--- /dev/null
+From 59ab81471e3b271751b8c979842f25c2174cc076 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jul 2019 18:50:11 +0100
+Subject: ARM: 8874/1: mm: only adjust sections of valid mm structures
+
+From: Doug Berger <opendmb@gmail.com>
+
+[ Upstream commit c51bc12d06b3a5494fbfcbd788a8e307932a06e9 ]
+
+A timing hazard exists when an early fork/exec thread begins
+exiting and sets its mm pointer to NULL while a separate core
+tries to update the section information.
+
+This commit ensures that the mm pointer is not NULL before
+setting its section parameters. The arguments provided by
+commit 11ce4b33aedc ("ARM: 8672/1: mm: remove tasklist locking
+from update_sections_early()") are equally valid for not
+requiring grabbing the task_lock around this check.
+
+Fixes: 08925c2f124f ("ARM: 8464/1: Update all mm structures with section adjustments")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Acked-by: Laura Abbott <labbott@redhat.com>
+Cc: Mike Rapoport <rppt@linux.ibm.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Cc: Rob Herring <robh@kernel.org>
+Cc: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Cc: Peng Fan <peng.fan@nxp.com>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/init.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c
+index 1565d6b671636..4fb1474141a61 100644
+--- a/arch/arm/mm/init.c
++++ b/arch/arm/mm/init.c
+@@ -698,7 +698,8 @@ static void update_sections_early(struct section_perm perms[], int n)
+ if (t->flags & PF_KTHREAD)
+ continue;
+ for_each_thread(t, s)
+- set_section_perms(perms, n, true, s->mm);
++ if (s->mm)
++ set_section_perms(perms, n, true, s->mm);
+ }
+ read_unlock(&tasklist_lock);
+ set_section_perms(perms, n, true, current->active_mm);
+--
+2.20.1
+
--- /dev/null
+From 7e3ccb1f27950e8d0b45ce72cbb6114974843157 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2019 04:07:37 +0100
+Subject: ARM: 8901/1: add a criteria for pfn_valid of arm
+
+From: zhaoyang <huangzhaoyang@gmail.com>
+
+[ Upstream commit 5b3efa4f1479c91cb8361acef55f9c6662feba57 ]
+
+pfn_valid can be wrong when parsing a invalid pfn whose phys address
+exceeds BITS_PER_LONG as the MSB will be trimed when shifted.
+
+The issue originally arise from bellowing call stack, which corresponding to
+an access of the /proc/kpageflags from userspace with a invalid pfn parameter
+and leads to kernel panic.
+
+[46886.723249] c7 [<c031ff98>] (stable_page_flags) from [<c03203f8>]
+[46886.723264] c7 [<c0320368>] (kpageflags_read) from [<c0312030>]
+[46886.723280] c7 [<c0311fb0>] (proc_reg_read) from [<c02a6e6c>]
+[46886.723290] c7 [<c02a6e24>] (__vfs_read) from [<c02a7018>]
+[46886.723301] c7 [<c02a6f74>] (vfs_read) from [<c02a778c>]
+[46886.723315] c7 [<c02a770c>] (SyS_pread64) from [<c0108620>]
+(ret_fast_syscall+0x0/0x28)
+
+Signed-off-by: Zhaoyang Huang <zhaoyang.huang@unisoc.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/init.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c
+index 4fb1474141a61..0fe4a7025e467 100644
+--- a/arch/arm/mm/init.c
++++ b/arch/arm/mm/init.c
+@@ -192,6 +192,11 @@ static void __init zone_sizes_init(unsigned long min, unsigned long max_low,
+ #ifdef CONFIG_HAVE_ARCH_PFN_VALID
+ int pfn_valid(unsigned long pfn)
+ {
++ phys_addr_t addr = __pfn_to_phys(pfn);
++
++ if (__phys_to_pfn(addr) != pfn)
++ return 0;
++
+ return memblock_is_map_memory(__pfn_to_phys(pfn));
+ }
+ EXPORT_SYMBOL(pfn_valid);
+--
+2.20.1
+
--- /dev/null
+From d632856f39adabaa9790284e9ec60843a6f66094 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2019 03:44:52 -0700
+Subject: ARM: OMAP2+: Fix missing SYSC_HAS_RESET_STATUS for dra7 epwmss
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit afd58b162e48076e3fe66d08a69eefbd6fe71643 ]
+
+TRM says PWMSS_SYSCONFIG bit for SOFTRESET changes to zero when
+reset is completed. Let's configure it as otherwise we get warnings
+on boot when we check the data against dts provided data. Eventually
+the legacy platform data will be just dropped, but let's fix the
+warning first.
+
+Reviewed-by: Suman Anna <s-anna@ti.com>
+Tested-by: Keerthy <j-keerthy@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap2/omap_hwmod_7xx_data.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-omap2/omap_hwmod_7xx_data.c b/arch/arm/mach-omap2/omap_hwmod_7xx_data.c
+index 1ab7096af8e23..f850fc3a91e82 100644
+--- a/arch/arm/mach-omap2/omap_hwmod_7xx_data.c
++++ b/arch/arm/mach-omap2/omap_hwmod_7xx_data.c
+@@ -387,7 +387,8 @@ static struct omap_hwmod dra7xx_dcan2_hwmod = {
+ static struct omap_hwmod_class_sysconfig dra7xx_epwmss_sysc = {
+ .rev_offs = 0x0,
+ .sysc_offs = 0x4,
+- .sysc_flags = SYSC_HAS_SIDLEMODE | SYSC_HAS_SOFTRESET,
++ .sysc_flags = SYSC_HAS_SIDLEMODE | SYSC_HAS_SOFTRESET |
++ SYSC_HAS_RESET_STATUS,
+ .idlemodes = (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART),
+ .sysc_fields = &omap_hwmod_sysc_type2,
+ };
+--
+2.20.1
+
--- /dev/null
+From dcf21b76f77e0f661a2bab60c1cca4f26e178991 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jul 2019 04:37:45 -0700
+Subject: ARM: OMAP2+: Fix omap4 errata warning on other SoCs
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 45da5e09dd32fa98c32eaafe2513db6bd75e2f4f ]
+
+We have errata i688 workaround produce warnings on SoCs other than
+omap4 and omap5:
+
+omap4_sram_init:Unable to allocate sram needed to handle errata I688
+omap4_sram_init:Unable to get sram pool needed to handle errata I688
+
+This is happening because there is no ti,omap4-mpu node, or no SRAM
+to configure for the other SoCs, so let's remove the warning based
+on the SoC revision checks.
+
+As nobody has complained it seems that the other SoC variants do not
+need this workaround.
