--- /dev/null
+From f50bd70dc6bf6fd52d270c520017bcea12f25c04 Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 20 Jun 2019 16:49:35 +0100
+Subject: afs: Fix uninitialised spinlock afs_volume::cb_break_lock
+
+[ Upstream commit 90fa9b64523a645a97edc0bdcf2d74759957eeee ]
+
+Fix the cb_break_lock spinlock in afs_volume struct by initialising it when
+the volume record is allocated.
+
+Also rename the lock to cb_v_break_lock to distinguish it from the lock of
+the same name in the afs_server struct.
+
+Without this, the following trace may be observed when a volume-break
+callback is received:
+
+ INFO: trying to register non-static key.
+ the code is fine but needs lockdep annotation.
+ turning off the locking correctness validator.
+ CPU: 2 PID: 50 Comm: kworker/2:1 Not tainted 5.2.0-rc1-fscache+ #3045
+ Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
+ Workqueue: afs SRXAFSCB_CallBack
+ Call Trace:
+ dump_stack+0x67/0x8e
+ register_lock_class+0x23b/0x421
+ ? check_usage_forwards+0x13c/0x13c
+ __lock_acquire+0x89/0xf73
+ lock_acquire+0x13b/0x166
+ ? afs_break_callbacks+0x1b2/0x3dd
+ _raw_write_lock+0x2c/0x36
+ ? afs_break_callbacks+0x1b2/0x3dd
+ afs_break_callbacks+0x1b2/0x3dd
+ ? trace_event_raw_event_afs_server+0x61/0xac
+ SRXAFSCB_CallBack+0x11f/0x16c
+ process_one_work+0x2c5/0x4ee
+ ? worker_thread+0x234/0x2ac
+ worker_thread+0x1d8/0x2ac
+ ? cancel_delayed_work_sync+0xf/0xf
+ kthread+0x11f/0x127
+ ? kthread_park+0x76/0x76
+ ret_from_fork+0x24/0x30
+
+Fixes: 68251f0a6818 ("afs: Fix whole-volume callback handling")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/callback.c | 4 ++--
+ fs/afs/internal.h | 2 +-
+ fs/afs/volume.c | 1 +
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fs/afs/callback.c b/fs/afs/callback.c
+index 128f2dbe256a..fee6fde79e6b 100644
+--- a/fs/afs/callback.c
++++ b/fs/afs/callback.c
+@@ -278,9 +278,9 @@ static void afs_break_one_callback(struct afs_server *server,
+ struct afs_super_info *as = AFS_FS_S(cbi->sb);
+ struct afs_volume *volume = as->volume;
+
+- write_lock(&volume->cb_break_lock);
++ write_lock(&volume->cb_v_break_lock);
+ volume->cb_v_break++;
+- write_unlock(&volume->cb_break_lock);
++ write_unlock(&volume->cb_v_break_lock);
+ } else {
+ data.volume = NULL;
+ data.fid = *fid;
+diff --git a/fs/afs/internal.h b/fs/afs/internal.h
+index 3904ab0b9563..fd0750fb96a5 100644
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -582,7 +582,7 @@ struct afs_volume {
+ unsigned int servers_seq; /* Incremented each time ->servers changes */
+
+ unsigned cb_v_break; /* Break-everything counter. */
+- rwlock_t cb_break_lock;
++ rwlock_t cb_v_break_lock;
+
+ afs_voltype_t type; /* type of volume */
+ short error;
+diff --git a/fs/afs/volume.c b/fs/afs/volume.c
+index f6eba2def0a1..3e8dbee09f87 100644
+--- a/fs/afs/volume.c
++++ b/fs/afs/volume.c
+@@ -47,6 +47,7 @@ static struct afs_volume *afs_alloc_volume(struct afs_fs_context *params,
+ atomic_set(&volume->usage, 1);
+ INIT_LIST_HEAD(&volume->proc_link);
+ rwlock_init(&volume->servers_lock);
++ rwlock_init(&volume->cb_v_break_lock);
+ memcpy(volume->name, vldb->name, vldb->name_len + 1);
+
+ slist = afs_alloc_server_list(params->cell, params->key, vldb, type_mask);
+--
+2.20.1
+
--- /dev/null
+From 041c7c535570239963cba6a6a8d6f9420688bf66 Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Sun, 16 Jun 2019 23:40:13 +0200
+Subject: ARM: dts: gemini Fix up DNS-313 compatible string
+
+[ Upstream commit 36558020128b1a48b7bddd5792ee70e3f64b04b0 ]
+
+It's a simple typo in the DNS file, which was pretty serious.
+No scripts were working properly. Fix it up.
+
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/gemini-dlink-dns-313.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/gemini-dlink-dns-313.dts b/arch/arm/boot/dts/gemini-dlink-dns-313.dts
+index b12504e10f0b..360642a02a48 100644
+--- a/arch/arm/boot/dts/gemini-dlink-dns-313.dts
++++ b/arch/arm/boot/dts/gemini-dlink-dns-313.dts
+@@ -11,7 +11,7 @@
+
+ / {
+ model = "D-Link DNS-313 1-Bay Network Storage Enclosure";
+- compatible = "dlink,dir-313", "cortina,gemini";
++ compatible = "dlink,dns-313", "cortina,gemini";
+ #address-cells = <1>;
+ #size-cells = <1>;
+
+--
+2.20.1
+
--- /dev/null
+From d4154e4c26cebc4bd453dfded046bd17ec8a7760 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?S=C3=A9bastien=20Szymanski?=
+ <sebastien.szymanski@armadeus.com>
+Date: Tue, 18 Jun 2019 17:58:34 +0200
+Subject: ARM: dts: imx6ul: fix PWM[1-4] interrupts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 3cf10132ac8d536565f2c02f60a3aeb315863a52 ]
+
+According to the i.MX6UL/L RM, table 3.1 "ARM Cortex A7 domain interrupt
+summary", the interrupts for the PWM[1-4] go from 83 to 86.
+
+Fixes: b9901fe84f02 ("ARM: dts: imx6ul: add pwm[1-4] nodes")
+Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6ul.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/boot/dts/imx6ul.dtsi b/arch/arm/boot/dts/imx6ul.dtsi
+index facd65602c2d..572c04296fe1 100644
+--- a/arch/arm/boot/dts/imx6ul.dtsi
++++ b/arch/arm/boot/dts/imx6ul.dtsi
+@@ -358,7 +358,7 @@
+ pwm1: pwm@2080000 {
+ compatible = "fsl,imx6ul-pwm", "fsl,imx27-pwm";
+ reg = <0x02080000 0x4000>;
+- interrupts = <GIC_SPI 115 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_SPI 83 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&clks IMX6UL_CLK_PWM1>,
+ <&clks IMX6UL_CLK_PWM1>;
+ clock-names = "ipg", "per";
+@@ -369,7 +369,7 @@
+ pwm2: pwm@2084000 {
+ compatible = "fsl,imx6ul-pwm", "fsl,imx27-pwm";
+ reg = <0x02084000 0x4000>;
+- interrupts = <GIC_SPI 116 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_SPI 84 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&clks IMX6UL_CLK_PWM2>,
+ <&clks IMX6UL_CLK_PWM2>;
+ clock-names = "ipg", "per";
+@@ -380,7 +380,7 @@
+ pwm3: pwm@2088000 {
+ compatible = "fsl,imx6ul-pwm", "fsl,imx27-pwm";
+ reg = <0x02088000 0x4000>;
+- interrupts = <GIC_SPI 117 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_SPI 85 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&clks IMX6UL_CLK_PWM3>,
+ <&clks IMX6UL_CLK_PWM3>;
+ clock-names = "ipg", "per";
+@@ -391,7 +391,7 @@
+ pwm4: pwm@208c000 {
+ compatible = "fsl,imx6ul-pwm", "fsl,imx27-pwm";
+ reg = <0x0208c000 0x4000>;
+- interrupts = <GIC_SPI 118 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_SPI 86 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&clks IMX6UL_CLK_PWM4>,
+ <&clks IMX6UL_CLK_PWM4>;
+ clock-names = "ipg", "per";
+--
+2.20.1
+
--- /dev/null
+From 5ad86d14363549e5a6c5f9b84b4a61c96adf9e86 Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Sat, 20 Apr 2019 11:32:57 +0200
+Subject: ARM: dts: meson8: fix GPU interrupts and drop an undocumented
+ property
+
+[ Upstream commit 01dfdd7b4693496854ac92d1ebfb18d7b108f777 ]
+
+The interrupts in Amlogic's vendor kernel sources are all contiguous.
+There are two typos leading to pp2 and pp4 as well as ppmmu2 and ppmmu4
+incorrectly sharing the same interrupt line.
+Fix this by using interrupt 170 for pp2 and 171 for ppmmu2.
+
+Also drop the undocumented "switch-delay" which is a left-over from my
+experiments with an early lima kernel driver when it was still
+out-of-tree and required this property on Amlogic SoCs.
+
+Fixes: 7d3f6b536e72c9 ("ARM: dts: meson8: add the Mali-450 MP6 GPU")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/meson8.dtsi | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/meson8.dtsi b/arch/arm/boot/dts/meson8.dtsi
+index a9781243453e..048b55c8dc1e 100644
+--- a/arch/arm/boot/dts/meson8.dtsi
++++ b/arch/arm/boot/dts/meson8.dtsi
+@@ -248,8 +248,8 @@
+ <GIC_SPI 167 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 168 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 169 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 172 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 173 IRQ_TYPE_LEVEL_HIGH>,
++ <GIC_SPI 170 IRQ_TYPE_LEVEL_HIGH>,
++ <GIC_SPI 171 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 172 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 173 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 174 IRQ_TYPE_LEVEL_HIGH>,
+@@ -264,7 +264,6 @@
+ clocks = <&clkc CLKID_CLK81>, <&clkc CLKID_MALI>;
+ clock-names = "bus", "core";
+ operating-points-v2 = <&gpu_opp_table>;
+- switch-delay = <0xffff>;
+ };
+ };
+ }; /* end of / */
+--
+2.20.1
+
--- /dev/null
+From d7b4f8a5a7a74de1b00f92269f11e428902c8c2a Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Sun, 12 May 2019 21:39:36 +0200
+Subject: ARM: dts: meson8b: fix the operating voltage of the Mali GPU
+
+[ Upstream commit 26d65140e92a626e39c73c9abf769fd174bf5076 ]
+
+Amlogic's vendor kernel defines an OPP for the GPU on Meson8b boards
+with a voltage of 1.15V. It turns out that the vendor kernel relies on
+the bootloader to set up the voltage. The bootloader however sets a
+fixed voltage of 1.10V.
+
+Amlogic's patched u-boot sources (uboot-2015-01-15-23a3562521) confirm
+this:
+$ grep -oiE "VDD(EE|AO)_VOLTAGE[ ]+[0-9]+" board/amlogic/configs/m8b_*
+ board/amlogic/configs/m8b_m100_v1.h:VDDAO_VOLTAGE 1100
+ board/amlogic/configs/m8b_m101_v1.h:VDDAO_VOLTAGE 1100
+ board/amlogic/configs/m8b_m102_v1.h:VDDAO_VOLTAGE 1100
+ board/amlogic/configs/m8b_m200_v1.h:VDDAO_VOLTAGE 1100
+ board/amlogic/configs/m8b_m201_v1.h:VDDEE_VOLTAGE 1100
+ board/amlogic/configs/m8b_m201_v1.h:VDDEE_VOLTAGE 1100
+ board/amlogic/configs/m8b_m202_v1.h:VDDEE_VOLTAGE 1100
+
+Another hint at this is the VDDEE voltage on the EC-100 and Odroid-C1
+boards. The VDDEE regulator supplies the Mali GPU. It's basically a copy
+of the VCCK (CPU supply) which means it's limited to 0.86V to 1.14V.
