from 32-bit implementation of
+vmalloc_fault() in:
+
+ 6863ea0cda8 ("x86/mm: Remove in_nmi() warning from vmalloc_fault()")
+
+but the 64-bit version was omitted.
+
+Remove the bogus warning also from 64-bit implementation of vmalloc_fault().
+
+Reported-by: Nicolai Stange <nstange@suse.de>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Joerg Roedel <jroedel@suse.de>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 6863ea0cda8 ("x86/mm: Remove in_nmi() warning from vmalloc_fault()")
+Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1904240902280.9803@cbobk.fhfr.pm
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/mm/fault.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
+index c4dffae5d9390..462c5c30b9a21 100644
+--- a/arch/x86/mm/fault.c
++++ b/arch/x86/mm/fault.c
+@@ -373,8 +373,6 @@ static noinline int vmalloc_fault(unsigned long address)
+ if (!(address >= VMALLOC_START && address < VMALLOC_END))
+ return -1;
+
+- WARN_ON_ONCE(in_nmi());
+-
+ /*
+ * Copy kernel mappings over when needed. This can also
+ * happen within a race in page table update. In the later
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