+
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap2/omap4-common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/mach-omap2/omap4-common.c b/arch/arm/mach-omap2/omap4-common.c
+index cf65ab8bb0046..e5dcbda20129d 100644
+--- a/arch/arm/mach-omap2/omap4-common.c
++++ b/arch/arm/mach-omap2/omap4-common.c
+@@ -131,6 +131,9 @@ static int __init omap4_sram_init(void)
+ struct device_node *np;
+ struct gen_pool *sram_pool;
+
++ if (!soc_is_omap44xx() && !soc_is_omap54xx())
++ return 0;
++
+ np = of_find_compatible_node(NULL, NULL, "ti,omap4-mpu");
+ if (!np)
+ pr_warn("%s:Unable to allocate sram needed to handle errata I688\n",
+--
+2.20.1
+
--- /dev/null
+From d9cad5eec1c020d6fdf347225c93fa0cda8f1c5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2019 08:55:36 +0200
+Subject: batman-adv: Only read OGM2 tvlv_len after buffer len check
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit 0ff0f15a32c093381ad1abc06abe85afb561ab28 ]
+
+Multiple batadv_ogm2_packet can be stored in an skbuff. The functions
+batadv_v_ogm_send_to_if() uses batadv_v_ogm_aggr_packet() to check if there
+is another additional batadv_ogm2_packet in the skb or not before they
+continue processing the packet.
+
+The length for such an OGM2 is BATADV_OGM2_HLEN +
+batadv_ogm2_packet->tvlv_len. The check must first check that at least
+BATADV_OGM2_HLEN bytes are available before it accesses tvlv_len (which is
+part of the header. Otherwise it might try read outside of the currently
+available skbuff to get the content of tvlv_len.
+
+Fixes: 9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/bat_v_ogm.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
+index 1aeeadca620cd..f435435b447e0 100644
+--- a/net/batman-adv/bat_v_ogm.c
++++ b/net/batman-adv/bat_v_ogm.c
+@@ -618,17 +618,23 @@ batadv_v_ogm_process_per_outif(struct batadv_priv *bat_priv,
+ * batadv_v_ogm_aggr_packet - checks if there is another OGM aggregated
+ * @buff_pos: current position in the skb
+ * @packet_len: total length of the skb
+- * @tvlv_len: tvlv length of the previously considered OGM
++ * @ogm2_packet: potential OGM2 in buffer
+ *
+ * Return: true if there is enough space for another OGM, false otherwise.
+ */
+-static bool batadv_v_ogm_aggr_packet(int buff_pos, int packet_len,
+- __be16 tvlv_len)
++static bool
++batadv_v_ogm_aggr_packet(int buff_pos, int packet_len,
++ const struct batadv_ogm2_packet *ogm2_packet)
+ {
+ int next_buff_pos = 0;
+
+- next_buff_pos += buff_pos + BATADV_OGM2_HLEN;
+- next_buff_pos += ntohs(tvlv_len);
++ /* check if there is enough space for the header */
++ next_buff_pos += buff_pos + sizeof(*ogm2_packet);
++ if (next_buff_pos > packet_len)
++ return false;
++
++ /* check if there is enough space for the optional TVLV */
++ next_buff_pos += ntohs(ogm2_packet->tvlv_len);
+
+ return (next_buff_pos <= packet_len) &&
+ (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
+@@ -775,7 +781,7 @@ int batadv_v_ogm_packet_recv(struct sk_buff *skb,
+ ogm_packet = (struct batadv_ogm2_packet *)skb->data;
+
+ while (batadv_v_ogm_aggr_packet(ogm_offset, skb_headlen(skb),
+- ogm_packet->tvlv_len)) {
++ ogm_packet)) {
+ batadv_v_ogm_process(skb, ogm_offset, if_incoming);
+
+ ogm_offset += BATADV_OGM2_HLEN;
+--
+2.20.1
+
--- /dev/null
+From 2c5aef2a49f6aae8c5c6e00decb2e66bae6911bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Aug 2019 08:09:50 +1000
+Subject: cifs: set domainName when a domain-key is used in multiuser
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+[ Upstream commit f2aee329a68f5a907bcff11a109dfe17c0b41aeb ]
+
+RHBZ: 1710429
+
+When we use a domain-key to authenticate using multiuser we must also set
+the domainnmame for the new volume as it will be used and passed to the server
+in the NTLMSSP Domain-name.
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/connect.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index f291ed0c155db..2a199f4b663bf 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -2447,6 +2447,7 @@ static int
+ cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses)
+ {
+ int rc = 0;
++ int is_domain = 0;
+ const char *delim, *payload;
+ char *desc;
+ ssize_t len;
+@@ -2494,6 +2495,7 @@ cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses)
+ rc = PTR_ERR(key);
+ goto out_err;
+ }
++ is_domain = 1;
+ }
+
+ down_read(&key->sem);
+@@ -2551,6 +2553,26 @@ cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses)
+ goto out_key_put;
+ }
+
++ /*
++ * If we have a domain key then we must set the domainName in the
++ * for the request.
++ */
++ if (is_domain && ses->domainName) {
++ vol->domainname = kstrndup(ses->domainName,
++ strlen(ses->domainName),
++ GFP_KERNEL);
++ if (!vol->domainname) {
++ cifs_dbg(FYI, "Unable to allocate %zd bytes for "
++ "domain\n", len);
++ rc = -ENOMEM;
++ kfree(vol->username);
++ vol->username = NULL;
++ kfree(vol->password);
++ vol->password = NULL;
++ goto out_key_put;
++ }
++ }
++
+ out_key_put:
+ up_read(&key->sem);
+ key_put(key);
+--
+2.20.1
+
--- /dev/null
+From 6b6ba21b3a193b025b390f569b6e403e9d612a72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2019 13:59:17 +0300
+Subject: cifs: Use kzfree() to zero out the password
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 478228e57f81f6cb60798d54fc02a74ea7dd267e ]
+
+It's safer to zero out the password so that it can never be disclosed.
+
+Fixes: 0c219f5799c7 ("cifs: set domainName when a domain-key is used in multiuser")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/connect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index 2a199f4b663bf..e43ba6db2bdd6 100644
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -2567,7 +2567,7 @@ cifs_set_cifscreds(struct smb_vol *vol, struct cifs_ses *ses)
+ rc = -ENOMEM;
+ kfree(vol->username);
+ vol->username = NULL;
+- kfree(vol->password);
++ kzfree(vol->password);
+ vol->password = NULL;
+ goto out_key_put;
+ }
+--
+2.20.1
+
--- /dev/null
+From 8621e505207bea67524b27009885f22a5b63f2c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2019 01:48:55 -0500
+Subject: dmaengine: ti: dma-crossbar: Fix a memory leak bug
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+[ Upstream commit 2c231c0c1dec42192aca0f87f2dc68b8f0cbc7d2 ]
+
+In ti_dra7_xbar_probe(), 'rsv_events' is allocated through kcalloc(). Then
+of_property_read_u32_array() is invoked to search for the property.