+
+Update the operating voltage of the Mali GPU on Meson8b to 1.10V so it
+matches with what the vendor u-boot sets.
+
+Fixes: c3ea80b6138cae ("ARM: dts: meson8b: add the Mali-450 MP2 GPU")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Kevin Hilman <khilman@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/meson8b.dtsi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm/boot/dts/meson8b.dtsi b/arch/arm/boot/dts/meson8b.dtsi
+index fe84a8c3ce81..6b80aff32fc2 100644
+--- a/arch/arm/boot/dts/meson8b.dtsi
++++ b/arch/arm/boot/dts/meson8b.dtsi
+@@ -163,23 +163,23 @@
+
+ opp-255000000 {
+ opp-hz = /bits/ 64 <255000000>;
+- opp-microvolt = <1150000>;
++ opp-microvolt = <1100000>;
+ };
+ opp-364300000 {
+ opp-hz = /bits/ 64 <364300000>;
+- opp-microvolt = <1150000>;
++ opp-microvolt = <1100000>;
+ };
+ opp-425000000 {
+ opp-hz = /bits/ 64 <425000000>;
+- opp-microvolt = <1150000>;
++ opp-microvolt = <1100000>;
+ };
+ opp-510000000 {
+ opp-hz = /bits/ 64 <510000000>;
+- opp-microvolt = <1150000>;
++ opp-microvolt = <1100000>;
+ };
+ opp-637500000 {
+ opp-hz = /bits/ 64 <637500000>;
+- opp-microvolt = <1150000>;
++ opp-microvolt = <1100000>;
+ turbo-mode;
+ };
+ };
+--
+2.20.1
+
--- /dev/null
+From 835709d96ecdfbd1689f88e47fd097b67c587455 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 19 Jun 2019 15:04:54 +0200
+Subject: ARM: omap2: remove incorrect __init annotation
+
+[ Upstream commit 27e23d8975270df6999f8b5b3156fc0c04927451 ]
+
+omap3xxx_prm_enable_io_wakeup() is marked __init, but its caller is not, so
+we get a warning with clang-8:
+
+WARNING: vmlinux.o(.text+0x343c8): Section mismatch in reference from the function omap3xxx_prm_late_init() to the function .init.text:omap3xxx_prm_enable_io_wakeup()
+The function omap3xxx_prm_late_init() references
+the function __init omap3xxx_prm_enable_io_wakeup().
+This is often because omap3xxx_prm_late_init lacks a __init
+annotation or the annotation of omap3xxx_prm_enable_io_wakeup is wrong.
+
+When building with gcc, omap3xxx_prm_enable_io_wakeup() is always
+inlined, so we never noticed in the past.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Reviewed-by: Andrew Murray <andrew.murray@arm.com>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap2/prm3xxx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-omap2/prm3xxx.c b/arch/arm/mach-omap2/prm3xxx.c
+index 05858f966f7d..dfa65fc2c82b 100644
+--- a/arch/arm/mach-omap2/prm3xxx.c
++++ b/arch/arm/mach-omap2/prm3xxx.c
+@@ -433,7 +433,7 @@ static void omap3_prm_reconfigure_io_chain(void)
+ * registers, and omap3xxx_prm_reconfigure_io_chain() must be called.
+ * No return value.
+ */
+-static void __init omap3xxx_prm_enable_io_wakeup(void)
++static void omap3xxx_prm_enable_io_wakeup(void)
+ {
+ if (prm_features & PRM_HAS_IO_WAKEUP)
+ omap2_prm_set_mod_reg_bits(OMAP3430_EN_IO_MASK, WKUP_MOD,
+--
+2.20.1
+
--- /dev/null
+From 56288ae403751755dd2e8298b305611d2c4d884c Mon Sep 17 00:00:00 2001
+From: Ran Wang <ran.wang_1@nxp.com>
+Date: Fri, 17 May 2019 12:57:53 +0800
+Subject: arm64: dts: ls1028a: Fix CPU idle fail.
+
+[ Upstream commit 53f2ac9d3aa881ed419054076042898b77c27ee4 ]
+
+PSCI spec define 1st parameter's bit 16 of function CPU_SUSPEND to
+indicate CPU State Type: 0 for standby, 1 for power down. In this
+case, we want to select standby for CPU idle feature. But current
+setting wrongly select power down and cause CPU SUSPEND fail every
+time. Need this fix.
+
+Fixes: 8897f3255c9c ("arm64: dts: Add support for NXP LS1028A SoC")
+Signed-off-by: Ran Wang <ran.wang_1@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi b/arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi
+index 2896bbcfa3bb..228872549f01 100644
+--- a/arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi
++++ b/arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi
+@@ -28,7 +28,7 @@
+ enable-method = "psci";
+ clocks = <&clockgen 1 0>;
+ next-level-cache = <&l2>;
+- cpu-idle-states = <&CPU_PH20>;
++ cpu-idle-states = <&CPU_PW20>;
+ };
+
+ cpu1: cpu@1 {
+@@ -38,7 +38,7 @@
+ enable-method = "psci";
+ clocks = <&clockgen 1 0>;
+ next-level-cache = <&l2>;
+- cpu-idle-states = <&CPU_PH20>;
++ cpu-idle-states = <&CPU_PW20>;
+ };
+
+ l2: l2-cache {
+@@ -53,13 +53,13 @@
+ */
+ entry-method = "arm,psci";
+
+- CPU_PH20: cpu-ph20 {
+- compatible = "arm,idle-state";
+- idle-state-name = "PH20";
+- arm,psci-suspend-param = <0x00010000>;
+- entry-latency-us = <1000>;
+- exit-latency-us = <1000>;
+- min-residency-us = <3000>;
++ CPU_PW20: cpu-pw20 {
++ compatible = "arm,idle-state";
++ idle-state-name = "PW20";
++ arm,psci-suspend-param = <0x0>;
++ entry-latency-us = <2000>;
++ exit-latency-us = <2000>;
++ min-residency-us = <6000>;
+ };
+ };
+
+--
+2.20.1
+
--- /dev/null
+From b9f0a071c8e21c0ead118dcf9aa7fb8193325e46 Mon Sep 17 00:00:00 2001
+From: Petr Oros <poros@redhat.com>
+Date: Wed, 19 Jun 2019 14:29:42 +0200
+Subject: be2net: fix link failure after ethtool offline test
+
+[ Upstream commit 2e5db6eb3c23e5dc8171eb8f6af7a97ef9fcf3a9 ]
+
+Certain cards in conjunction with certain switches need a little more
+time for link setup that results in ethtool link test failure after
+offline test. Patch adds a loop that waits for a link setup finish.
+
+Changes in v2:
+- added fixes header
+
+Fixes: 4276e47e2d1c ("be2net: Add link test to list of ethtool self tests.")
+Signed-off-by: Petr Oros <poros@redhat.com>
+Reviewed-by: Ivan Vecera <ivecera@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/emulex/benet/be_ethtool.c | 28 +++++++++++++++----
+ 1 file changed, 22 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/emulex/benet/be_ethtool.c b/drivers/net/ethernet/emulex/benet/be_ethtool.c
+index 6e635debc7fd..cfa01efa5b48 100644
+--- a/drivers/net/ethernet/emulex/benet/be_ethtool.c
++++ b/drivers/net/ethernet/emulex/benet/be_ethtool.c
+@@ -895,7 +895,7 @@ static void be_self_test(struct net_device *netdev, struct ethtool_test *test,
+ u64 *data)
+ {
+ struct be_adapter *adapter = netdev_priv(netdev);
+- int status;
++ int status, cnt;
+ u8 link_status = 0;
+
+ if (adapter->function_caps & BE_FUNCTION_CAPS_SUPER_NIC) {
+@@ -906,6 +906,9 @@ static void be_self_test(struct net_device *netdev, struct ethtool_test *test,
+
+ memset(data, 0, sizeof(u64) * ETHTOOL_TESTS_NUM);
+
++ /* check link status before offline tests */
++ link_status = netif_carrier_ok(netdev);
++
+ if (test->flags & ETH_TEST_FL_OFFLINE) {
+ if (be_loopback_test(adapter, BE_MAC_LOOPBACK, &data[0]) != 0)
+ test->flags |= ETH_TEST_FL_FAILED;
+@@ -926,13 +929,26 @@ static void be_self_test(struct net_device *netdev, struct ethtool_test *test,
+ test->flags |= ETH_TEST_FL_FAILED;
+ }
+
+- status = be_cmd_link_status_query(adapter, NULL, &link_status, 0);
+- if (status) {
+- test->flags |= ETH_TEST_FL_FAILED;
+- data[4] = -1;
+- } else if (!link_status) {
++ /* link status was down prior to test */
++ if (!link_status) {
+ test->flags |= ETH_TEST_FL_FAILED;
+ data[4] = 1;
++ return;
++ }
++
++ for (cnt = 10; cnt; cnt--) {
++ status = be_cmd_link_status_query(adapter, NULL, &link_status,
++ 0);
++ if (status) {
++ test->flags |= ETH_TEST_FL_FAILED;
++ data[4] = -1;
++ break;
++ }
++
++ if (link_status)
++ break;
++
++ msleep_interruptible(500);
+ }
+ }
+
+--
+2.20.1
+
--- /dev/null
+From 4fc4471b32ddb9f3ad862862f006a1b0197d16c9 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Wed, 29 May 2019 23:55:57 -0700
+Subject: clk: ti: clkctrl: Fix returning uninitialized data
+
+[ Upstream commit 41b3588dba6ef4b7995735a97e47ff0aeea6c276 ]
+
+If we do a clk_get() for a clock that does not exists, we have
+_ti_omap4_clkctrl_xlate() return uninitialized data if no match
+is found. This can be seen in some cases with SLAB_DEBUG enabled:
+
+Unable to handle kernel paging request at virtual address 5a5a5a5a
+...
+clk_hw_create_clk.part.33
+sysc_notifier_call
+notifier_call_chain
+blocking_notifier_call_chain
+device_add
+
+Let's fix this by setting a found flag only when we find a match.
+
+Reported-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Fixes: 88a172526c32 ("clk: ti: add support for clkctrl clocks")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Tested-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Tested-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/ti/clkctrl.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/ti/clkctrl.c b/drivers/clk/ti/clkctrl.c
+index 3325ee43bcc1..626090b59cd7 100644
+--- a/drivers/clk/ti/clkctrl.c
++++ b/drivers/clk/ti/clkctrl.c
+@@ -229,6 +229,7 @@ static struct clk_hw *_ti_omap4_clkctrl_xlate(struct of_phandle_args *clkspec,
+ {
+ struct omap_clkctrl_provider *provider = data;
+ struct omap_clkctrl_clk *entry;
++ bool found = false;
+
+ if (clkspec->args_count != 2)
+ return ERR_PTR(-EINVAL);
+@@ -238,11 +239,13 @@ static struct clk_hw *_ti_omap4_clkctrl_xlate(struct of_phandle_args *clkspec,
+
+ list_for_each_entry(entry, &provider->clocks, node) {
+ if (entry->reg_offset == clkspec->args[0] &&
+- entry->bit_offset == clkspec->args[1])
++ entry->bit_offset == clkspec->args[1]) {
++ found = true;
+ break;
++ }
+ }
+
+- if (!entry)
++ if (!found)
+ return ERR_PTR(-EINVAL);
+
+ return entry->clk;
+--
+2.20.1
+
--- /dev/null
+From 3cf1ca3b2dfecc5a9ab108015e7aa59be08ec631 Mon Sep 17 00:00:00 2001
+From: Eiichi Tsukata <devel@etsukata.com>
+Date: Thu, 27 Jun 2019 11:47:32 +0900
+Subject: cpu/hotplug: Fix out-of-bounds read when setting fail state
+
+[ Upstream commit 33d4a5a7a5b4d02915d765064b2319e90a11cbde ]
+
+Setting invalid value to /sys/devices/system/cpu/cpuX/hotplug/fail
+can control `struct cpuhp_step *sp` address, results in the following
+global-out-of-bounds read.