+However, if this process fails, 'rsv_events' is not deallocated, leading to
+a memory leak bug. To fix this issue, free 'rsv_events' before returning
+the error.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Link: https://lore.kernel.org/r/1565938136-7249-1-git-send-email-wenwen@cs.uga.edu
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/ti-dma-crossbar.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/ti-dma-crossbar.c b/drivers/dma/ti-dma-crossbar.c
+index 8c3c588834d2e..a7e1f6e17e3d1 100644
+--- a/drivers/dma/ti-dma-crossbar.c
++++ b/drivers/dma/ti-dma-crossbar.c
+@@ -395,8 +395,10 @@ static int ti_dra7_xbar_probe(struct platform_device *pdev)
+
+ ret = of_property_read_u32_array(node, pname, (u32 *)rsv_events,
+ nelm * 2);
+- if (ret)
++ if (ret) {
++ kfree(rsv_events);
+ return ret;
++ }
+
+ for (i = 0; i < nelm; i++) {
+ ti_dra7_xbar_reserve(rsv_events[i][0], rsv_events[i][1],
+--
+2.20.1
+
--- /dev/null
+From f1b5a8c323b91faf05a7dcf0ec703d376fb45568 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Aug 2019 01:56:08 -0500
+Subject: dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe()
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+[ Upstream commit 962411b05a6d3342aa649e39cda1704c1fc042c6 ]
+
+If devm_request_irq() fails to disable all interrupts, no cleanup is
+performed before retuning the error. To fix this issue, invoke
+omap_dma_free() to do the cleanup.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Link: https://lore.kernel.org/r/1565938570-7528-1-git-send-email-wenwen@cs.uga.edu
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/omap-dma.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/omap-dma.c b/drivers/dma/omap-dma.c
+index 6b16ce390dce1..9f901f16bddcd 100644
+--- a/drivers/dma/omap-dma.c
++++ b/drivers/dma/omap-dma.c
+@@ -1429,8 +1429,10 @@ static int omap_dma_probe(struct platform_device *pdev)
+
+ rc = devm_request_irq(&pdev->dev, irq, omap_dma_irq,
+ IRQF_SHARED, "omap-dma-engine", od);
+- if (rc)
++ if (rc) {
++ omap_dma_free(od);
+ return rc;
++ }
+ }
+
+ if (omap_dma_glbl_read(od, CAPS_0) & CAPS_0_SUPPORT_LL123)
+--
+2.20.1
+
--- /dev/null
+From 4030bb34526b859467f0db112e87e2a4b4740ea6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2019 10:39:54 +0200
+Subject: iommu/amd: Fix race in increase_address_space()
+
+From: Joerg Roedel <jroedel@suse.de>
+
+[ Upstream commit 754265bcab78a9014f0f99cd35e0d610fcd7dfa7 ]
+
+After the conversion to lock-less dma-api call the
+increase_address_space() function can be called without any
+locking. Multiple CPUs could potentially race for increasing
+the address space, leading to invalid domain->mode settings
+and invalid page-tables. This has been happening in the wild
+under high IO load and memory pressure.
+
+Fix the race by locking this operation. The function is
+called infrequently so that this does not introduce
+a performance regression in the dma-api path again.
+
+Reported-by: Qian Cai <cai@lca.pw>
+Fixes: 256e4621c21a ('iommu/amd: Make use of the generic IOVA allocator')
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd_iommu.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index c1233d0288a03..dd7880de7e4e9 100644
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -1321,18 +1321,21 @@ static void domain_flush_devices(struct protection_domain *domain)
+ * another level increases the size of the address space by 9 bits to a size up
+ * to 64 bits.
+ */
+-static bool increase_address_space(struct protection_domain *domain,
++static void increase_address_space(struct protection_domain *domain,
+ gfp_t gfp)
+ {
++ unsigned long flags;
+ u64 *pte;
+
+- if (domain->mode == PAGE_MODE_6_LEVEL)
++ spin_lock_irqsave(&domain->lock, flags);
++
++ if (WARN_ON_ONCE(domain->mode == PAGE_MODE_6_LEVEL))
+ /* address space already 64 bit large */
+- return false;
++ goto out;
+
+ pte = (void *)get_zeroed_page(gfp);
+ if (!pte)
+- return false;
++ goto out;
+
+ *pte = PM_LEVEL_PDE(domain->mode,
+ virt_to_phys(domain->pt_root));
+@@ -1340,7 +1343,10 @@ static bool increase_address_space(struct protection_domain *domain,
+ domain->mode += 1;
+ domain->updated = true;
+
+- return true;
++out:
++ spin_unlock_irqrestore(&domain->lock, flags);
++
++ return;
+ }
+
+ static u64 *alloc_pte(struct protection_domain *domain,
+--
+2.20.1
+
--- /dev/null
+From d925044c28f1d1b9b2694d4d6a97e2566dcb12dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2019 07:04:25 +0200
+Subject: Kconfig: Fix the reference to the IDT77105 Phy driver in the
+ description of ATM_NICSTAR_USE_IDT77105
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit cd9d4ff9b78fcd0fc4708900ba3e52e71e1a7690 ]
+
+This should be IDT77105, not IDT77015.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/atm/Kconfig b/drivers/atm/Kconfig
+index 31c60101a69a4..7fa840170151b 100644
+--- a/drivers/atm/Kconfig
++++ b/drivers/atm/Kconfig
+@@ -199,7 +199,7 @@ config ATM_NICSTAR_USE_SUNI
+ make the card work).
+
+ config ATM_NICSTAR_USE_IDT77105
+- bool "Use IDT77015 PHY driver (25Mbps)"
++ bool "Use IDT77105 PHY driver (25Mbps)"
+ depends on ATM_NICSTAR
+ help
+ Support for the PHYsical layer chip in ForeRunner LE25 cards. In
+--
+2.20.1
+
--- /dev/null
+From 612901bc0802d1c49921b4aeb022aa837c958da6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2019 13:37:29 +0100
+Subject: keys: Fix missing null pointer check in request_key_auth_describe()
+
+From: Hillf Danton <hdanton@sina.com>
+
+[ Upstream commit d41a3effbb53b1bcea41e328d16a4d046a508381 ]
+
+If a request_key authentication token key gets revoked, there's a window in
+which request_key_auth_describe() can see it with a NULL payload - but it
+makes no check for this and something like the following oops may occur:
+
+ BUG: Kernel NULL pointer dereference at 0x00000038
+ Faulting instruction address: 0xc0000000004ddf30
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ ...
+ NIP [...] request_key_auth_describe+0x90/0xd0
+ LR [...] request_key_auth_describe+0x54/0xd0
+ Call Trace:
+ [...] request_key_auth_describe+0x54/0xd0 (unreliable)
+ [...] proc_keys_show+0x308/0x4c0
+ [...] seq_read+0x3d0/0x540
+ [...] proc_reg_read+0x90/0x110
+ [...] __vfs_read+0x3c/0x70
+ [...] vfs_read+0xb4/0x1b0
+ [...] ksys_read+0x7c/0x130
+ [...] system_call+0x5c/0x70
+
+Fix this by checking for a NULL pointer when describing such a key.
+
+Also make the read routine check for a NULL pointer to be on the safe side.
+
+[DH: Modified to not take already-held rcu lock and modified to also check
+ in the read routine]
+
+Fixes: 04c567d9313e ("[PATCH] Keys: Fix race between two instantiators of a key")
+Reported-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
+Signed-off-by: Hillf Danton <hdanton@sina.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/keys/request_key_auth.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
+index f60baeb338e5f..b47445022d5ce 100644
+--- a/security/keys/request_key_auth.c
++++ b/security/keys/request_key_auth.c
+@@ -71,6 +71,9 @@ static void request_key_auth_describe(const struct key *key,
+ {
+ struct request_key_auth *rka = key->payload.data[0];
+
++ if (!rka)
++ return;
++
+ seq_puts(m, "key:");
+ seq_puts(m, key->description);
+ if (key_is_positive(key))
+@@ -88,6 +91,9 @@ static long request_key_auth_read(const struct key *key,
+ size_t datalen;
+ long ret;
+
++ if (!rka)
++ return -EKEYREVOKED;
++
+ datalen = rka->callout_len;
+ ret = datalen;
+
+--
+2.20.1
+
--- /dev/null
+From 7ae4fcceaae72c4f400a41cade66d01865a3fdc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Aug 2019 09:17:51 +0200
+Subject: net: seeq: Fix the function used to release some memory in an error
+ handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit e1e54ec7fb55501c33b117c111cb0a045b8eded2 ]
+
+In commit 99cd149efe82 ("sgiseeq: replace use of dma_cache_wback_inv"),
+a call to 'get_zeroed_page()' has been turned into a call to
+'dma_alloc_coherent()'. Only the remove function has been updated to turn
+the corresponding 'free_page()' into 'dma_free_attrs()'.
+The error hndling path of the probe function has not been updated.
+
+Fix it now.
+
+Rename the corresponding label to something more in line.
+
+Fixes: 99cd149efe82 ("sgiseeq: replace use of dma_cache_wback_inv")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/seeq/sgiseeq.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/seeq/sgiseeq.c b/drivers/net/ethernet/seeq/sgiseeq.c
+index c2bd5378ffdaf..3527962f0bdad 100644
+--- a/drivers/net/ethernet/seeq/sgiseeq.c
++++ b/drivers/net/ethernet/seeq/sgiseeq.c
+@@ -792,15 +792,16 @@ static int sgiseeq_probe(struct platform_device *pdev)
+ printk(KERN_ERR "Sgiseeq: Cannot register net device, "
+ "aborting.\n");
+ err = -ENODEV;
+- goto err_out_free_page;
++ goto err_out_free_attrs;
+ }
+
+ printk(KERN_INFO "%s: %s %pM\n", dev->name, sgiseeqstr, dev->dev_addr);
+
+ return 0;
+
+-err_out_free_page:
+- free_page((unsigned long) sp->srings);
++err_out_free_attrs:
++ dma_free_attrs(&pdev->dev, sizeof(*sp->srings), sp->srings,
++ sp->srings_dma, DMA_ATTR_NON_CONSISTENT);
+ err_out_free_dev:
+ free_netdev(dev);
+
+--
+2.20.1
+
--- /dev/null
+From cd9b82ebe16e6584a59dd05a411aa212e8aee636 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2019 16:14:28 +0200
+Subject: netfilter: nf_conntrack_ftp: Fix debug output
+
+From: Thomas Jarosch <thomas.jarosch@intra2net.com>
+
+[ Upstream commit 3a069024d371125227de3ac8fa74223fcf473520 ]
+
+The find_pattern() debug output was printing the 'skip' character.
+This can be a NULL-byte and messes up further pr_debug() output.
+
+Output without the fix:
+kernel: nf_conntrack_ftp: Pattern matches!
+kernel: nf_conntrack_ftp: Skipped up to `<7>nf_conntrack_ftp: find_pattern `PORT': dlen = 8
+kernel: nf_conntrack_ftp: find_pattern `EPRT': dlen = 8
+
+Output with the fix:
+kernel: nf_conntrack_ftp: Pattern matches!
+kernel: nf_conntrack_ftp: Skipped up to 0x0 delimiter!
+kernel: nf_conntrack_ftp: Match succeeded!
+kernel: nf_conntrack_ftp: conntrack_ftp: match `172,17,0,100,200,207' (20 bytes at 4150681645)
+kernel: nf_conntrack_ftp: find_pattern `PORT': dlen = 8
+
+Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_ftp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
+index e3ed200608788..562b545242492 100644
+--- a/net/netfilter/nf_conntrack_ftp.c
++++ b/net/netfilter/nf_conntrack_ftp.c
+@@ -323,7 +323,7 @@ static int find_pattern(const char *data, size_t dlen,
+ i++;
+ }
+
+- pr_debug("Skipped up to `%c'!\n", skip);
++ pr_debug("Skipped up to 0x%hhx delimiter!\n", skip);
+
+ *numoff = i;
+ *numlen = getnum(data + i, dlen - i, cmd, term, numoff);
+--
+2.20.1
+
--- /dev/null
+From a0a93b66d480ab64d028a5fecd3777aa3f14f504 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Aug 2019 14:19:09 -0400
+Subject: NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 17d8c5d145000070c581f2a8aa01edc7998582ab ]
+
+Initialise the result count to 0 rather than initialising it to the
+argument count. The reason is that we want to ensure we record the
+I/O stats correctly in the case where an error is returned (for
+instance in the layoutstats).
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/pagelist.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c
+index fad4d5188aafa..b6e25126a0b0f 100644
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -562,7 +562,7 @@ static void nfs_pgio_rpcsetup(struct nfs_pgio_header *hdr,
+ }
+
+ hdr->res.fattr = &hdr->fattr;
+- hdr->res.count = count;
++ hdr->res.count = 0;
+ hdr->res.eof = 0;
+ hdr->res.verf = &hdr->verf;
+ nfs_fattr_init(&hdr->fattr);
+--
+2.20.1
+
--- /dev/null
+From 24477498cb88ae438adad4f6c02e26965aaad304 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2019 20:41:16 -0400
+Subject: NFSv2: Fix eof handling
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 71affe9be45a5c60b9772e1b2701710712637274 ]
+
+If we received a reply from the server with a zero length read and
+no error, then that implies we are at eof.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/proc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/proc.c b/fs/nfs/proc.c
+index b7bca83039895..f3e8bcbd29a09 100644
+--- a/fs/nfs/proc.c
++++ b/fs/nfs/proc.c
+@@ -588,7 +588,8 @@ static int nfs_read_done(struct rpc_task *task, struct nfs_pgio_header *hdr)
+ /* Emulate the eof flag, which isn't normally needed in NFSv2
+ * as it is guaranteed to always return the file attributes
+ */
+- if (hdr->args.offset + hdr->res.count >= hdr->res.fattr->size)
++ if ((hdr->res.count == 0 && hdr->args.count > 0) ||
++ hdr->args.offset + hdr->res.count >= hdr->res.fattr->size)
+ hdr->res.eof = 1;
+ }
+ return 0;
+--
+2.20.1
+
--- /dev/null
+From c1b2c7f7f82f96c04008b1f82182d6053e15ecb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2019 07:03:28 -0400
+Subject: NFSv2: Fix write regression
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit d33d4beb522987d1c305c12500796f9be3687dee ]
+
+Ensure we update the write result count on success, since the
+RPC call itself does not do so.