+
+Reproducer:
+
+ # echo -2 > /sys/devices/system/cpu/cpu0/hotplug/fail
+
+KASAN report:
+
+ BUG: KASAN: global-out-of-bounds in write_cpuhp_fail+0x2cd/0x2e0
+ Read of size 8 at addr ffffffff89734438 by task bash/1941
+
+ CPU: 0 PID: 1941 Comm: bash Not tainted 5.2.0-rc6+ #31
+ Call Trace:
+ write_cpuhp_fail+0x2cd/0x2e0
+ dev_attr_store+0x58/0x80
+ sysfs_kf_write+0x13d/0x1a0
+ kernfs_fop_write+0x2bc/0x460
+ vfs_write+0x1e1/0x560
+ ksys_write+0x126/0x250
+ do_syscall_64+0xc1/0x390
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7f05e4f4c970
+
+ The buggy address belongs to the variable:
+ cpu_hotplug_lock+0x98/0xa0
+
+ Memory state around the buggy address:
+ ffffffff89734300: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
+ ffffffff89734380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
+ >ffffffff89734400: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa
+ ^
+ ffffffff89734480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffffffff89734500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+Add a sanity check for the value written from user space.
+
+Fixes: 1db49484f21ed ("smp/hotplug: Hotplug state fail injection")
+Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: peterz@infradead.org
+Link: https://lkml.kernel.org/r/20190627024732.31672-1-devel@etsukata.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cpu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/cpu.c b/kernel/cpu.c
+index 6170034f4118..e97e7224ab47 100644
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -1954,6 +1954,9 @@ static ssize_t write_cpuhp_fail(struct device *dev,
+ if (ret)
+ return ret;
+
++ if (fail < CPUHP_OFFLINE || fail > CPUHP_ONLINE)
++ return -EINVAL;
++
+ /*
+ * Cannot fail STARTING/DYING callbacks.
+ */
+--
+2.20.1
+
--- /dev/null
+From 589691a1a3ba1db327fb2daabcf69da391ca7240 Mon Sep 17 00:00:00 2001
+From: Jerome Marchand <jmarchan@redhat.com>
+Date: Wed, 12 Jun 2019 18:22:26 +0200
+Subject: dm table: don't copy from a NULL pointer in realloc_argv()
+
+[ Upstream commit a0651926553cfe7992166432e418987760882652 ]
+
+For the first call to realloc_argv() in dm_split_args(), old_argv is
+NULL and size is zero. Then memcpy is called, with the NULL old_argv
+as the source argument and a zero size argument. AFAIK, this is
+undefined behavior and generates the following warning when compiled
+with UBSAN on ppc64le:
+
+In file included from ./arch/powerpc/include/asm/paca.h:19,
+ from ./arch/powerpc/include/asm/current.h:16,
+ from ./include/linux/sched.h:12,
+ from ./include/linux/kthread.h:6,
+ from drivers/md/dm-core.h:12,
+ from drivers/md/dm-table.c:8:
+In function 'memcpy',
+ inlined from 'realloc_argv' at drivers/md/dm-table.c:565:3,
+ inlined from 'dm_split_args' at drivers/md/dm-table.c:588:9:
+./include/linux/string.h:345:9: error: argument 2 null where non-null expected [-Werror=nonnull]
+ return __builtin_memcpy(p, q, size);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
+drivers/md/dm-table.c: In function 'dm_split_args':
+./include/linux/string.h:345:9: note: in a call to built-in function '__builtin_memcpy'
+
+Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-table.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
+index 350cf0451456..ec8b27e20de3 100644
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -561,7 +561,7 @@ static char **realloc_argv(unsigned *size, char **old_argv)
+ gfp = GFP_NOIO;
+ }
+ argv = kmalloc_array(new_size, sizeof(*argv), gfp);
+- if (argv) {
++ if (argv && old_argv) {
+ memcpy(argv, old_argv, *size * sizeof(*argv));
+ *size = new_size;
+ }
+--
+2.20.1
+
--- /dev/null
+From 35b613e881c011b8c8cc88fde430272ffb47e53a Mon Sep 17 00:00:00 2001
+From: Milan Broz <gmazyland@gmail.com>
+Date: Thu, 20 Jun 2019 13:00:19 +0200
+Subject: dm verity: use message limit for data block corruption message
+
+[ Upstream commit 2eba4e640b2c4161e31ae20090a53ee02a518657 ]
+
+DM verity should also use DMERR_LIMIT to limit repeat data block
+corruption messages.
+
+Signed-off-by: Milan Broz <gmazyland@gmail.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-verity-target.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
+index f4c31ffaa88e..cec1c0ff33eb 100644
+--- a/drivers/md/dm-verity-target.c
++++ b/drivers/md/dm-verity-target.c
+@@ -236,8 +236,8 @@ static int verity_handle_err(struct dm_verity *v, enum verity_block_type type,
+ BUG();
+ }
+
+- DMERR("%s: %s block %llu is corrupted", v->data_dev->name, type_str,
+- block);
++ DMERR_LIMIT("%s: %s block %llu is corrupted", v->data_dev->name,
++ type_str, block);
+
+ if (v->corrupted_errs == DM_VERITY_MAX_CORRUPTED_ERRS)
+ DMERR("%s: reached maximum errors", v->data_dev->name);
+--
+2.20.1
+
--- /dev/null
+From 1814f1cdc9d26a23cf44b8aefbd4f97ac4ead26f Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 29 May 2019 15:28:28 +0200
+Subject: efi/bgrt: Drop BGRT status field reserved bits check
+
+[ Upstream commit a483fcab38b43fb34a7f12ab1daadd3907f150e2 ]
+
+Starting with ACPI 6.2 bits 1 and 2 of the BGRT status field are no longer
+reserved. These bits are now used to indicate if the image needs to be
+rotated before being displayed.
+
+The first device using these bits has now shown up (the GPD MicroPC) and
+the reserved bits check causes us to reject the valid BGRT table on this
+device.
+
+Rather then changing the reserved bits check, allowing only the 2 new bits,
+instead just completely remove it so that we do not end up with a similar
+problem when more bits are added in the future.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/efi-bgrt.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/firmware/efi/efi-bgrt.c b/drivers/firmware/efi/efi-bgrt.c
+index a2384184a7de..b07c17643210 100644
+--- a/drivers/firmware/efi/efi-bgrt.c
++++ b/drivers/firmware/efi/efi-bgrt.c
+@@ -47,11 +47,6 @@ void __init efi_bgrt_init(struct acpi_table_header *table)
+ bgrt->version);
+ goto out;
+ }
+- if (bgrt->status & 0xfe) {
+- pr_notice("Ignoring BGRT: reserved status bits are non-zero %u\n",
+- bgrt->status);
+- goto out;
+- }
+ if (bgrt->image_type != 0) {
+ pr_notice("Ignoring BGRT: invalid image type %u (expected 0)\n",
+ bgrt->image_type);
+--
+2.20.1
+
--- /dev/null
+From a0cd0314ab660fb543b07275d777faa8c79a59bd Mon Sep 17 00:00:00 2001
+From: Andrea Arcangeli <aarcange@redhat.com>
+Date: Fri, 28 Jun 2019 12:07:14 -0700
+Subject: fork,memcg: alloc_thread_stack_node needs to set tsk->stack
+
+[ Upstream commit 1bf4580e00a248a2c86269125390eb3648e1877c ]
+
+Commit 5eed6f1dff87 ("fork,memcg: fix crash in free_thread_stack on
+memcg charge fail") corrected two instances, but there was a third
+instance of this bug.
+
+Without setting tsk->stack, if memcg_charge_kernel_stack fails, it'll
+execute free_thread_stack() on a dangling pointer.
+
+Enterprise kernels are compiled with VMAP_STACK=y so this isn't
+critical, but custom VMAP_STACK=n builds should have some performance
+advantage, with the drawback of risking to fail fork because compaction
+didn't succeed. So as long as VMAP_STACK=n is a supported option it's
+worth fixing it upstream.
+
+Link: http://lkml.kernel.org/r/20190619011450.28048-1-aarcange@redhat.com
+Fixes: 9b6f7e163cd0 ("mm: rework memcg kernel stack accounting")
+Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
+Reviewed-by: Rik van Riel <riel@surriel.com>
+Acked-by: Roman Gushchin <guro@fb.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/fork.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 2628f3773ca8..ee24fea0eede 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -245,7 +245,11 @@ static unsigned long *alloc_thread_stack_node(struct task_struct *tsk, int node)
+ struct page *page = alloc_pages_node(node, THREADINFO_GFP,
+ THREAD_SIZE_ORDER);
+
+- return page ? page_address(page) : NULL;
++ if (likely(page)) {
++ tsk->stack = page_address(page);
++ return tsk->stack;
++ }
++ return NULL;
+ #endif
+ }
+
+--
+2.20.1
+
--- /dev/null
+From c7ebb6108d54ad8c51320f9ccf035c9c97fa513d Mon Sep 17 00:00:00 2001
+From: Oleksandr Natalenko <oleksandr@redhat.com>
+Date: Fri, 21 Jun 2019 11:17:36 +0200
+Subject: HID: chicony: add another quirk for PixArt mouse
+
+[ Upstream commit dcf768b0ac868630e7bdb6f2f1c9fe72788012fa ]
+
+I've spotted another Chicony PixArt mouse in the wild, which requires
+HID_QUIRK_ALWAYS_POLL quirk, otherwise it disconnects each minute.
+
+USB ID of this device is 0x04f2:0x0939.
+
+We've introduced quirks like this for other models before, so lets add
+this mouse too.
+
+Link: https://github.com/sriemer/fix-linux-mouse#usb-mouse-disconnectsreconnects-every-minute-on-linux
+Signed-off-by: Oleksandr Natalenko <oleksandr@redhat.com>
+Acked-by: Sebastian Parschauer <s.parschauer@gmx.de>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 6537086fb145..f10f5cce7aa9 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -272,6 +272,7 @@
+ #define USB_DEVICE_ID_CHICONY_MULTI_TOUCH 0xb19d
+ #define USB_DEVICE_ID_CHICONY_WIRELESS 0x0618
+ #define USB_DEVICE_ID_CHICONY_PIXART_USB_OPTICAL_MOUSE 0x1053
++#define USB_DEVICE_ID_CHICONY_PIXART_USB_OPTICAL_MOUSE2 0x0939
+ #define USB_DEVICE_ID_CHICONY_WIRELESS2 0x1123
+ #define USB_DEVICE_ID_ASUS_AK1D 0x1125
+ #define USB_DEVICE_ID_CHICONY_TOSHIBA_WT10A 0x1408
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index 189bf68eb35c..74c0ad21b267 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -45,6 +45,7 @@ static const struct hid_device_id hid_quirks[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_UC100KM), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_MULTI_TOUCH), HID_QUIRK_MULTI_INPUT },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_PIXART_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL },
++ { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_PIXART_USB_OPTICAL_MOUSE2), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_WIRELESS), HID_QUIRK_MULTI_INPUT },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CHIC, USB_DEVICE_ID_CHIC_GAMEPAD), HID_QUIRK_BADPAD },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_3AXIS_5BUTTON_STICK), HID_QUIRK_NOGET },
+--
+2.20.1
+
--- /dev/null
+From 1825867ab952e80d535474398f771f36e65dfcb8 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Fri, 14 Jun 2019 16:56:55 +0800
+Subject: HID: multitouch: Add pointstick support for ALPS Touchpad
+
+[ Upstream commit 0a95fc733da375de0688d0f1fd3a2869a1c1d499 ]
+
+There's a new ALPS touchpad/pointstick combo device that requires
+MT_CLS_WIN_8_DUAL to make its pointsitck work as a mouse.