+
+Reported-by: Jan Stancek <jstancek@redhat.com>
+Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Tested-by: Jan Stancek <jstancek@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/proc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/proc.c b/fs/nfs/proc.c
+index f3e8bcbd29a09..06e72229be123 100644
+--- a/fs/nfs/proc.c
++++ b/fs/nfs/proc.c
+@@ -610,8 +610,10 @@ static int nfs_proc_pgio_rpc_prepare(struct rpc_task *task,
+
+ static int nfs_write_done(struct rpc_task *task, struct nfs_pgio_header *hdr)
+ {
+- if (task->tk_status >= 0)
++ if (task->tk_status >= 0) {
++ hdr->res.count = hdr->args.count;
+ nfs_writeback_update_inode(hdr);
++ }
+ return 0;
+ }
+
+--
+2.20.1
+
--- /dev/null
+From be3a5746e295019d9901fb75f18c3496404897e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Aug 2019 15:03:11 -0400
+Subject: NFSv4: Fix return values for nfs4_file_open()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 90cf500e338ab3f3c0f126ba37e36fb6a9058441 ]
+
+Currently, we are translating RPC level errors such as timeouts,
+as well as interrupts etc into EOPENSTALE, which forces a single
+replay of the open attempt. What we actually want to do is
+force the replay only in the cases where the returned error
+indicates that the file may have changed on the server.
+
+So the fix is to spell out the exact set of errors where we want
+to return EOPENSTALE.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4file.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c
+index 8a0c301b0c699..7138383382ff1 100644
+--- a/fs/nfs/nfs4file.c
++++ b/fs/nfs/nfs4file.c
+@@ -73,13 +73,13 @@ nfs4_file_open(struct inode *inode, struct file *filp)
+ if (IS_ERR(inode)) {
+ err = PTR_ERR(inode);
+ switch (err) {
+- case -EPERM:
+- case -EACCES:
+- case -EDQUOT:
+- case -ENOSPC:
+- case -EROFS:
+- goto out_put_ctx;
+ default:
++ goto out_put_ctx;
++ case -ENOENT:
++ case -ESTALE:
++ case -EISDIR:
++ case -ENOTDIR:
++ case -ELOOP:
+ goto out_drop;
+ }
+ }
+--
+2.20.1
+
--- /dev/null
+From 41509cfd102407d7bfa472f5befbf470edd2d59b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2019 14:57:30 -0500
+Subject: perf/x86/amd/ibs: Fix sample bias for dispatched micro-ops
+
+From: Kim Phillips <kim.phillips@amd.com>
+
+[ Upstream commit 0f4cd769c410e2285a4e9873a684d90423f03090 ]
+
+When counting dispatched micro-ops with cnt_ctl=1, in order to prevent
+sample bias, IBS hardware preloads the least significant 7 bits of
+current count (IbsOpCurCnt) with random values, such that, after the
+interrupt is handled and counting resumes, the next sample taken
+will be slightly perturbed.
+
+The current count bitfield is in the IBS execution control h/w register,
+alongside the maximum count field.
+
+Currently, the IBS driver writes that register with the maximum count,
+leaving zeroes to fill the current count field, thereby overwriting
+the random bits the hardware preloaded for itself.
+
+Fix the driver to actually retain and carry those random bits from the
+read of the IBS control register, through to its write, instead of
+overwriting the lower current count bits with zeroes.
+
+Tested with:
+
+perf record -c 100001 -e ibs_op/cnt_ctl=1/pp -a -C 0 taskset -c 0 <workload>
+
+'perf annotate' output before:
+
+ 15.70 65: addsd %xmm0,%xmm1
+ 17.30 add $0x1,%rax
+ 15.88 cmp %rdx,%rax
+ je 82
+ 17.32 72: test $0x1,%al
+ jne 7c
+ 7.52 movapd %xmm1,%xmm0
+ 5.90 jmp 65
+ 8.23 7c: sqrtsd %xmm1,%xmm0
+ 12.15 jmp 65
+
+'perf annotate' output after:
+
+ 16.63 65: addsd %xmm0,%xmm1
+ 16.82 add $0x1,%rax
+ 16.81 cmp %rdx,%rax
+ je 82
+ 16.69 72: test $0x1,%al
+ jne 7c
+ 8.30 movapd %xmm1,%xmm0
+ 8.13 jmp 65
+ 8.24 7c: sqrtsd %xmm1,%xmm0
+ 8.39 jmp 65
+
+Tested on Family 15h and 17h machines.
+
+Machines prior to family 10h Rev. C don't have the RDWROPCNT capability,
+and have the IbsOpCurCnt bitfield reserved, so this patch shouldn't
+affect their operation.
+
+It is unknown why commit db98c5faf8cb ("perf/x86: Implement 64-bit
+counter support for IBS") ignored the lower 4 bits of the IbsOpCurCnt
+field; the number of preloaded random bits has always been 7, AFAICT.