+
+The device can be found on HP ZBook 17 G5.
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-multitouch.c | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index a7037473ed94..b1636ce22060 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -83,6 +83,7 @@
+ #define HID_DEVICE_ID_ALPS_U1_DUAL_3BTN_PTP 0x1220
+ #define HID_DEVICE_ID_ALPS_U1 0x1215
+ #define HID_DEVICE_ID_ALPS_T4_BTNLESS 0x120C
++#define HID_DEVICE_ID_ALPS_1222 0x1222
+
+
+ #define USB_VENDOR_ID_AMI 0x046b
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index 1565a307170a..42bb635895cf 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -1780,6 +1780,10 @@ static const struct hid_device_id mt_devices[] = {
+ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8,
+ USB_VENDOR_ID_ALPS_JP,
+ HID_DEVICE_ID_ALPS_U1_DUAL_3BTN_PTP) },
++ { .driver_data = MT_CLS_WIN_8_DUAL,
++ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8,
++ USB_VENDOR_ID_ALPS_JP,
++ HID_DEVICE_ID_ALPS_1222) },
+
+ /* Lenovo X1 TAB Gen 2 */
+ { .driver_data = MT_CLS_WIN_8_DUAL,
+--
+2.20.1
+
--- /dev/null
+From 321475cd9a259ebf28b62a77385d1699d926e27e Mon Sep 17 00:00:00 2001
+From: Kyle Godbey <me@kyle.ee>
+Date: Sat, 15 Jun 2019 18:15:06 -0500
+Subject: HID: uclogic: Add support for Huion HS64 tablet
+
+[ Upstream commit 315ffcc9a1e054bb460f9203058b52dc26b1173d ]
+
+Add support for Huion HS64 drawing tablet to hid-uclogic
+
+Signed-off-by: Kyle Godbey <me@kyle.ee>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-uclogic-core.c | 2 ++
+ drivers/hid/hid-uclogic-params.c | 2 ++
+ 3 files changed, 5 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index f10f5cce7aa9..a7037473ed94 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -572,6 +572,7 @@
+
+ #define USB_VENDOR_ID_HUION 0x256c
+ #define USB_DEVICE_ID_HUION_TABLET 0x006e
++#define USB_DEVICE_ID_HUION_HS64 0x006d
+
+ #define USB_VENDOR_ID_IBM 0x04b3
+ #define USB_DEVICE_ID_IBM_SCROLLPOINT_III 0x3100
+diff --git a/drivers/hid/hid-uclogic-core.c b/drivers/hid/hid-uclogic-core.c
+index 8fe02d81265d..914fb527ae7a 100644
+--- a/drivers/hid/hid-uclogic-core.c
++++ b/drivers/hid/hid-uclogic-core.c
+@@ -369,6 +369,8 @@ static const struct hid_device_id uclogic_devices[] = {
+ USB_DEVICE_ID_UCLOGIC_TABLET_TWHA60) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_HUION,
+ USB_DEVICE_ID_HUION_TABLET) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_HUION,
++ USB_DEVICE_ID_HUION_HS64) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_UCLOGIC,
+ USB_DEVICE_ID_HUION_TABLET) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_UCLOGIC,
+diff --git a/drivers/hid/hid-uclogic-params.c b/drivers/hid/hid-uclogic-params.c
+index 0187c9f8fc22..273d784fff66 100644
+--- a/drivers/hid/hid-uclogic-params.c
++++ b/drivers/hid/hid-uclogic-params.c
+@@ -977,6 +977,8 @@ int uclogic_params_init(struct uclogic_params *params,
+ /* FALL THROUGH */
+ case VID_PID(USB_VENDOR_ID_HUION,
+ USB_DEVICE_ID_HUION_TABLET):
++ case VID_PID(USB_VENDOR_ID_HUION,
++ USB_DEVICE_ID_HUION_HS64):
+ case VID_PID(USB_VENDOR_ID_UCLOGIC,
+ USB_DEVICE_ID_HUION_TABLET):
+ case VID_PID(USB_VENDOR_ID_UCLOGIC,
+--
+2.20.1
+
--- /dev/null
+From e2439448613f34f55ae84a7903c1758016bbd2b7 Mon Sep 17 00:00:00 2001
+From: Heyi Guo <guoheyi@huawei.com>
+Date: Mon, 13 May 2019 19:42:06 +0800
+Subject: irqchip/gic-v3-its: Fix command queue pointer comparison bug
+
+[ Upstream commit a050fa5476d418fc16b25abe168b3d38ba11e13c ]
+
+When we run several VMs with PCI passthrough and GICv4 enabled, not
+pinning vCPUs, we will occasionally see below warnings in dmesg:
+
+ITS queue timeout (65440 65504 480)
+ITS cmd its_build_vmovp_cmd failed
+
+The reason for the above issue is that in BUILD_SINGLE_CMD_FUNC:
+1. Post the write command.
+2. Release the lock.
+3. Start to read GITS_CREADR to get the reader pointer.
+4. Compare the reader pointer to the target pointer.
+5. If reader pointer does not reach the target, sleep 1us and continue
+to try.
+
+If we have several processors running the above concurrently, other
+CPUs will post write commands while the 1st CPU is waiting the
+completion. So we may have below issue:
+
+phase 1:
+---rd_idx-----from_idx-----to_idx--0---------
+
+wait 1us:
+
+phase 2:
+--------------from_idx-----to_idx--0-rd_idx--
+
+That is the rd_idx may fly ahead of to_idx, and if in case to_idx is
+near the wrap point, rd_idx will wrap around. So the below condition
+will not be met even after 1s:
+
+if (from_idx < to_idx && rd_idx >= to_idx)
+
+There is another theoretical issue. For a slow and busy ITS, the
+initial rd_idx may fall behind from_idx a lot, just as below:
+
+---rd_idx---0--from_idx-----to_idx-----------
+
+This will cause the wait function exit too early.
+
+Actually, it does not make much sense to use from_idx to judge if
+to_idx is wrapped, but we need a initial rd_idx when lock is still
+acquired, and it can be used to judge whether to_idx is wrapped and
+the current rd_idx is wrapped.
+
+We switch to a method of calculating the delta of two adjacent reads
+and accumulating it to get the sum, so that we can get the real rd_idx
+from the wrapped value even when the queue is almost full.
+
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Jason Cooper <jason@lakedaemon.net>
+Signed-off-by: Heyi Guo <guoheyi@huawei.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 35 ++++++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index 7577755bdcf4..eead9def9921 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -745,32 +745,43 @@ static void its_flush_cmd(struct its_node *its, struct its_cmd_block *cmd)
+ }
+
+ static int its_wait_for_range_completion(struct its_node *its,
+- struct its_cmd_block *from,
++ u64 prev_idx,
+ struct its_cmd_block *to)
+ {
+- u64 rd_idx, from_idx, to_idx;
++ u64 rd_idx, to_idx, linear_idx;
+ u32 count = 1000000; /* 1s! */
+
+- from_idx = its_cmd_ptr_to_offset(its, from);
++ /* Linearize to_idx if the command set has wrapped around */
+ to_idx = its_cmd_ptr_to_offset(its, to);
++ if (to_idx < prev_idx)
++ to_idx += ITS_CMD_QUEUE_SZ;
++
++ linear_idx = prev_idx;
+
+ while (1) {
++ s64 delta;
++
+ rd_idx = readl_relaxed(its->base + GITS_CREADR);
+
+- /* Direct case */
+- if (from_idx < to_idx && rd_idx >= to_idx)
+- break;
++ /*
++ * Compute the read pointer progress, taking the
++ * potential wrap-around into account.
++ */
++ delta = rd_idx - prev_idx;
++ if (rd_idx < prev_idx)
++ delta += ITS_CMD_QUEUE_SZ;
+
+- /* Wrapped case */
+- if (from_idx >= to_idx && rd_idx >= to_idx && rd_idx < from_idx)
++ linear_idx += delta;
++ if (linear_idx >= to_idx)
+ break;
+
+ count--;
+ if (!count) {
+- pr_err_ratelimited("ITS queue timeout (%llu %llu %llu)\n",
+- from_idx, to_idx, rd_idx);
++ pr_err_ratelimited("ITS queue timeout (%llu %llu)\n",
++ to_idx, linear_idx);
+ return -1;
+ }
++ prev_idx = rd_idx;
+ cpu_relax();
+ udelay(1);
+ }
+@@ -787,6 +798,7 @@ void name(struct its_node *its, \
+ struct its_cmd_block *cmd, *sync_cmd, *next_cmd; \
+ synctype *sync_obj; \
+ unsigned long flags; \
++ u64 rd_idx; \
+ \
+ raw_spin_lock_irqsave(&its->lock, flags); \
+ \
+@@ -808,10 +820,11 @@ void name(struct its_node *its, \
+ } \
+ \
+ post: \
++ rd_idx = readl_relaxed(its->base + GITS_CREADR); \
+ next_cmd = its_post_commands(its); \
+ raw_spin_unlock_irqrestore(&its->lock, flags); \
+ \
+- if (its_wait_for_range_completion(its, cmd, next_cmd)) \
++ if (its_wait_for_range_completion(its, rd_idx, next_cmd)) \
+ pr_err_ratelimited("ITS cmd %ps failed\n", builder); \
+ }
+
+--
+2.20.1
+
--- /dev/null
+From e903d904fee434be60d51752cd39fa0958920b35 Mon Sep 17 00:00:00 2001
+From: Guo Ren <ren_guo@c-sky.com>
+Date: Tue, 21 May 2019 15:54:05 +0800
+Subject: irqchip/irq-csky-mpintc: Support auto irq deliver to all cpus
+
+[ Upstream commit db56c5128e6625cb16efc4910b60627e46f608e3 ]
+
+The csky,mpintc could deliver a external irq to one cpu or all cpus, but
+it couldn't deliver a external irq to a group of cpus with cpu_mask. So
+we only use auto deliver mode when affinity mask_val is equal to
+cpu_present_mask.
+
+There is no limitation for only two cpus in SMP system.
+
+Signed-off-by: Guo Ren <ren_guo@c-sky.com>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-csky-mpintc.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/irqchip/irq-csky-mpintc.c b/drivers/irqchip/irq-csky-mpintc.c
+index c67c961ab6cc..a4c1aacba1ff 100644
+--- a/drivers/irqchip/irq-csky-mpintc.c
++++ b/drivers/irqchip/irq-csky-mpintc.c
+@@ -89,8 +89,19 @@ static int csky_irq_set_affinity(struct irq_data *d,
+ if (cpu >= nr_cpu_ids)
+ return -EINVAL;
+
+- /* Enable interrupt destination */
+- cpu |= BIT(31);
++ /*
++ * The csky,mpintc could support auto irq deliver, but it only
++ * could deliver external irq to one cpu or all cpus. So it
++ * doesn't support deliver external irq to a group of cpus
++ * with cpu_mask.
++ * SO we only use auto deliver mode when affinity mask_val is
++ * equal to cpu_present_mask.
++ *
++ */
++ if (cpumask_equal(mask_val, cpu_present_mask))
++ cpu = 0;
++ else
++ cpu |= BIT(31);
+
+ writel_relaxed(cpu, INTCG_base + INTCG_CIDSTR + offset);
+
+--
+2.20.1
+
--- /dev/null
+From b6172b08e2bf0a356792ec149eff7996271eb1a1 Mon Sep 17 00:00:00 2001
+From: Vinod Koul <vkoul@kernel.org>
+Date: Fri, 28 Jun 2019 12:07:21 -0700
+Subject: linux/kernel.h: fix overflow for DIV_ROUND_UP_ULL
+
+[ Upstream commit 8f9fab480c7a87b10bb5440b5555f370272a5d59 ]
+
+DIV_ROUND_UP_ULL adds the two arguments and then invokes
+DIV_ROUND_DOWN_ULL. But on a 32bit system the addition of two 32 bit
+values can overflow. DIV_ROUND_DOWN_ULL does it correctly and stashes
+the addition into a unsigned long long so cast the result to unsigned
+long long here to avoid the overflow condition.
+
+[akpm@linux-foundation.org: DIV_ROUND_UP_ULL must be an rval]
+Link: http://lkml.kernel.org/r/20190625100518.30753-1-vkoul@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Bjorn Andersson <bjorn.andersson@linaro.org>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/kernel.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/kernel.h b/include/linux/kernel.h
+index 2d14e21c16c0..4330cecd2237 100644
+--- a/include/linux/kernel.h
++++ b/include/linux/kernel.h
+@@ -92,7 +92,8 @@
+ #define DIV_ROUND_DOWN_ULL(ll, d) \
+ ({ unsigned long long _tmp = (ll); do_div(_tmp, d); _tmp; })
+
+-#define DIV_ROUND_UP_ULL(ll, d) DIV_ROUND_DOWN_ULL((ll) + (d) - 1, (d))
++#define DIV_ROUND_UP_ULL(ll, d) \
++ DIV_ROUND_DOWN_ULL((unsigned long long)(ll) + (d) - 1, (d))
+
+ #if BITS_PER_LONG == 32
+ # define DIV_ROUND_UP_SECTOR_T(ll,d) DIV_ROUND_UP_ULL(ll, d)
+--
+2.20.1
+
--- /dev/null
+From c97dd1f8cbb46566969f43b15c61cb71432ccc67 Mon Sep 17 00:00:00 2001
+From: Yafang Shao <laoar.shao@gmail.com>
+Date: Fri, 28 Jun 2019 12:06:59 -0700
+Subject: mm/oom_kill.c: fix uninitialized oc->constraint
+
+[ Upstream commit 432b1de0de02a83f64695e69a2d83cbee10c236f ]
+
+In dump_oom_summary() oc->constraint is used to show oom_constraint_text,
+but it hasn't been set before. So the value of it is always the default
+value 0. We should inititialize it before.
+
+Bellow is the output when memcg oom occurs,
+
+before this patch:
+ oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null), cpuset=/,mems_allowed=0,oom_memcg=/foo,task_memcg=/foo,task=bash,pid=7997,uid=0
+
+after this patch:
+ oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null), cpuset=/,mems_allowed=0,oom_memcg=/foo,task_memcg=/foo,task=bash,pid=13681,uid=0
+
+Link: http://lkml.kernel.org/r/1560522038-15879-1-git-send-email-laoar.shao@gmail.com
+Fixes: ef8444ea01d7 ("mm, oom: reorganize the oom report in dump_header")
+Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Wind Yu <yuzhoujian@didichuxing.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/oom_kill.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/mm/oom_kill.c b/mm/oom_kill.c
+index 3a2484884cfd..263efad6fc7e 100644
+--- a/mm/oom_kill.c
++++ b/mm/oom_kill.c
+@@ -985,8 +985,7 @@ static void oom_kill_process(struct oom_control *oc, const char *message)
+ /*
+ * Determines whether the kernel must panic because of the panic_on_oom sysctl.
+ */
+-static void check_panic_on_oom(struct oom_control *oc,
+- enum oom_constraint constraint)
++static void check_panic_on_oom(struct oom_control *oc)
+ {
+ if (likely(!sysctl_panic_on_oom))
+ return;
+@@ -996,7 +995,7 @@ static void check_panic_on_oom(struct oom_control *oc,
+ * does not panic for cpuset, mempolicy, or memcg allocation
+ * failures.
+ */
+- if (constraint != CONSTRAINT_NONE)
++ if (oc->constraint != CONSTRAINT_NONE)
+ return;
+ }
+ /* Do not panic for oom kills triggered by sysrq */
+@@ -1033,7 +1032,6 @@ EXPORT_SYMBOL_GPL(unregister_oom_notifier);
+ bool out_of_memory(struct oom_control *oc)
+ {
+ unsigned long freed = 0;
+- enum oom_constraint constraint = CONSTRAINT_NONE;
+
+ if (oom_killer_disabled)
+ return false;
+@@ -1069,10 +1067,10 @@ bool out_of_memory(struct oom_control *oc)
+ * Check if there were limitations on the allocation (only relevant for
+ * NUMA and memcg) that may require different handling.
+ */
+- constraint = constrained_alloc(oc);
+- if (constraint != CONSTRAINT_MEMORY_POLICY)
++ oc->constraint = constrained_alloc(oc);
++ if (oc->constraint != CONSTRAINT_MEMORY_POLICY)
+ oc->nodemask = NULL;
+- check_panic_on_oom(oc, constraint);
++ check_panic_on_oom(oc);
+
+ if (!is_memcg_oom(oc) && sysctl_oom_kill_allocating_task &&
+ current->mm && !oom_unkillable_task(current, NULL, oc->nodemask) &&
+--
+2.20.1
+
--- /dev/null
+From 0d9ce3b1ba15c63a9b6c2bdb9df58f8c4ac349d0 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 29 May 2019 14:37:24 +0200
+Subject: perf/core: Fix perf_sample_regs_user() mm check
+
+[ Upstream commit 085ebfe937d7a7a5df1729f35a12d6d655fea68c ]
+
+perf_sample_regs_user() uses 'current->mm' to test for the presence of
+userspace, but this is insufficient, consider use_mm().
+
+A better test is: '!(current->flags & PF_KTHREAD)', exec() clears
+PF_KTHREAD after it sets the new ->mm but before it drops to userspace
+for the first time.
+
+Possibly obsoletes: bf05fc25f268 ("powerpc/perf: Fix oops when kthread execs user process")
+
+Reported-by: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
+Reported-by: Young Xiao <92siuyang@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 4018994f3d87 ("perf: Add ability to attach user level registers dump to sample")
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index dc7dead2d2cc..f33bd0a89391 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -5913,7 +5913,7 @@ static void perf_sample_regs_user(struct perf_regs *regs_user,
+ if (user_mode(regs)) {
+ regs_user->abi = perf_reg_abi(current);
+ regs_user->regs = regs;
+- } else if (current->mm) {
++ } else if (!(current->flags & PF_KTHREAD)) {
+ perf_get_regs_user(regs_user, regs, regs_user_copy);
+ } else {
+ regs_user->abi = PERF_SAMPLE_REGS_ABI_NONE;
+--
+2.20.1
+
--- /dev/null
+From cc8f7226a1be1309956d80cd46c5e9dc7bedba79 Mon Sep 17 00:00:00 2001
+From: Phil Reid <preid@electromag.com.au>
+Date: Thu, 13 Jun 2019 12:10:23 +0800
+Subject: pinctrl: mcp23s08: Fix add_data and irqchip_add_nested call order
+
+[ Upstream commit 6dbc6e6f58556369bf999cd7d9793586f1b0e4b4 ]
+
+Currently probing of the mcp23s08 results in an error message
+"detected irqchip that is shared with multiple gpiochips:
+please fix the driver"
+
+This is due to the following:
+
+Call to mcp23s08_irqchip_setup() with call hierarchy:
+mcp23s08_irqchip_setup()
+ gpiochip_irqchip_add_nested()
+ gpiochip_irqchip_add_key()
+ gpiochip_set_irq_hooks()
+
+Call to devm_gpiochip_add_data() with call hierarchy:
+devm_gpiochip_add_data()
+ gpiochip_add_data_with_key()
+ gpiochip_add_irqchip()
+ gpiochip_set_irq_hooks()
+
+The gpiochip_add_irqchip() returns immediately if there isn't a irqchip
+but we added a irqchip due to the previous mcp23s08_irqchip_setup()
+call. So it calls gpiochip_set_irq_hooks() a second time.
+
+Fix this by moving the call to devm_gpiochip_add_data before
+the call to mcp23s08_irqchip_setup
+
+Fixes: 02e389e63e35 ("pinctrl: mcp23s08: fix irq setup order")
+Suggested-by: Marco Felsch <m.felsch@pengutronix.de>
+Signed-off-by: Phil Reid <preid@electromag.com.au>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-mcp23s08.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c
+index 5d7a8514def9..b727de5654cd 100644
+--- a/drivers/pinctrl/pinctrl-mcp23s08.c
++++ b/drivers/pinctrl/pinctrl-mcp23s08.c
+@@ -881,6 +881,10 @@ static int mcp23s08_probe_one(struct mcp23s08 *mcp, struct device *dev,
+ if (ret < 0)
+ goto fail;
+
++ ret = devm_gpiochip_add_data(dev, &mcp->chip, mcp);
++ if (ret < 0)
++ goto fail;
++
+ mcp->irq_controller =
+ device_property_read_bool(dev, "interrupt-controller");
+ if (mcp->irq && mcp->irq_controller) {
+@@ -922,10 +926,6 @@ static int mcp23s08_probe_one(struct mcp23s08 *mcp, struct device *dev,
+ goto fail;
+ }
+
+- ret = devm_gpiochip_add_data(dev, &mcp->chip, mcp);
+- if (ret < 0)
+- goto fail;
+-
+ if (one_regmap_config) {
+ mcp->pinctrl_desc.name = devm_kasprintf(dev, GFP_KERNEL,
+ "mcp23xxx-pinctrl.%d", raw_chip_address);
+--
+2.20.1
+
--- /dev/null
+From b8c0edb68e571ad79d56eacf3e198f1b799ff722 Mon Sep 17 00:00:00 2001
+From: Nicolas Boichat <drinkcat@chromium.org>
+Date: Mon, 29 Apr 2019 11:55:14 +0800
+Subject: pinctrl: mediatek: Ignore interrupts that are wake only during resume
+
+[ Upstream commit 35594bc7cecf3a78504b590e350570e8f4d7779e ]
+
+Before suspending, mtk-eint would set the interrupt mask to the
+one in wake_mask. However, some of these interrupts may not have a
+corresponding interrupt handler, or the interrupt may be disabled.
+
+On resume, the eint irq handler would trigger nevertheless,
+and irq/pm.c:irq_pm_check_wakeup would be called, which would
+try to call irq_disable. However, if the interrupt is not enabled
+(irqd_irq_disabled(&desc->irq_data) is true), the call does nothing,
+and the interrupt is left enabled in the eint driver.
+
+Especially for level-sensitive interrupts, this will lead to an
+interrupt storm on resume.
+
+If we detect that an interrupt is only in wake_mask, but not in
+cur_mask, we can just mask it out immediately (as mtk_eint_resume
+would do anyway at a later stage in the resume sequence, when
+restoring cur_mask).
+
+Fixes: bf22ff45bed6 ("genirq: Avoid unnecessary low level irq function calls")
+Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
+Acked-by: Sean Wang <sean.wang@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/mediatek/mtk-eint.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/mediatek/mtk-eint.c b/drivers/pinctrl/mediatek/mtk-eint.c
+index f464f8cd274b..737385e86beb 100644
+--- a/drivers/pinctrl/mediatek/mtk-eint.c
++++ b/drivers/pinctrl/mediatek/mtk-eint.c
+@@ -318,7 +318,7 @@ static void mtk_eint_irq_handler(struct irq_desc *desc)
+ struct irq_chip *chip = irq_desc_get_chip(desc);
+ struct mtk_eint *eint = irq_desc_get_handler_data(desc);
+ unsigned int status, eint_num;
+- int offset, index, virq;
++ int offset, mask_offset, index, virq;
+ void __iomem *reg = mtk_eint_get_offset(eint, 0, eint->regs->stat);
+ int dual_edge, start_level, curr_level;
+
+@@ -328,10 +328,24 @@ static void mtk_eint_irq_handler(struct irq_desc *desc)
+ status = readl(reg);
+ while (status) {
+ offset = __ffs(status);
++ mask_offset = eint_num >> 5;
+ index = eint_num + offset;
+ virq = irq_find_mapping(eint->domain, index);
+ status &= ~BIT(offset);
+
++ /*
++ * If we get an interrupt on pin that was only required
++ * for wake (but no real interrupt requested), mask the
++ * interrupt (as would mtk_eint_resume do anyway later
++ * in the resume sequence).