+
+Signed-off-by: Kim Phillips <kim.phillips@amd.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: "Arnaldo Carvalho de Melo" <acme@kernel.org>
+Cc: <x86@kernel.org>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: "Borislav Petkov" <bp@alien8.de>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: "Namhyung Kim" <namhyung@kernel.org>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Link: https://lkml.kernel.org/r/20190826195730.30614-1-kim.phillips@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/amd/ibs.c | 13 ++++++++++---
+ arch/x86/include/asm/perf_event.h | 12 ++++++++----
+ 2 files changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c
+index fd4484ae3ffca..112e3c4636b4f 100644
+--- a/arch/x86/events/amd/ibs.c
++++ b/arch/x86/events/amd/ibs.c
+@@ -671,10 +671,17 @@ fail:
+
+ throttle = perf_event_overflow(event, &data, ®s);
+ out:
+- if (throttle)
++ if (throttle) {
+ perf_ibs_stop(event, 0);
+- else
+- perf_ibs_enable_event(perf_ibs, hwc, period >> 4);
++ } else {
++ period >>= 4;
++
++ if ((ibs_caps & IBS_CAPS_RDWROPCNT) &&
++ (*config & IBS_OP_CNT_CTL))
++ period |= *config & IBS_OP_CUR_CNT_RAND;
++
++ perf_ibs_enable_event(perf_ibs, hwc, period);
++ }
+
+ perf_event_update_userpage(event);
+
+diff --git a/arch/x86/include/asm/perf_event.h b/arch/x86/include/asm/perf_event.h
+index f353061bba1d0..81d5ea71bbe94 100644
+--- a/arch/x86/include/asm/perf_event.h
++++ b/arch/x86/include/asm/perf_event.h
+@@ -200,16 +200,20 @@ struct x86_pmu_capability {
+ #define IBSCTL_LVT_OFFSET_VALID (1ULL<<8)
+ #define IBSCTL_LVT_OFFSET_MASK 0x0F
+
+-/* ibs fetch bits/masks */
++/* IBS fetch bits/masks */
+ #define IBS_FETCH_RAND_EN (1ULL<<57)
+ #define IBS_FETCH_VAL (1ULL<<49)
+ #define IBS_FETCH_ENABLE (1ULL<<48)
+ #define IBS_FETCH_CNT 0xFFFF0000ULL
+ #define IBS_FETCH_MAX_CNT 0x0000FFFFULL
+
+-/* ibs op bits/masks */
+-/* lower 4 bits of the current count are ignored: */
+-#define IBS_OP_CUR_CNT (0xFFFF0ULL<<32)
++/*
++ * IBS op bits/masks
++ * The lower 7 bits of the current count are random bits
++ * preloaded by hardware and ignored in software
++ */
++#define IBS_OP_CUR_CNT (0xFFF80ULL<<32)
++#define IBS_OP_CUR_CNT_RAND (0x0007FULL<<32)
+ #define IBS_OP_CNT_CTL (1ULL<<19)
+ #define IBS_OP_VAL (1ULL<<18)
+ #define IBS_OP_ENABLE (1ULL<<17)
+--
+2.20.1
+
--- /dev/null
+From 4c9848fb25cf256d0b73d0f9746e4bb09c4c69ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2019 19:13:31 -0400
+Subject: perf/x86/intel: Restrict period on Nehalem
+
+From: Josh Hunt <johunt@akamai.com>
+
+[ Upstream commit 44d3bbb6f5e501b873218142fe08cdf62a4ac1f3 ]
+
+We see our Nehalem machines reporting 'perfevents: irq loop stuck!' in
+some cases when using perf:
+
+perfevents: irq loop stuck!
+WARNING: CPU: 0 PID: 3485 at arch/x86/events/intel/core.c:2282 intel_pmu_handle_irq+0x37b/0x530
+...
+RIP: 0010:intel_pmu_handle_irq+0x37b/0x530
+...
+Call Trace:
+<NMI>
+? perf_event_nmi_handler+0x2e/0x50
+? intel_pmu_save_and_restart+0x50/0x50
+perf_event_nmi_handler+0x2e/0x50
+nmi_handle+0x6e/0x120
+default_do_nmi+0x3e/0x100
+do_nmi+0x102/0x160
+end_repeat_nmi+0x16/0x50
+...
+? native_write_msr+0x6/0x20
+? native_write_msr+0x6/0x20
+</NMI>
+intel_pmu_enable_event+0x1ce/0x1f0
+x86_pmu_start+0x78/0xa0
+x86_pmu_enable+0x252/0x310
+__perf_event_task_sched_in+0x181/0x190
+? __switch_to_asm+0x41/0x70
+? __switch_to_asm+0x35/0x70
+? __switch_to_asm+0x41/0x70
+? __switch_to_asm+0x35/0x70
+finish_task_switch+0x158/0x260
+__schedule+0x2f6/0x840
+? hrtimer_start_range_ns+0x153/0x210
+schedule+0x32/0x80
+schedule_hrtimeout_range_clock+0x8a/0x100
+? hrtimer_init+0x120/0x120
+ep_poll+0x2f7/0x3a0
+? wake_up_q+0x60/0x60
+do_epoll_wait+0xa9/0xc0
+__x64_sys_epoll_wait+0x1a/0x20
+do_syscall_64+0x4e/0x110
+entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x7fdeb1e96c03
+...
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: acme@kernel.org
+Cc: Josh Hunt <johunt@akamai.com>
+Cc: bpuranda@akamai.com
+Cc: mingo@redhat.com
+Cc: jolsa@redhat.com
+Cc: tglx@linutronix.de
+Cc: namhyung@kernel.org
+Cc: alexander.shishkin@linux.intel.com
+Link: https://lkml.kernel.org/r/1566256411-18820-1-git-send-email-johunt@akamai.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
+index e98e238d37750..55e362f9dbfaa 100644
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -3075,6 +3075,11 @@ static u64 bdw_limit_period(struct perf_event *event, u64 left)
+ return left;
+ }
+
++static u64 nhm_limit_period(struct perf_event *event, u64 left)
++{
++ return max(left, 32ULL);
++}
++
+ PMU_FORMAT_ATTR(event, "config:0-7" );
+ PMU_FORMAT_ATTR(umask, "config:8-15" );
+ PMU_FORMAT_ATTR(edge, "config:18" );
+@@ -3734,6 +3739,7 @@ __init int intel_pmu_init(void)
+ x86_pmu.pebs_constraints = intel_nehalem_pebs_event_constraints;
+ x86_pmu.enable_all = intel_pmu_nhm_enable_all;
+ x86_pmu.extra_regs = intel_nehalem_extra_regs;
++ x86_pmu.limit_period = nhm_limit_period;
+
+ x86_pmu.cpu_events = nhm_events_attrs;
+
+--
+2.20.1
+
--- /dev/null
+From 0b06a2f6e4b4579c46c2be2b78e5238afe6e0c13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2019 23:46:36 -0500
+Subject: qed: Add cleanup in qed_slowpath_start()
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+[ Upstream commit de0e4fd2f07ce3bbdb69dfb8d9426b7227451b69 ]
+
+If qed_mcp_send_drv_version() fails, no cleanup is executed, leading to
+memory leaks. To fix this issue, introduce the label 'err4' to perform the
+cleanup work before returning the error.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Acked-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c b/drivers/net/ethernet/qlogic/qed/qed_main.c
+index a769196628d91..708117fc6f733 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_main.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c
+@@ -958,7 +958,7 @@ static int qed_slowpath_start(struct qed_dev *cdev,
+ &drv_version);
+ if (rc) {
+ DP_NOTICE(cdev, "Failed sending drv version command\n");
+- return rc;
++ goto err4;
+ }
+ }
+
+@@ -966,6 +966,8 @@ static int qed_slowpath_start(struct qed_dev *cdev,
+
+ return 0;
+
++err4:
++ qed_ll2_dealloc_if(cdev);
+ err3:
+ qed_hw_stop(cdev);
+ err2:
+--
+2.20.1
+
--- /dev/null
+From 855add65563d91de3f65f168a3daedf23253dac9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Aug 2019 01:36:19 -0700
+Subject: r8152: Set memory to all 0xFFs on failed reg reads
+
+From: Prashant Malani <pmalani@chromium.org>
+
+[ Upstream commit f53a7ad189594a112167efaf17ea8d0242b5ac00 ]
+
+get_registers() blindly copies the memory written to by the
+usb_control_msg() call even if the underlying urb failed.
+
+This could lead to junk register values being read by the driver, since
+some indirect callers of get_registers() ignore the return values. One
+example is:
+ ocp_read_dword() ignores the return value of generic_ocp_read(), which
+ calls get_registers().