++ */
++ if (eint->wake_mask[mask_offset] & BIT(offset) &&
++ !(eint->cur_mask[mask_offset] & BIT(offset))) {
++ writel_relaxed(BIT(offset), reg -
++ eint->regs->stat +
++ eint->regs->mask_set);
++ }
++
+ dual_edge = eint->dual_edge[index];
+ if (dual_edge) {
+ /*
+--
+2.20.1
+
--- /dev/null
+From a39122f27d90c0c3b56b68001f25ddd47c3ae147 Mon Sep 17 00:00:00 2001
+From: Nicolas Boichat <drinkcat@chromium.org>
+Date: Wed, 26 Jun 2019 11:54:45 +0800
+Subject: pinctrl: mediatek: Update cur_mask in mask/mask ops
+
+[ Upstream commit 9d957a959bc8c3dfe37572ac8e99affb5a885965 ]
+
+During suspend/resume, mtk_eint_mask may be called while
+wake_mask is active. For example, this happens if a wake-source
+with an active interrupt handler wakes the system:
+irq/pm.c:irq_pm_check_wakeup would disable the interrupt, so
+that it can be handled later on in the resume flow.
+
+However, this may happen before mtk_eint_do_resume is called:
+in this case, wake_mask is loaded, and cur_mask is restored
+from an older copy, re-enabling the interrupt, and causing
+an interrupt storm (especially for level interrupts).
+
+Step by step, for a line that has both wake and interrupt enabled:
+ 1. cur_mask[irq] = 1; wake_mask[irq] = 1; EINT_EN[irq] = 1 (interrupt
+ enabled at hardware level)
+ 2. System suspends, resumes due to that line (at this stage EINT_EN
+ == wake_mask)
+ 3. irq_pm_check_wakeup is called, and disables the interrupt =>
+ EINT_EN[irq] = 0, but we still have cur_mask[irq] = 1
+ 4. mtk_eint_do_resume is called, and restores EINT_EN = cur_mask, so
+ it reenables EINT_EN[irq] = 1 => interrupt storm as the driver
+ is not yet ready to handle the interrupt.
+
+This patch fixes the issue in step 3, by recording all mask/unmask
+changes in cur_mask. This also avoids the need to read the current
+mask in eint_do_suspend, and we can remove mtk_eint_chip_read_mask
+function.
+
+The interrupt will be re-enabled properly later on, sometimes after
+mtk_eint_do_resume, when the driver is ready to handle it.
+
+Fixes: 58a5e1b64bb0 ("pinctrl: mediatek: Implement wake handler and suspend resume")
+Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
+Acked-by: Sean Wang <sean.wang@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/mediatek/mtk-eint.c | 18 ++++--------------
+ 1 file changed, 4 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/pinctrl/mediatek/mtk-eint.c b/drivers/pinctrl/mediatek/mtk-eint.c
+index 737385e86beb..7e526bcf5e0b 100644
+--- a/drivers/pinctrl/mediatek/mtk-eint.c
++++ b/drivers/pinctrl/mediatek/mtk-eint.c
+@@ -113,6 +113,8 @@ static void mtk_eint_mask(struct irq_data *d)
+ void __iomem *reg = mtk_eint_get_offset(eint, d->hwirq,
+ eint->regs->mask_set);
+
++ eint->cur_mask[d->hwirq >> 5] &= ~mask;
++
+ writel(mask, reg);
+ }
+
+@@ -123,6 +125,8 @@ static void mtk_eint_unmask(struct irq_data *d)
+ void __iomem *reg = mtk_eint_get_offset(eint, d->hwirq,
+ eint->regs->mask_clr);
+
++ eint->cur_mask[d->hwirq >> 5] |= mask;
++
+ writel(mask, reg);
+
+ if (eint->dual_edge[d->hwirq])
+@@ -217,19 +221,6 @@ static void mtk_eint_chip_write_mask(const struct mtk_eint *eint,
+ }
+ }
+
+-static void mtk_eint_chip_read_mask(const struct mtk_eint *eint,
+- void __iomem *base, u32 *buf)
+-{
+- int port;
+- void __iomem *reg;
+-
+- for (port = 0; port < eint->hw->ports; port++) {
+- reg = base + eint->regs->mask + (port << 2);
+- buf[port] = ~readl_relaxed(reg);
+- /* Mask is 0 when irq is enabled, and 1 when disabled. */
+- }
+-}
+-
+ static int mtk_eint_irq_request_resources(struct irq_data *d)
+ {
+ struct mtk_eint *eint = irq_data_get_irq_chip_data(d);
+@@ -384,7 +375,6 @@ static void mtk_eint_irq_handler(struct irq_desc *desc)
+
+ int mtk_eint_do_suspend(struct mtk_eint *eint)
+ {
+- mtk_eint_chip_read_mask(eint, eint->base, eint->cur_mask);
+ mtk_eint_chip_write_mask(eint, eint->base, eint->wake_mask);
+
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From ecbd73289fb0d46293e9f1248f5773da60ffc3e7 Mon Sep 17 00:00:00 2001
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Thu, 20 Jun 2019 20:30:36 +0200
+Subject: pinctrl: ocelot: fix gpio direction for pins after 31
+
+[ Upstream commit f2818ba3a0125670cb9999bb5a65ebb631a8da2f ]
+
+The third argument passed to REG is not the correct one and
+ocelot_gpio_set_direction is not working for pins after 31. Fix that by
+passing the pin number instead of the modulo 32 value.
+
+Fixes: da801ab56ad8 pinctrl: ocelot: add MSCC Jaguar2 support
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-ocelot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-ocelot.c b/drivers/pinctrl/pinctrl-ocelot.c
+index 3b4ca52d2456..d2478db975bd 100644
+--- a/drivers/pinctrl/pinctrl-ocelot.c
++++ b/drivers/pinctrl/pinctrl-ocelot.c
+@@ -432,7 +432,7 @@ static int ocelot_gpio_set_direction(struct pinctrl_dev *pctldev,
+ struct ocelot_pinctrl *info = pinctrl_dev_get_drvdata(pctldev);
+ unsigned int p = pin % 32;
+
+- regmap_update_bits(info->map, REG(OCELOT_GPIO_OE, info, p), BIT(p),
++ regmap_update_bits(info->map, REG(OCELOT_GPIO_OE, info, pin), BIT(p),
+ input ? 0 : BIT(p));
+
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From bebfd8c0eb0a126b19e09c74deb64bb8bf8545d7 Mon Sep 17 00:00:00 2001
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Thu, 20 Jun 2019 20:30:37 +0200
+Subject: pinctrl: ocelot: fix pinmuxing for pins after 31
+
+[ Upstream commit 4b36082e2e09c2769710756390d54cfca563ed96 ]
+
+The actual layout for OCELOT_GPIO_ALT[01] when there are more than 32 pins
+is interleaved, i.e. OCELOT_GPIO_ALT0[0], OCELOT_GPIO_ALT1[0],
+OCELOT_GPIO_ALT0[1], OCELOT_GPIO_ALT1[1]. Introduce a new REG_ALT macro to
+facilitate the register offset calculation and use it where necessary.
+
+Fixes: da801ab56ad8 pinctrl: ocelot: add MSCC Jaguar2 support
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-ocelot.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/pinctrl/pinctrl-ocelot.c b/drivers/pinctrl/pinctrl-ocelot.c
+index d2478db975bd..fb76fb2e9ea5 100644
+--- a/drivers/pinctrl/pinctrl-ocelot.c
++++ b/drivers/pinctrl/pinctrl-ocelot.c
+@@ -396,7 +396,7 @@ static int ocelot_pin_function_idx(struct ocelot_pinctrl *info,
+ return -1;
+ }
+
+-#define REG(r, info, p) ((r) * (info)->stride + (4 * ((p) / 32)))
++#define REG_ALT(msb, info, p) (OCELOT_GPIO_ALT0 * (info)->stride + 4 * ((msb) + ((info)->stride * ((p) / 32))))
+
+ static int ocelot_pinmux_set_mux(struct pinctrl_dev *pctldev,
+ unsigned int selector, unsigned int group)
+@@ -412,19 +412,21 @@ static int ocelot_pinmux_set_mux(struct pinctrl_dev *pctldev,
+
+ /*
+ * f is encoded on two bits.
+- * bit 0 of f goes in BIT(pin) of ALT0, bit 1 of f goes in BIT(pin) of
+- * ALT1
++ * bit 0 of f goes in BIT(pin) of ALT[0], bit 1 of f goes in BIT(pin) of
++ * ALT[1]
+ * This is racy because both registers can't be updated at the same time
+ * but it doesn't matter much for now.
+ */
+- regmap_update_bits(info->map, REG(OCELOT_GPIO_ALT0, info, pin->pin),
++ regmap_update_bits(info->map, REG_ALT(0, info, pin->pin),
+ BIT(p), f << p);
+- regmap_update_bits(info->map, REG(OCELOT_GPIO_ALT1, info, pin->pin),
++ regmap_update_bits(info->map, REG_ALT(1, info, pin->pin),
+ BIT(p), f << (p - 1));
+
+ return 0;
+ }
+
++#define REG(r, info, p) ((r) * (info)->stride + (4 * ((p) / 32)))
++
+ static int ocelot_gpio_set_direction(struct pinctrl_dev *pctldev,
+ struct pinctrl_gpio_range *range,
+ unsigned int pin, bool input)
+@@ -445,9 +447,9 @@ static int ocelot_gpio_request_enable(struct pinctrl_dev *pctldev,
+ struct ocelot_pinctrl *info = pinctrl_dev_get_drvdata(pctldev);
+ unsigned int p = offset % 32;
+
+- regmap_update_bits(info->map, REG(OCELOT_GPIO_ALT0, info, offset),
++ regmap_update_bits(info->map, REG_ALT(0, info, offset),
+ BIT(p), 0);
+- regmap_update_bits(info->map, REG(OCELOT_GPIO_ALT1, info, offset),
++ regmap_update_bits(info->map, REG_ALT(1, info, offset),
+ BIT(p), 0);
+
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From 8b83b9a25b704a33d3c24b09fd38757743d25933 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 19 Jun 2019 15:34:07 +0200
+Subject: ppp: mppe: Add softdep to arc4
+
+[ Upstream commit aad1dcc4f011ea409850e040363dff1e59aa4175 ]
+
+The arc4 crypto is mandatory at ppp_mppe probe time, so let's put a
+softdep line, so that the corresponding module gets prepared
+gracefully. Without this, a simple inclusion to initrd via dracut
+failed due to the missing dependency, for example.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_mppe.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ppp/ppp_mppe.c b/drivers/net/ppp/ppp_mppe.c
+index 7ccdc62c6052..06d620b10704 100644
+--- a/drivers/net/ppp/ppp_mppe.c
++++ b/drivers/net/ppp/ppp_mppe.c
+@@ -63,6 +63,7 @@ MODULE_AUTHOR("Frank Cusack <fcusack@fcusack.com>");
+ MODULE_DESCRIPTION("Point-to-Point Protocol Microsoft Point-to-Point Encryption support");
+ MODULE_LICENSE("Dual BSD/GPL");
+ MODULE_ALIAS("ppp-compress-" __stringify(CI_MPPE));
++MODULE_SOFTDEP("pre: arc4");
+ MODULE_VERSION("1.0.2");
+
+ static unsigned int
+--
+2.20.1
+
--- /dev/null
+From 8bbb25a2c229f1f0326a9c433175c36445ca7cfb Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Thu, 13 Jun 2019 12:07:59 +1000
+Subject: selftests/powerpc: Add test of fork with mapping above 512TB
+
+[ Upstream commit 16391bfc862342f285195013b73c1394fab28b97 ]
+
+This tests that when a process with a mapping above 512TB forks we
+correctly separate the parent and child address spaces. This exercises
+the bug in the context id handling fixed in the previous commit.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/powerpc/mm/.gitignore | 3 +-
+ tools/testing/selftests/powerpc/mm/Makefile | 4 +-
+ .../powerpc/mm/large_vm_fork_separation.c | 87 +++++++++++++++++++
+ 3 files changed, 92 insertions(+), 2 deletions(-)
+ create mode 100644 tools/testing/selftests/powerpc/mm/large_vm_fork_separation.c
+
+diff --git a/tools/testing/selftests/powerpc/mm/.gitignore b/tools/testing/selftests/powerpc/mm/.gitignore
+index ba919308fe30..d503b8764a8e 100644
+--- a/tools/testing/selftests/powerpc/mm/.gitignore
++++ b/tools/testing/selftests/powerpc/mm/.gitignore
+@@ -3,4 +3,5 @@ subpage_prot
+ tempfile
+ prot_sao
+ segv_errors
+-wild_bctr
+\ No newline at end of file
++wild_bctr
++large_vm_fork_separation
+\ No newline at end of file
+diff --git a/tools/testing/selftests/powerpc/mm/Makefile b/tools/testing/selftests/powerpc/mm/Makefile
+index 43d68420e363..f1fbc15800c4 100644
+--- a/tools/testing/selftests/powerpc/mm/Makefile
++++ b/tools/testing/selftests/powerpc/mm/Makefile
+@@ -2,7 +2,8 @@
+ noarg:
+ $(MAKE) -C ../
+
+-TEST_GEN_PROGS := hugetlb_vs_thp_test subpage_prot prot_sao segv_errors wild_bctr
++TEST_GEN_PROGS := hugetlb_vs_thp_test subpage_prot prot_sao segv_errors wild_bctr \
++ large_vm_fork_separation
+ TEST_GEN_FILES := tempfile
+
+ top_srcdir = ../../../../..
+@@ -13,6 +14,7 @@ $(TEST_GEN_PROGS): ../harness.c
+ $(OUTPUT)/prot_sao: ../utils.c
+
+ $(OUTPUT)/wild_bctr: CFLAGS += -m64
++$(OUTPUT)/large_vm_fork_separation: CFLAGS += -m64
+
+ $(OUTPUT)/tempfile:
+ dd if=/dev/zero of=$@ bs=64k count=1
+diff --git a/tools/testing/selftests/powerpc/mm/large_vm_fork_separation.c b/tools/testing/selftests/powerpc/mm/large_vm_fork_separation.c
+new file mode 100644
+index 000000000000..2363a7f3ab0d
+--- /dev/null
++++ b/tools/testing/selftests/powerpc/mm/large_vm_fork_separation.c
+@@ -0,0 +1,87 @@
++// SPDX-License-Identifier: GPL-2.0+
++//
++// Copyright 2019, Michael Ellerman, IBM Corp.
++//
++// Test that allocating memory beyond the memory limit and then forking is
++// handled correctly, ie. the child is able to access the mappings beyond the
++// memory limit and the child's writes are not visible to the parent.
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <sys/mman.h>
++#include <sys/types.h>
++#include <sys/wait.h>
++#include <unistd.h>
++
++#include "utils.h"
++
++
++#ifndef MAP_FIXED_NOREPLACE
++#define MAP_FIXED_NOREPLACE MAP_FIXED // "Should be safe" above 512TB
++#endif
++
++
++static int test(void)
++{
++ int p2c[2], c2p[2], rc, status, c, *p;
++ unsigned long page_size;
++ pid_t pid;
++
++ page_size = sysconf(_SC_PAGESIZE);
++ SKIP_IF(page_size != 65536);
++
++ // Create a mapping at 512TB to allocate an extended_id
++ p = mmap((void *)(512ul << 40), page_size, PROT_READ | PROT_WRITE,
++ MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
++ if (p == MAP_FAILED) {
++ perror("mmap");
++ printf("Error: couldn't mmap(), confirm kernel has 4TB support?\n");
++ return 1;
++ }
++
++ printf("parent writing %p = 1\n", p);
++ *p = 1;
++
++ FAIL_IF(pipe(p2c) == -1 || pipe(c2p) == -1);
++
++ pid = fork();
++ if (pid == 0) {
++ FAIL_IF(read(p2c[0], &c, 1) != 1);
++
++ pid = getpid();
++ printf("child writing %p = %d\n", p, pid);
++ *p = pid;
++
++ FAIL_IF(write(c2p[1], &c, 1) != 1);
++ FAIL_IF(read(p2c[0], &c, 1) != 1);
++ exit(0);
++ }
++
++ c = 0;
++ FAIL_IF(write(p2c[1], &c, 1) != 1);
++ FAIL_IF(read(c2p[0], &c, 1) != 1);
++
++ // Prevent compiler optimisation
++ barrier();
++
++ rc = 0;
++ printf("parent reading %p = %d\n", p, *p);
++ if (*p != 1) {
++ printf("Error: BUG! parent saw child's write! *p = %d\n", *p);
++ rc = 1;
++ }
++
++ FAIL_IF(write(p2c[1], &c, 1) != 1);
++ FAIL_IF(waitpid(pid, &status, 0) == -1);
++ FAIL_IF(!WIFEXITED(status) || WEXITSTATUS(status));
++
++ if (rc == 0)
++ printf("success: test completed OK\n");
++
++ return rc;
++}
++
++int main(void)
++{
++ return test_harness(test, "large_vm_fork_separation");
++}
+--
+2.20.1
+
nilfs2-do-not-use-unexported-cpu_to_le32-le32_to_cpu-in-uapi-header.patch
drivers-base-cacheinfo-ensure-cpu-hotplug-work-is-done-before-intel-rdt.patch
firmware-improve-lsm-ima-security-behaviour.patch
+arm-dts-meson8-fix-gpu-interrupts-and-drop-an-undocu.patch
+arm-dts-meson8b-fix-the-operating-voltage-of-the-mal.patch
+irqchip-irq-csky-mpintc-support-auto-irq-deliver-to-.patch
+irqchip-gic-v3-its-fix-command-queue-pointer-compari.patch
+clk-ti-clkctrl-fix-returning-uninitialized-data.patch
+efi-bgrt-drop-bgrt-status-field-reserved-bits-check.patch
+arm64-dts-ls1028a-fix-cpu-idle-fail.patch
+selftests-powerpc-add-test-of-fork-with-mapping-abov.patch
+perf-core-fix-perf_sample_regs_user-mm-check.patch
+arm-dts-gemini-fix-up-dns-313-compatible-string.patch
+arm-omap2-remove-incorrect-__init-annotation.patch
+afs-fix-uninitialised-spinlock-afs_volume-cb_break_l.patch
+x86-efi-fix-a-wtype-limits-compilation-warning.patch
+x86-apic-fix-integer-overflow-on-10-bit-left-shift-o.patch
+be2net-fix-link-failure-after-ethtool-offline-test.patch
+ppp-mppe-add-softdep-to-arc4.patch
+sis900-fix-tx-completion.patch
+arm-dts-imx6ul-fix-pwm-1-4-interrupts.patch
+pinctrl-mcp23s08-fix-add_data-and-irqchip_add_nested.patch
+pinctrl-ocelot-fix-gpio-direction-for-pins-after-31.patch
+pinctrl-ocelot-fix-pinmuxing-for-pins-after-31.patch
+dm-table-don-t-copy-from-a-null-pointer-in-realloc_a.patch
+dm-verity-use-message-limit-for-data-block-corruptio.patch
+x86-boot-64-fix-crash-if-kernel-image-crosses-page-t.patch
+x86-boot-64-add-missing-fixup_pointer-for-next_early.patch
+hid-chicony-add-another-quirk-for-pixart-mouse.patch
+hid-uclogic-add-support-for-huion-hs64-tablet.patch
+hid-multitouch-add-pointstick-support-for-alps-touch.patch
+pinctrl-mediatek-ignore-interrupts-that-are-wake-onl.patch
+cpu-hotplug-fix-out-of-bounds-read-when-setting-fail.patch
+pinctrl-mediatek-update-cur_mask-in-mask-mask-ops.patch
+mm-oom_kill.c-fix-uninitialized-oc-constraint.patch
+fork-memcg-alloc_thread_stack_node-needs-to-set-tsk-.patch
+linux-kernel.h-fix-overflow-for-div_round_up_ull.patch
--- /dev/null
+From 669ca992d60aa860f2cd9bbab4ca09f968a9bc47 Mon Sep 17 00:00:00 2001
+From: Sergej Benilov <sergej.benilov@googlemail.com>
+Date: Thu, 20 Jun 2019 11:02:18 +0200
+Subject: sis900: fix TX completion
+
+[ Upstream commit 8ac8a01092b2added0749ef937037bf1912e13e3 ]
+
+Since commit 605ad7f184b60cfaacbc038aa6c55ee68dee3c89 "tcp: refine TSO autosizing",
+outbound throughput is dramatically reduced for some connections, as sis900
+is doing TX completion within idle states only.
+
+Make TX completion happen after every transmitted packet.
+
+Test:
+netperf
+
+before patch:
+> netperf -H remote -l -2000000 -- -s 1000000
+MIGRATED TCP STREAM TEST from 0.0.0.0 () port 0 AF_INET to 95.223.112.76 () port 0 AF_INET : demo
+Recv Send Send
+Socket Socket Message Elapsed
+Size Size Size Time Throughput
+bytes bytes bytes secs. 10^6bits/sec
+
+ 87380 327680 327680 253.44 0.06
+
+after patch:
+> netperf -H remote -l -10000000 -- -s 1000000
+MIGRATED TCP STREAM TEST from 0.0.0.0 () port 0 AF_INET to 95.223.112.76 () port 0 AF_INET : demo
+Recv Send Send
+Socket Socket Message Elapsed
+Size Size Size Time Throughput
+bytes bytes bytes secs. 10^6bits/sec
+
+ 87380 327680 327680 5.38 14.89
+
+Thx to Dave Miller and Eric Dumazet for helpful hints
+
+Signed-off-by: Sergej Benilov <sergej.benilov@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sis/sis900.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/sis/sis900.c b/drivers/net/ethernet/sis/sis900.c
+index 67f9bb6e941b..9b036c857b1d 100644
+--- a/drivers/net/ethernet/sis/sis900.c
++++ b/drivers/net/ethernet/sis/sis900.c
+@@ -1057,7 +1057,7 @@ sis900_open(struct net_device *net_dev)
+ sis900_set_mode(sis_priv, HW_SPEED_10_MBPS, FDX_CAPABLE_HALF_SELECTED);
+
+ /* Enable all known interrupts by setting the interrupt mask. */
+- sw32(imr, RxSOVR | RxORN | RxERR | RxOK | TxURN | TxERR | TxIDLE);
++ sw32(imr, RxSOVR | RxORN | RxERR | RxOK | TxURN | TxERR | TxIDLE | TxDESC);
+ sw32(cr, RxENA | sr32(cr));
+ sw32(ier, IE);
+
+@@ -1578,7 +1578,7 @@ static void sis900_tx_timeout(struct net_device *net_dev)
+ sw32(txdp, sis_priv->tx_ring_dma);
+
+ /* Enable all known interrupts by setting the interrupt mask. */
+- sw32(imr, RxSOVR | RxORN | RxERR | RxOK | TxURN | TxERR | TxIDLE);
++ sw32(imr, RxSOVR | RxORN | RxERR | RxOK | TxURN | TxERR | TxIDLE | TxDESC);
+ }
+
+ /**
+@@ -1618,7 +1618,7 @@ sis900_start_xmit(struct sk_buff *skb, struct net_device *net_dev)
+ spin_unlock_irqrestore(&sis_priv->lock, flags);
+ return NETDEV_TX_OK;
+ }
+- sis_priv->tx_ring[entry].cmdsts = (OWN | skb->len);
++ sis_priv->tx_ring[entry].cmdsts = (OWN | INTR | skb->len);
+ sw32(cr, TxENA | sr32(cr));
+
+ sis_priv->cur_tx ++;
+@@ -1674,7 +1674,7 @@ static irqreturn_t sis900_interrupt(int irq, void *dev_instance)
+ do {
+ status = sr32(isr);
+
+- if ((status & (HIBERR|TxURN|TxERR|TxIDLE|RxORN|RxERR|RxOK)) == 0)
++ if ((status & (HIBERR|TxURN|TxERR|TxIDLE|TxDESC|RxORN|RxERR|RxOK)) == 0)
+ /* nothing intresting happened */
+ break;
+ handled = 1;
+@@ -1684,7 +1684,7 @@ static irqreturn_t sis900_interrupt(int irq, void *dev_instance)
+ /* Rx interrupt */
+ sis900_rx(net_dev);
+
+- if (status & (TxURN | TxERR | TxIDLE))
++ if (status & (TxURN | TxERR | TxIDLE | TxDESC))
+ /* Tx interrupt */
+ sis900_finish_xmit(net_dev);
+
+@@ -1896,8 +1896,8 @@ static void sis900_finish_xmit (struct net_device *net_dev)
+
+ if (tx_status & OWN) {
+ /* The packet is not transmitted yet (owned by hardware) !