+
+So, emulate PCI "Master Abort" behavior by setting the buffer to all
+0xFFs when usb_control_msg() fails.
+
+This patch is copied from the r8152 driver (v2.12.0) published by
+Realtek (www.realtek.com).
+
+Signed-off-by: Prashant Malani <pmalani@chromium.org>
+Acked-by: Hayes Wang <hayeswang@realtek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 02e29562d254e..15dc70c118579 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -689,8 +689,11 @@ int get_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data)
+ ret = usb_control_msg(tp->udev, usb_rcvctrlpipe(tp->udev, 0),
+ RTL8152_REQ_GET_REGS, RTL8152_REQT_READ,
+ value, index, tmp, size, 500);
++ if (ret < 0)
++ memset(data, 0xff, size);
++ else
++ memcpy(data, tmp, size);
+
+- memcpy(data, tmp, size);
+ kfree(tmp);
+
+ return ret;
+--
+2.20.1
+
--- /dev/null
+From 3d5dfc64e354428e254199ebe763d7bc583cd01a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2019 17:03:32 +0200
+Subject: s390/bpf: fix lcgr instruction encoding
+
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+
+[ Upstream commit bb2d267c448f4bc3a3389d97c56391cb779178ae ]
+
+"masking, test in bounds 3" fails on s390, because
+BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0) ignores the top 32 bits of
+BPF_REG_2. The reason is that JIT emits lcgfr instead of lcgr.
+The associated comment indicates that the code was intended to
+emit lcgr in the first place, it's just that the wrong opcode
+was used.
+
+Fix by using the correct opcode.
+
+Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend")
+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Acked-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
+index 896344b6e0363..e4616090732a4 100644
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -881,7 +881,7 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i
+ break;
+ case BPF_ALU64 | BPF_NEG: /* dst = -dst */
+ /* lcgr %dst,%dst */
+- EMIT4(0xb9130000, dst_reg, dst_reg);
++ EMIT4(0xb9030000, dst_reg, dst_reg);
+ break;
+ /*
+ * BPF_FROM_BE/LE
+--
+2.20.1
+
--- /dev/null
+From 4735742b320dc429123a3a2042bf360cf0aba25f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2019 18:18:07 +0200
+Subject: s390/bpf: use 32-bit index for tail calls
+
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+
+[ Upstream commit 91b4db5313a2c793aabc2143efb8ed0cf0fdd097 ]
+
+"p runtime/jit: pass > 32bit index to tail_call" fails when
+bpf_jit_enable=1, because the tail call is not executed.
+
+This in turn is because the generated code assumes index is 64-bit,
+while it must be 32-bit, and as a result prog array bounds check fails,
+while it should pass. Even if bounds check would have passed, the code
+that follows uses 64-bit index to compute prog array offset.
+
+Fix by using clrj instead of clgrj for comparing index with array size,
+and also by using llgfr for truncating index to 32 bits before using it
+to compute prog array offset.
+
+Fixes: 6651ee070b31 ("s390/bpf: implement bpf_tail_call() helper")
+Reported-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
+Acked-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/net/bpf_jit_comp.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
+index e4616090732a4..9b15a1dc66287 100644
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -1062,8 +1062,8 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i
+ /* llgf %w1,map.max_entries(%b2) */
+ EMIT6_DISP_LH(0xe3000000, 0x0016, REG_W1, REG_0, BPF_REG_2,
+ offsetof(struct bpf_array, map.max_entries));
+- /* clgrj %b3,%w1,0xa,label0: if %b3 >= %w1 goto out */
+- EMIT6_PCREL_LABEL(0xec000000, 0x0065, BPF_REG_3,
++ /* clrj %b3,%w1,0xa,label0: if (u32)%b3 >= (u32)%w1 goto out */
++ EMIT6_PCREL_LABEL(0xec000000, 0x0077, BPF_REG_3,
+ REG_W1, 0, 0xa);
+
+ /*
+@@ -1089,8 +1089,10 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i
+ * goto out;
+ */
+
+- /* sllg %r1,%b3,3: %r1 = index * 8 */
+- EMIT6_DISP_LH(0xeb000000, 0x000d, REG_1, BPF_REG_3, REG_0, 3);
++ /* llgfr %r1,%b3: %r1 = (u32) index */
++ EMIT4(0xb9160000, REG_1, BPF_REG_3);
++ /* sllg %r1,%r1,3: %r1 *= 8 */
++ EMIT6_DISP_LH(0xeb000000, 0x000d, REG_1, REG_1, REG_0, 3);
+ /* lg %r1,prog(%b2,%r1) */
+ EMIT6_DISP_LH(0xe3000000, 0x0004, REG_1, BPF_REG_2,
+ REG_1, offsetof(struct bpf_array, ptrs));
+--
+2.20.1
+
serial-sprd-correct-the-wrong-sequence-of-arguments.patch
tty-serial-atmel-reschedule-tx-after-rx-was-started.patch
mwifiex-fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch
+arm-omap2-fix-missing-sysc_has_reset_status-for-dra7.patch
+s390-bpf-fix-lcgr-instruction-encoding.patch
+arm-omap2-fix-omap4-errata-warning-on-other-socs.patch
+s390-bpf-use-32-bit-index-for-tail-calls.patch
+nfsv4-fix-return-values-for-nfs4_file_open.patch
+nfs-fix-initialisation-of-i-o-result-struct-in-nfs_p.patch
+kconfig-fix-the-reference-to-the-idt77105-phy-driver.patch
+qed-add-cleanup-in-qed_slowpath_start.patch
+arm-8874-1-mm-only-adjust-sections-of-valid-mm-struc.patch
+batman-adv-only-read-ogm2-tvlv_len-after-buffer-len-.patch
+r8152-set-memory-to-all-0xffs-on-failed-reg-reads.patch
+x86-apic-fix-arch_dynirq_lower_bound-bug-for-dt-enab.patch
+netfilter-nf_conntrack_ftp-fix-debug-output.patch
+nfsv2-fix-eof-handling.patch
+nfsv2-fix-write-regression.patch
+cifs-set-domainname-when-a-domain-key-is-used-in-mul.patch
+cifs-use-kzfree-to-zero-out-the-password.patch
+arm-8901-1-add-a-criteria-for-pfn_valid-of-arm.patch
+sky2-disable-msi-on-yet-another-asus-boards-p6xxxx.patch
+perf-x86-intel-restrict-period-on-nehalem.patch
+perf-x86-amd-ibs-fix-sample-bias-for-dispatched-micr.patch
+tools-power-turbostat-fix-buffer-overrun.patch
+net-seeq-fix-the-function-used-to-release-some-memor.patch
+dmaengine-ti-dma-crossbar-fix-a-memory-leak-bug.patch
+dmaengine-ti-omap-dma-add-cleanup-in-omap_dma_probe.patch
+x86-uaccess-don-t-leak-the-ac-flags-into-__get_user-.patch
+keys-fix-missing-null-pointer-check-in-request_key_a.patch
+iommu-amd-fix-race-in-increase_address_space.patch
--- /dev/null
+From f5f76de208921080b071ab297918301d7d68ae3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Aug 2019 08:31:19 +0200
+Subject: sky2: Disable MSI on yet another ASUS boards (P6Xxxx)
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 189308d5823a089b56e2299cd96589507dac7319 ]
+
+A similar workaround for the suspend/resume problem is needed for yet
+another ASUS machines, P6X models. Like the previous fix, the BIOS
+doesn't provide the standard DMI_SYS_* entry, so again DMI_BOARD_*
+entries are used instead.