+- * Note: the interrupt is generated only when Tx Machine
+- * is idle, so this is an almost impossible case */
++ * Note: this is an almost impossible condition
++ * in case of TxDESC ('descriptor interrupt') */
+ break;
+ }
+
+@@ -2473,7 +2473,7 @@ static int sis900_resume(struct pci_dev *pci_dev)
+ sis900_set_mode(sis_priv, HW_SPEED_10_MBPS, FDX_CAPABLE_HALF_SELECTED);
+
+ /* Enable all known interrupts by setting the interrupt mask. */
+- sw32(imr, RxSOVR | RxORN | RxERR | RxOK | TxURN | TxERR | TxIDLE);
++ sw32(imr, RxSOVR | RxORN | RxERR | RxOK | TxURN | TxERR | TxIDLE | TxDESC);
+ sw32(cr, RxENA | sr32(cr));
+ sw32(ier, IE);
+
+--
+2.20.1
+
--- /dev/null
+From 1e8517c8b92c1d409fa3050be6c13e75dad00277 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 19 Jun 2019 19:14:46 +0100
+Subject: x86/apic: Fix integer overflow on 10 bit left shift of cpu_khz
+
+[ Upstream commit ea136a112d89bade596314a1ae49f748902f4727 ]
+
+The left shift of unsigned int cpu_khz will overflow for large values of
+cpu_khz, so cast it to a long long before shifting it to avoid overvlow.
+For example, this can happen when cpu_khz is 4194305, i.e. ~4.2 GHz.
+
+Addresses-Coverity: ("Unintentional integer overflow")
+Fixes: 8c3ba8d04924 ("x86, apic: ack all pending irqs when crashed/on kexec")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H . Peter Anvin" <hpa@zytor.com>
+Cc: kernel-janitors@vger.kernel.org
+Link: https://lkml.kernel.org/r/20190619181446.13635-1-colin.king@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/apic/apic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index b7bcdd781651..ec6225cb94f9 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1458,7 +1458,8 @@ static void apic_pending_intr_clear(void)
+ if (queued) {
+ if (boot_cpu_has(X86_FEATURE_TSC) && cpu_khz) {
+ ntsc = rdtsc();
+- max_loops = (cpu_khz << 10) - (ntsc - tsc);
++ max_loops = (long long)cpu_khz << 10;
++ max_loops -= ntsc - tsc;
+ } else {
+ max_loops--;
+ }
+--
+2.20.1
+
--- /dev/null
+From a53d74863398027cf69c015872ff671209d7da61 Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill@shutemov.name>
+Date: Thu, 20 Jun 2019 14:24:22 +0300
+Subject: x86/boot/64: Add missing fixup_pointer() for next_early_pgt access
+
+[ Upstream commit c1887159eb48ba40e775584cfb2a443962cf1a05 ]
+
+__startup_64() uses fixup_pointer() to access global variables in a
+position-independent fashion. Access to next_early_pgt was wrapped into the
+helper, but one instance in the 5-level paging branch was missed.
+
+GCC generates a R_X86_64_PC32 PC-relative relocation for the access which
+doesn't trigger the issue, but Clang emmits a R_X86_64_32S which leads to
+an invalid memory access and system reboot.
+
+Fixes: 187e91fe5e91 ("x86/boot/64/clang: Use fixup_pointer() to access 'next_early_pgt'")
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Alexander Potapenko <glider@google.com>
+Link: https://lkml.kernel.org/r/20190620112422.29264-1-kirill.shutemov@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/head64.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
+index 7df5bce4e1be..29ffa495bd1c 100644
+--- a/arch/x86/kernel/head64.c
++++ b/arch/x86/kernel/head64.c
+@@ -184,7 +184,8 @@ unsigned long __head __startup_64(unsigned long physaddr,
+ pgtable_flags = _KERNPG_TABLE_NOENC + sme_get_me_mask();
+
+ if (la57) {
+- p4d = fixup_pointer(early_dynamic_pgts[next_early_pgt++], physaddr);
++ p4d = fixup_pointer(early_dynamic_pgts[(*next_pgt_ptr)++],
++ physaddr);
+
+ i = (physaddr >> PGDIR_SHIFT) % PTRS_PER_PGD;
+ pgd[i + 0] = (pgdval_t)p4d + pgtable_flags;
+--
+2.20.1
+
--- /dev/null
+From 80693cd4dfc819c5b8f9f62627d004229fe65a48 Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill@shutemov.name>
+Date: Thu, 20 Jun 2019 14:23:45 +0300
+Subject: x86/boot/64: Fix crash if kernel image crosses page table boundary
+
+[ Upstream commit 81c7ed296dcd02bc0b4488246d040e03e633737a ]
+
+A kernel which boots in 5-level paging mode crashes in a small percentage
+of cases if KASLR is enabled.
+
+This issue was tracked down to the case when the kernel image unpacks in a
+way that it crosses an 1G boundary. The crash is caused by an overrun of
+the PMD page table in __startup_64() and corruption of P4D page table
+allocated next to it. This particular issue is not visible with 4-level
+paging as P4D page tables are not used.
+
+But the P4D and the PUD calculation have similar problems.
+
+The PMD index calculation is wrong due to operator precedence, which fails
+to confine the PMDs in the PMD array on wrap around.
+
+The P4D calculation for 5-level paging and the PUD calculation calculate
+the first index correctly, but then blindly increment it which causes the
+same issue when a kernel image is located across a 512G and for 5-level
+paging across a 46T boundary.
+
+This wrap around mishandling was introduced when these parts moved from
+assembly to C.
+
+Restore it to the correct behaviour.
+
+Fixes: c88d71508e36 ("x86/boot/64: Rewrite startup_64() in C")
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20190620112345.28833-1-kirill.shutemov@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/head64.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
+index 16b1cbd3a61e..7df5bce4e1be 100644
+--- a/arch/x86/kernel/head64.c
++++ b/arch/x86/kernel/head64.c
+@@ -190,18 +190,18 @@ unsigned long __head __startup_64(unsigned long physaddr,
+ pgd[i + 0] = (pgdval_t)p4d + pgtable_flags;
+ pgd[i + 1] = (pgdval_t)p4d + pgtable_flags;
+
+- i = (physaddr >> P4D_SHIFT) % PTRS_PER_P4D;
+- p4d[i + 0] = (pgdval_t)pud + pgtable_flags;
+- p4d[i + 1] = (pgdval_t)pud + pgtable_flags;
++ i = physaddr >> P4D_SHIFT;
++ p4d[(i + 0) % PTRS_PER_P4D] = (pgdval_t)pud + pgtable_flags;
++ p4d[(i + 1) % PTRS_PER_P4D] = (pgdval_t)pud + pgtable_flags;
+ } else {
+ i = (physaddr >> PGDIR_SHIFT) % PTRS_PER_PGD;
+ pgd[i + 0] = (pgdval_t)pud + pgtable_flags;
+ pgd[i + 1] = (pgdval_t)pud + pgtable_flags;
+ }
+
+- i = (physaddr >> PUD_SHIFT) % PTRS_PER_PUD;
+- pud[i + 0] = (pudval_t)pmd + pgtable_flags;
+- pud[i + 1] = (pudval_t)pmd + pgtable_flags;
++ i = physaddr >> PUD_SHIFT;
++ pud[(i + 0) % PTRS_PER_PUD] = (pudval_t)pmd + pgtable_flags;
++ pud[(i + 1) % PTRS_PER_PUD] = (pudval_t)pmd + pgtable_flags;
+
+ pmd_entry = __PAGE_KERNEL_LARGE_EXEC & ~_PAGE_GLOBAL;
+ /* Filter out unsupported __PAGE_KERNEL_* bits: */
+@@ -211,8 +211,9 @@ unsigned long __head __startup_64(unsigned long physaddr,
+ pmd_entry += physaddr;
+
+ for (i = 0; i < DIV_ROUND_UP(_end - _text, PMD_SIZE); i++) {
+- int idx = i + (physaddr >> PMD_SHIFT) % PTRS_PER_PMD;
+- pmd[idx] = pmd_entry + i * PMD_SIZE;
++ int idx = i + (physaddr >> PMD_SHIFT);
++
++ pmd[idx % PTRS_PER_PMD] = pmd_entry + i * PMD_SIZE;
+ }
+
+ /*
+--
+2.20.1
+
--- /dev/null
+From aaa7cf2df726b14cc63067ccc702696ff73e411a Mon Sep 17 00:00:00 2001
+From: Qian Cai <cai@lca.pw>
+Date: Wed, 19 Jun 2019 13:47:44 -0400
+Subject: x86/efi: fix a -Wtype-limits compilation warning
+
+[ Upstream commit 919aef44d73d5d0c04213cb1bc31149cc074e65e ]
+
+Compiling a kernel with W=1 generates this warning,
+
+arch/x86/platform/efi/quirks.c:731:16: warning: comparison of unsigned
+expression >= 0 is always true [-Wtype-limits]
+
+Fixes: 3425d934fc03 ("efi/x86: Handle page faults occurring while running ...")
+Signed-off-by: Qian Cai <cai@lca.pw>
+Acked-by: "Prakhya, Sai Praneeth" <sai.praneeth.prakhya@intel.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/platform/efi/quirks.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/platform/efi/quirks.c b/arch/x86/platform/efi/quirks.c
+index a25a9fd987a9..529522c62d89 100644
+--- a/arch/x86/platform/efi/quirks.c
++++ b/arch/x86/platform/efi/quirks.c
+@@ -724,7 +724,7 @@ void efi_recover_from_page_fault(unsigned long phys_addr)
+ * Address range 0x0000 - 0x0fff is always mapped in the efi_pgd, so
+ * page faulting on these addresses isn't expected.
+ */
+- if (phys_addr >= 0x0000 && phys_addr <= 0x0fff)
++ if (phys_addr <= 0x0fff)
+ return;
+
+ /*
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