+
+Reported-and-tested-by: SteveM <swm@swm1.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/sky2.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c
+index 59dbecd19c93f..49f692907a30b 100644
+--- a/drivers/net/ethernet/marvell/sky2.c
++++ b/drivers/net/ethernet/marvell/sky2.c
+@@ -4946,6 +4946,13 @@ static const struct dmi_system_id msi_blacklist[] = {
+ DMI_MATCH(DMI_BOARD_NAME, "P6T"),
+ },
+ },
++ {
++ .ident = "ASUS P6X",
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer INC."),
++ DMI_MATCH(DMI_BOARD_NAME, "P6X"),
++ },
++ },
+ {}
+ };
+
+--
+2.20.1
+
--- /dev/null
+From 04061788e06000306332dca38d538cfe019761b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Apr 2019 16:02:14 +0900
+Subject: tools/power turbostat: fix buffer overrun
+
+From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+
+[ Upstream commit eeb71c950bc6eee460f2070643ce137e067b234c ]
+
+turbostat could be terminated by general protection fault on some latest
+hardwares which (for example) support 9 levels of C-states and show 18
+"tADDED" lines. That bloats the total output and finally causes buffer
+overrun. So let's extend the buffer to avoid this.
+
+Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index b4c5d96e54c12..7c2c8e74aa9a9 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -3593,7 +3593,7 @@ int initialize_counters(int cpu_id)
+
+ void allocate_output_buffer()
+ {
+- output_buffer = calloc(1, (1 + topo.num_cpus) * 1024);
++ output_buffer = calloc(1, (1 + topo.num_cpus) * 2048);
+ outp = output_buffer;
+ if (outp == NULL)
+ err(-1, "calloc output buffer");
+--
+2.20.1
+
--- /dev/null
+From b047ae6bb83df346ae32f8f66a67b7cc82336aeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2019 15:16:31 +0200
+Subject: x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 3e5bedc2c258341702ddffbd7688c5e6eb01eafa ]
+
+Rahul Tanwar reported the following bug on DT systems:
+
+> 'ioapic_dynirq_base' contains the virtual IRQ base number. Presently, it is
+> updated to the end of hardware IRQ numbers but this is done only when IOAPIC
+> configuration type is IOAPIC_DOMAIN_LEGACY or IOAPIC_DOMAIN_STRICT. There is
+> a third type IOAPIC_DOMAIN_DYNAMIC which applies when IOAPIC configuration
+> comes from devicetree.
+>
+> See dtb_add_ioapic() in arch/x86/kernel/devicetree.c
+>
+> In case of IOAPIC_DOMAIN_DYNAMIC (DT/OF based system), 'ioapic_dynirq_base'
+> remains to zero initialized value. This means that for OF based systems,
+> virtual IRQ base will get set to zero.
+
+Such systems will very likely not even boot.
+
+For DT enabled machines ioapic_dynirq_base is irrelevant and not
+updated, so simply map the IRQ base 1:1 instead.
+
+Reported-by: Rahul Tanwar <rahul.tanwar@linux.intel.com>
+Tested-by: Rahul Tanwar <rahul.tanwar@linux.intel.com>
+Tested-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: alan@linux.intel.com
+Cc: bp@alien8.de
+Cc: cheol.yong.kim@intel.com
+Cc: qi-ming.wu@intel.com
+Cc: rahul.tanwar@intel.com
+Cc: rppt@linux.ibm.com
+Cc: tony.luck@intel.com
+Link: http://lkml.kernel.org/r/20190821081330.1187-1-rahul.tanwar@linux.intel.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/apic/io_apic.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c
+index d34629d70421f..09dd95cabfc28 100644
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -2346,7 +2346,13 @@ unsigned int arch_dynirq_lower_bound(unsigned int from)
+ * dmar_alloc_hwirq() may be called before setup_IO_APIC(), so use
+ * gsi_top if ioapic_dynirq_base hasn't been initialized yet.
+ */
+- return ioapic_initialized ? ioapic_dynirq_base : gsi_top;
++ if (!ioapic_initialized)
++ return gsi_top;
++ /*
++ * For DT enabled machines ioapic_dynirq_base is irrelevant and not
++ * updated. So simply return @from if ioapic_dynirq_base == 0.
++ */
++ return ioapic_dynirq_base ? : from;
+ }
+
+ #ifdef CONFIG_X86_32
+--
+2.20.1
+
--- /dev/null
+From c8f4609eae1b16fbd365a33aec7beb4f02e5e093 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2019 10:24:45 +0200
+Subject: x86/uaccess: Don't leak the AC flags into __get_user() argument
+ evaluation
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 9b8bd476e78e89c9ea26c3b435ad0201c3d7dbf5 ]
+
+Identical to __put_user(); the __get_user() argument evalution will too
+leak UBSAN crud into the __uaccess_begin() / __uaccess_end() region.
+While uncommon this was observed to happen for:
+
+ drivers/xen/gntdev.c: if (__get_user(old_status, batch->status[i]))
+
+where UBSAN added array bound checking.
+
+This complements commit:
+
+ 6ae865615fc4 ("x86/uaccess: Dont leak the AC flag into __put_user() argument evaluation")
+
+Tested-by Sedat Dilek <sedat.dilek@gmail.com>
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: broonie@kernel.org
+Cc: sfr@canb.auug.org.au
+Cc: akpm@linux-foundation.org
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: mhocko@suse.cz
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Link: https://lkml.kernel.org/r/20190829082445.GM2369@hirez.programming.kicks-ass.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/uaccess.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
+index 2177c7551ff77..9db8d8758ed3b 100644
+--- a/arch/x86/include/asm/uaccess.h
++++ b/arch/x86/include/asm/uaccess.h
+@@ -438,8 +438,10 @@ do { \
+ ({ \
+ int __gu_err; \
+ __inttype(*(ptr)) __gu_val; \
++ __typeof__(ptr) __gu_ptr = (ptr); \
++ __typeof__(size) __gu_size = (size); \
+ __uaccess_begin_nospec(); \
+- __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
++ __get_user_size(__gu_val, __gu_ptr, __gu_size, __gu_err, -EFAULT); \
+ __uaccess_end(); \
+ (x) = (__force __typeof__(*(ptr)))__gu_val; \
+ __builtin_expect(__gu_err, 0); \
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
